Even though the FFIEC’s new guidance for authenticating digital banking has been in the oven for about six years, it’s still being received as decidedly underdone by the bank tech community.
“Everybody’s throwing a lot of arrows at this guidance,” says Julie Conroy McNelley, an analyst for Aite Group, who then placed her own in the quiver. “Dual authentication should have been emphasized a little more heavily.”
The problem starts with the banks themselves. Most still protect online accounts with nothing more than a password plus either a cookie or an IP address filter. That is not enough against today’s cybercrooks, who come armed with botnets, Trojan horses and myriad other break-in tools that in the past year alone have proven effective against bank firewalls, as well as the Pentagon and the U.S. Senate.
The FFIEC did take aim at such low levels of protection: asking users for the name of their pet as an authentication challenge question is almost certainly no longer acceptable. Ballard Spahr’s analysis of the new supplement says the agency recommends a review of authentication methods every 12 months and whenever new web functions are introduced. The FFIEC also endorses “layers” of protection, where a weakness in one layer is covered by the strength of another.
That should include at least two such layers: institutional review of volume and dollar limits for transactions, and processes that detect and respond to suspicious activity both when a customer initiates access to a web banking account and when money is transferred to third parties.
The FFIEC is also calling for enhanced controls for financial institutions over system administrators who manage online access to and configuration of business accounts. These administrators should be required to use one-time passwords for changes to access or account configuration.
Nobody that BTN interviewed disagreed with those measures, but all those contacted say much more specific requirements are necessary to protect online banking, particularly as mobile and social media use become more prevalent, further exposing end user devices and data.
Gartner security specialist Avivah Litan says the guidance’s principles are strong, but its outlined solutions will become “rapidly outdated.”
She says the guidance still falls short in several areas, including a delineation of banks’ and customers’ responsibilities, details on the responsibilities of smaller banks that rely on third party services and minimum requirements for customer education.
The new guidance also suffers from a lack of specific…guidance. “The document keeps referring to layered security - that's a good thing. But how long have we been hearing that? Great that it’s down on paper given that it's so critical. It's the most important step a financial institution can take. But a lot more detail and guidance is required here,” Celent analyst Jacob Jegher recently blogged.
Many also complained that the guidance does not spell out specific best practices for authenticating a customer before an online transaction executes, and in particular that it does not mandate a second device, or factor, such as a mobile phone, to back up online authentication.
“Elsewhere around the world, two factor is required,” says Ken Hunt, CEO of Vasco Security, who says the fact that most of the world requires two-factor authentication for online banking serves to isolate the U.S. “FFIEC does not require that. It’s almost like a lesson on security. They don’t step forward and say this is the best thing to do. It’s not a directive, it’s a casual conversation.”
McNelley says the guidance should have strongly encouraged behavior monitoring, dual authentication and one-time passwords as best practices. “That would be harder to defeat,” she says. McNelley also says a lack of strong commentary on mobile is another shortcoming. “It would have been great to see a reference to it,” she says. “The NCUA says the FFIEC has a working group that will be doing guidance [for mobile], but based on the pace that we’ve seen, it will be 2013 before we see that.”
An FFIEC spokesperson said the new guidance does cover mobile transactions, but did not produce a representative for a more extensive interview by Thursday evening.
McNelley says many banks will take action on their own, particularly given the media attention paid to high profile incidents in the past year. “A lot of firms will deploy [dual factor] to protect from a reputational risk perspective,” she says.
And there are at least a few new wrinkles in the latest guidance. Kevin Bocek, a director at IronKey, a security firm, says, “The hardest-hitting and really new recommendation in the FFIEC 2011 guidance is the little-understood idea of secure browsing. The idea of secure browsing is it creates an environment isolated from the PC so that any malware installed on the PC cannot detect, re-direct or interact in any way with the online browsing environment.”