New Authentication Guidance

Draft Puts More Responsibility on Banks

A preliminary draft of new online authentication guidance from the Federal Financial Institutions Examination Council puts greater responsibility on the shoulders of financial institutions to enhance their security and prevent fraud.

The FFIEC has yet to formally unveil its long-awaited update to 2005's authentication guidance, but a December 2010 draft document entitled "Interagency Supplement to Authentication in an Internet Banking Environment" was reportedly distributed to the FFIEC's member agencies.

While it's likely that this draft will be amended before the final release of the new guidance, the current document calls for five key areas of improvement:

•Better risk assessments to help institutions understand and respond to emerging threats, including man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;

•Widespread use of multifactor authentication, especially for so-called "high-risk" transactions;

•Layered security controls to detect and effectively respond to suspicious or anomalous activity;

•More effective authentication techniques, including improved device identification and protection, as well as stronger challenge questions;

•Heightened customer education initiatives, particularly for commercial accounts.

Risk Assessments

Risk assessments are addressed first in the draft, leveling some criticism at banking institutions for not being diligent about regular assessments.

The document says risk assessments should include regular reviews of internal systems, analyzing their abilities to:

•Detect and thwart established threats, such as malware;

•Respond to changes related to customer adoption of electronic banking;

•Respond to changes in functionality offered through e-banking;

•Analyze actual incidents of security breaches, identity theft or fraud experienced by the institution;

•Respond to changes in the internal and external threat environment.

Authentication for High-Risk Transactions

The FFIEC's definition of "high-risk transactions" remains unchanged. But the supplement does acknowledge that, since 2005, more consumers and businesses are conducting online transactions.

Layered Security

Layered security includes different controls at different points in a transaction process. If one control or point is compromised, another layer of controls is in place to thwart or detect fraud. Agencies say they expect security programs to include, at minimum:

•Processes designed to detect and effectively respond to suspicious or anomalous activity;

•Enhanced controls for users who are granted administrative privileges to set up users or change system configurations, such as defined users, users' privileges, and application configurations and/or limitations.

Effectiveness of Authentication Techniques

Part of the layered security approach, the draft suggests, should include stronger device identification, which could include use of "one-time" cookies to create a more complex digital fingerprint of the PC by looking at characteristics such as PC configuration, Internet protocol address and geo-location.

Although no device authentication method can mitigate all threats, the supplement says, "the Agencies consider complex device identification to be more secure and preferable to simple device identification."

The need for stronger challenge questions is also noted, as yet another layer institutions can use to authenticate and identify a device and a user.

Customer Education and Awareness

As part of the effort to educate consumer and commercial customers about fraud risks and security measures, the draft states financial institutions should explain what protections are and are not provided under Regulation E. The drafted guidance also suggests banking institutions offer:

•An explanation of under what circumstances and through what means the institution may contact a customer and request the customer's electronic banking credentials;

•A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;

•A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk;

•A listing of institutional contacts for customers' discretionary use in the event they notice suspicious account activity or experience customer information security-related events.

Stronger Fraud Detection

Beyond the supervisory expectations, the draft guidance includes an appendix that discusses the current threat landscape and compensating controls, including anti-malware software for customers, as well as transaction monitoring/anomaly detection software.

Similar Guidance in Australia?

Well - I am not sure, if we have something like Federal Financial Institutions Examination Council (FFIEC) or similar council in Australia. Until, we find the answer for the question, we should start using the available guideliness available.