About Us | Contact Us
View Cart

FFIEC Expands IT Examination Handbook

By Vigilize | Tuesday, May 24, 2016 - Leave a Comment

Handbook expanded to cover mobile financial services and their potential threats


Finally, a commitment!

The FFIEC recently issued a new appendix (Appendix E) to its IT Examination Handbook to address mobile financial services (MFS), which cover a wide variety of services from banking institution smartphone applications to third party payment systems such as Apple Pay.

While MFS appear similar to existing computer and internet based services used by financial institutions, and in many cases merely serve as interfaces to existing backend systems, they present new and unique risks that institutions must be aware of.

Examples of MFS provided by Appendix E include:

  • Short Message Service (SMS) banking, wherein a customer may use text messaging to get status updates regarding their account or to receive one-time passwords for authentication.
  • Mobile-enabled websites, which are variants of the financial institution’s web presence specially formatted for display on smaller devices. Users may need to navigate to these sites directly, or the institution’s site may use code to detect the device being used and display the appropriate version.
  • Mobile applications, which are downloadable applications tailored specifically for the device in question, providing a more user-friendly display of data and account services than would be possible with either SMS or a mobile-enabled website.
  • Wireless payment technologies, which allow customers to use their smartphones to make payments at point of sale (POS) terminals or to individuals. These technologies may take the form of a unique account specific to the wireless payment service (billed to the user’s mobile carrier or a linked financial institution) or as a “mobile wallet,” where the details of existing physical cards are stored electronically.

It is important to note that while MFS are often seen as entirely new technologies, they tie-in to existing retail payment channels and require an account at a financial institution for funding: they are not an independent means of payment. Rather, MFS are instead an entirely new risk vector for financial institutions, as they provide consumers a new way to access (and potentially disrupt) existing banking systems.

To that end, the FFIEC has identified multiple risk factors for each of the example MFS mentioned above and detailed them in Appendix E, before going on to provide controls that financial institutions can use to mitigate those risks. Because MFS can often require working with entities outside of the financial sector, including mobile carriers and application developers, there may be a lack of knowledge about the compliance requirements facing financial institutions. In addition, consumers may be unaware of the additional risks MFS may present. In both cases, financial institutions may need to work on communicating these risks and requirements as part of their mitigation efforts.

More specifically, the FFIEC suggests general operational controls that institutions should be considering, including:

  • Appropriate controls to verify a customer’s identity when enrolling for MFS.
  • Appropriate authentication of MFS users once enrolled to prevent fraud, with examples including biometric or out-of-band (e.g. a one-time text verification message if the user is performing an action through a web portal) methods. Additionally the FFIEC suggests MFS not rely on single factor authentication methods entirely.
  • Application development life cycle steps including architecture review and threat modeling, secure coding techniques and detailed code analysis. Additionally, institutions should update applications through secure channels and in a timely fashion, and applications should not retain any sensitive consumer data such as user names and passwords.
  • Applications should use their own set of login credentials separate from those used to access the device itself, and should automatically log users out after a set period of inactivity.
  • Logging and monitoring for all MFS activities which can identify unusual behavior.

In addition to these general operational controls, Appendix E includes suggested controls for the specific types of MFS outlined in the introduction.  For SMS technology, the FFIEC suggests redacting customer information (such as account numbers) due to the inability to encrypt text messages sent via SMS, and also limiting the amount of functionality a customer can access solely via text. Additionally, customers should be made aware of how to avoid phishing messages through SMS.

For mobile-enabled web sites, the FFIEC has a number of suggested controls:

  • Customer training on how to identify compromised sites and how to verify they have reached the resource they intended, how to choose a complex password and the proper methods for securing their mobile devices (e.g. auto-wiping devices after a set number of incorrect password attempts).
  • Requiring web developers to follow a secure development lifecycle and to follow the guidelines established by the Open Web Application Security Project.
  • Detection of the mobile web browser being used to determine whether proper security controls are being implemented, denying use of browsers that do not meet minimum standards.
  • A number of mitigating controls for web design to reduce the risk presented by redirect attacks including hard coded URLs, URL verification, whitelisted URLs and frequent vulnerability scans.

Controls for mobile application risk mitigation include:

  • Policy enforcement and device fingerprinting tools to prevent application use on insecure operating systems, including deprecated versions and jailbroken/rooted devices. Additionally, methods to depreciate older application versions that no longer meet security requirements.
  • Security awareness training for consumers to help them identify insecure application updating techniques (e.g. A link to a website sent via SMS as opposed to using the operating system’s own application store).
  • Making sure applications do not store sensitive consumer information, such as credit card numbers, directly on devices unless adequately protected through encryption or storage within a secured space within the device filesystem. Information should be stored by applications only when necessary.
  • Securing the backend servers that power the MFS application to prevent unauthorized access.
  • Use of online forums, vendor cites and organizations such as US-CERT to maintain awareness of new vulnerabilities, in addition to periodically testing how their MFS works with other mobile services.

The FFIEC also recommends that financial institutions work with mobile payment vendors to minimize potential risks, encouraging the following controls:

  • DDoS mitigation (through traffic filtering).
  • Use of trusted platform modules when available, secure protocols such as SSL/TLS, tokenization to limit transmission of account information, authentication of both users and applications and encryption whenever possible.

Appendix E goes on to detail ways financial institutions can reduce compliance and reputation risk associated with MFS, including consulting with legal counsel to ensure contracts and disclosure agreements cover the new technologies, and making sure controls are in place concerning the storage and transmission of customer details by MFS.

With more consumers relying on mobile financial services to conduct their business and more financial institutions integrating them into their portfolio of services it is well worth the time of your security team to look into the changes presented by this new appendix.



Posted in Articles, Infotex News

Latest News
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    President Biden recently signed a bill tasking the agency with evaluating the unique risks that schools face… An article review. Taking note of the unique challenges educational institutions face in securing their networks, President Biden has signed a bill into law directing the Cybersecurity and Infrastructure Security Agency (CISA) to look into ways that they can […]
    Thanks for being interested in our Technology Planning Webinars! This year‘s annual update to our annual Technology Planning webinar will include a panel discussion, a review of the previous years’ movies that are already available, and a discussion about alternative tactics that have arisen from recent conferences as well as the impact of the AIO […]
    Welcome Cybersecurity Conference Attendees! Thanks for joining us for the Cybersecurity Conference today! We have created this page for you to have access to the deliverables from Dan’s talk.  
    What you need to know for compliance coast-to-coast. Back in 2020 we posted an article containing links to data breach laws from each state, and it has proven to be one of our more popular posts.  Because laws surrounding the use (and abuse) of technology are always evolving, we thought it was worth taking another […]
    Why It Rhymes With SEEM (And its Not the I Before E Rule) Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . It’s the Gestalt. The idea that the whole is greater than the sum of it’s parts. That’s not something that is often brought […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    Questions about China’s new disclosure laws only highlight the uncertainty about disclosure in general… An article review. China recently made waves in the security world by announcing a new set of data security laws, one of which has added new fuel to a long running debate: how and when should security vulnerabilities be disclosed…and to […]
    Four Conditions … …For Why a Network Can be Anything But a Network! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . I have to admit that infotex is being called into engineering meetings with larger organizations these days that are NOT community based banks.  We […]