FFIEC Scores on Supplement to Authentication Guidance
Okay, let me be the first to admit that until today I had not “analyzed” the new authentication guidance. Like many of my clients, I felt the guidance “couldn’t have come at a worse time.” I was busy with a hundred projects and couldn’t muster the energy to dive into it on the weekend.
I’m at least proud that Infotex announced the guidance on our portal the day it was released, scan-read it to get the gist, and then struggled to find a chance to read it one line at a time and decipher it. And, having finally done so, I have to say the FFIEC did a great job on this one.
Fortunately (?) for me I was stranded in an airport today, and it turned out to be a very good read. I encourage each and every one of you to take the time to fully understand the guidance, even if you’re lucky and have escaped the job of ensuring the bank’s compliance with it.
To help you out, I’m going to share my notes that I took while analyzing it. They reduce your reading from twelve pages to four, so that might help you. But I truly do believe that this guidance could be the basis of some management awareness training.
Also, please know that there WILL be a speaker at the Indiana Bankers Association IT Security Conference on October 12th and 13th who will address the topic in detail. So, if you really want to maximize the value of the conference, you should at least review my notes before October!
(Please note that this is my own interpretation of what I read.)
Purpose: This guidance updates the 2005 Authentication Guidance to reflect evolving threats, attack tools, and vulnerabilities affecting internet banking. It reinforces the 2005 risk management framework (including expectations for periodic risk assessments), and updates expectations regarding customer authentication, layered security, and other controls in the increasingly hostile environment. It establishes minimum control expectations for “certain on-line banking transactions” and identifies controls that are “less effective.” It also identifies minimum expectations for customer awareness and education programs.
Background: The bad guys are getting better and banks need to take customer authentication to the next level. The controls implemented as a response to the 2005 guidance are no longer effective in the battle against fraudsters.
General Supervisory Expectations: Since “virtually every authentication technique can be compromised,” authentication should be implemented by designing a system of layered controls.
Specific Supervisory Expectations: Periodic risk assessments should identify new threats and drive the institution’s response to them. These risk assessments should be conducted with each new product introduction, and at least every twelve months. Factors to consider while updating your risk assessment include:
- Changes in the internal and external threat environment (there is an appendix listing changes that must be considered).
- Changes in the customer base adopting electronic banking.
- Changes in customer functionality offered through electronic banking.
- Actual incidents of security breaches, identity theft, or fraud experienced by the industry (or the institution).
Customer Authentication for High-Risk Transactions:
Though the FFIEC still defines “high risk transactions” as those involving access to customer information or movement of funds to third parties, it acknowledges that not all on-line transactions pose the same level of risk. Therefore, financial institutions should implement more robust controls for high-risk transactions. Infotex interprets this to also mean that authentication can be LESS ROBUST for lower-risk transactions.
Retail/Consumer Banking: The FFIEC acknowledges that, since the frequency and dollar amounts of these transactions are generally lower than for commercial transactions, they pose a comparatively lower risk. Layered security controls should be applied commensurate with the level of risk.
Business/Commercial Banking: ACH file origination transactions and frequent interbank wire transfers pose a high risk. Layered security controls are required by this guidance, and multifactor authentication is “recommended” for business customers.
Layered Security Programs:
Layered security, in which different controls are applied at different points so that the strength of one control compensates for the weakness of another, is required for high-risk transactions. Effective controls that can be used in a layered approach include:
- Fraud detection and monitoring systems that consider customer behavior and enable a timely response.
- Dual customer authentication through different access devices.
- Out-of-band verification.
- Positive Pay, Debit Blocks, and other techniques which appropriately limit the transactional use of the account.
- Enhanced controls over account activities (transaction value thresholds, restricted payment recipients, number of transactions allowed per day, allowable payment windows).
- IP reputation-based tools.
- Policies and practices for addressing potentially compromised customer systems.
- Enhanced controls over account maintenance.
- Enhanced customer education.
At a minimum, the layered program is expected to do two things:
- Detect and respond to suspicious activity, specifically:
  - Anomalous login activity.
  - Anomalous transfers to third parties.
  - This requires a method of establishing the customer’s behavior patterns, since you cannot flag an anomaly without a baseline.
- Provide enhanced controls (preventive and detective) for administrative functions on business accounts, such as:
  - Setting access permissions.
  - Modifying account limitations.
  - Modifying application configurations.
  - Requiring additional authentication controls (preventive):
    - Out-of-band authentication.
    - Multi-factor authentication.
  - Notifications and verifications (detective):
    - Text or e-mail alerting.
    - A verification process prior to implementing changes.
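To make the “establish behavior patterns, then detect and respond” requirement concrete, here is an added example of my own (not code from the guidance or from Infotex). It builds a per-customer baseline from past login and transfer events, scores new events for anomalous logins (unknown device, unknown country, unusual hour) and anomalous third-party transfers (new payee, amount far outside the customer’s norm), and maps the findings to a response. The event records, field names, and thresholds are constructed for illustration; a real deployment would feed it from the banking platform’s logs.

```python
"""Added example, not from the FFIEC supplement or from Infotex: a minimal
behaviour-baseline detector of the kind the layered-security list calls for.
It builds a per-customer profile from past login and transfer events, then
scores new events for anomalous logins (unknown device, unknown country,
unusual hour) and anomalous transfers to third parties (new payee, amount far
above the customer's norm), and maps the findings to a response. The event
records, field names and thresholds are constructed for illustration."""
from statistics import mean, pstdev

# Constructed history for one commercial customer: (customer, kind, attributes).
HISTORY = [
    ("acme", "login", {"device": "d1", "country": "US", "hour": 9}),
    ("acme", "login", {"device": "d1", "country": "US", "hour": 10}),
    ("acme", "login", {"device": "d2", "country": "US", "hour": 14}),
    ("acme", "transfer", {"payee": "vendor-a", "amount": 1200.0}),
    ("acme", "transfer", {"payee": "vendor-b", "amount": 900.0}),
    ("acme", "transfer", {"payee": "vendor-a", "amount": 1500.0}),
    ("acme", "transfer", {"payee": "payroll", "amount": 1100.0}),
]


def build_profiles(history):
    """Establish each customer's behaviour pattern from historical events."""
    profiles = {}
    for customer, kind, a in history:
        p = profiles.setdefault(customer, {"devices": set(), "countries": set(),
                                           "hours": set(), "payees": set(),
                                           "amounts": []})
        if kind == "login":
            p["devices"].add(a["device"])
            p["countries"].add(a["country"])
            p["hours"].add(a["hour"])
        elif kind == "transfer":
            p["payees"].add(a["payee"])
            p["amounts"].append(a["amount"])
    return profiles


def score_login(profile, event):
    """Return the reasons a login deviates from the customer's baseline."""
    reasons = []
    if event["device"] not in profile["devices"]:
        reasons.append("unknown device")
    if event["country"] not in profile["countries"]:
        reasons.append("unknown country")
    # Within two hours of any previously seen login hour counts as normal.
    if not any(abs(event["hour"] - h) <= 2 for h in profile["hours"]):
        reasons.append("unusual hour")
    return reasons


def score_transfer(profile, event, z_limit=3.0):
    """Return the reasons a third-party transfer deviates from the baseline."""
    reasons = []
    if event["payee"] not in profile["payees"]:
        reasons.append("new payee")
    amounts = profile["amounts"]
    if amounts:
        mu, sd = mean(amounts), pstdev(amounts)
        # z-score against past amounts; with no spread in the history,
        # anything above the (constant) historical amount is anomalous.
        if (sd > 0 and (event["amount"] - mu) / sd > z_limit) or \
           (sd == 0 and event["amount"] > mu):
            reasons.append("anomalous amount")
    return reasons


def evaluate(profiles, customer, kind, event):
    """Score an event and pick a response: allow, step_up (require
    out-of-band verification) or hold (manual review before release)."""
    profile = profiles.get(customer)
    if profile is None:
        # No baseline yet (new enrolment): treat everything as unverified.
        return ["no behaviour history"], "step_up"
    if kind == "login":
        reasons = score_login(profile, event)
    else:
        reasons = score_transfer(profile, event)
    if not reasons:
        return reasons, "allow"
    if kind == "transfer" and len(reasons) >= 2:
        return reasons, "hold"
    return reasons, "step_up"


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    print(evaluate(profiles, "acme", "login",
                   {"device": "d9", "country": "RO", "hour": 3}))
    print(evaluate(profiles, "acme", "transfer",
                   {"payee": "mule-1", "amount": 9800.0}))
```

The point to notice is that the response is tiered: a single oddity on a login gets out-of-band verification, while a transfer that is both to a never-seen payee and far above the customer’s usual amounts is held rather than merely challenged, which is the “timely response” the guidance asks for.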
Effectiveness of Certain Authentication Techniques:
- Simple Device Identification
  - Geo-location and IP address matching can be spoofed with proxies. If you rely on this method, you need to change it or add other control layers.
- Complex Device Identification
  - Know that NO device identification method alone is “foolproof.”
  - Digital fingerprinting, where the authentication process considers several factors (such as combining cookies, IP address matching, and geo-location).
  - “One-time cookies” are replaced on every session, so a cookie copied off the customer’s PC and replayed from another machine no longer matches the current one.
  - There are ways to detect the use of a proxy and, if one is detected, require additional authentication measures.
- Challenge Questions
  - Simple questions can often be easily guessed by perpetrators who know the customer (e.g., mother’s maiden name, high school, year of graduation).
  - Social media sites further decrease the effectiveness of simple challenge questions.
  - “Out of pocket questions,” which the guidance calls “out-of-wallet” questions, require answers that are much more difficult to guess.
  - Out-of-wallet questions are those whose answers cannot easily be discovered from a person’s wallet or purse, or from a social media site.
  - Examples include: What was the amount of your last deposit? What is the amount of your auto loan payment? When was the last withdrawal over $500?
  - Include “red herring questions” that are more difficult for the fraudster to answer, but obviously nonsensical to the customer. For example, “What is the amount of your monthly auto payment” to a customer with no auto loan, with “zero” as the correct answer.
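Since the techniques above are meant to be layered, here is an added example of my own (not code from the guidance or from Infotex) that strings them together into one step-up login: a device is recognized by a digital fingerprint over several collected attributes plus a one-time cookie that is replaced on every accepted login; an unknown fingerprint, a suspected proxy, or a replayed (copied) cookie falls back to out-of-wallet challenge questions drawn from account data, including a red-herring question about a product the customer does not have. The account records, attribute names, and server key are constructed for illustration, and the password check is assumed to have already happened.

```python
"""Added example, not from the guidance or from Infotex: a step-up login that
combines complex device identification (fingerprint + one-time cookie),
proxy detection and out-of-wallet challenge questions with a red herring.
The account records, attribute names and server key are constructed for
illustration; the password step is assumed to have been verified already."""
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, in production from an HSM/KMS

# Constructed core-banking data for one customer. None means "no such product".
ACCOUNTS = {
    "jdoe": {"last_deposit": 2450.00, "last_withdrawal_over_500": "2011-06-14",
             "auto_loan_payment": None},
}


def fingerprint(attrs):
    """Digital fingerprint: hash of the stable attributes we assume are collected."""
    material = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(material.encode()).hexdigest()


class DeviceRegistry:
    """Maps customer -> {fingerprint: current one-time cookie}."""

    def __init__(self):
        self.devices = {}

    def issue_cookie(self, customer, fp):
        """Mint a fresh cookie bound to (customer, fingerprint); the previous one is void."""
        token = secrets.token_hex(16)
        tag = hmac.new(SERVER_KEY, f"{customer}:{fp}:{token}".encode(), hashlib.sha256).hexdigest()
        cookie = f"{token}.{tag}"
        self.devices.setdefault(customer, {})[fp] = cookie
        return cookie

    def check_device(self, customer, attrs, cookie, proxy_suspected=False):
        """Return (recognised, reason). Only the most recently issued cookie counts."""
        if proxy_suspected:
            return False, "proxy detected"
        current = self.devices.get(customer, {}).get(fingerprint(attrs))
        if current is None:
            return False, "unknown fingerprint"
        if cookie is None or not hmac.compare_digest(cookie, current):
            return False, "stale or copied cookie"
        return True, "device recognised"


def _normalise(answer):
    """Compare amounts as numbers so '$2,450', '2450' and 'zero'/'0' all line up."""
    a = answer.strip().lower().replace("$", "").replace(",", "")
    if a in ("zero", "none", "no", "n/a"):
        a = "0"
    try:
        return f"{float(a):.2f}"
    except ValueError:
        return a  # dates and other non-numeric answers compare as text


def build_challenge(customer):
    """Out-of-wallet questions from account data, plus a red-herring question."""
    acct = ACCOUNTS[customer]
    auto = acct["auto_loan_payment"]
    return [
        ("What was the amount of your last deposit?", _normalise(str(acct["last_deposit"]))),
        ("When was your last withdrawal over $500? (YYYY-MM-DD)", _normalise(acct["last_withdrawal_over_500"])),
        # Asked of every customer; "zero" is the right answer for one with no auto loan.
        ("What is the amount of your monthly auto loan payment?", _normalise("0" if auto is None else str(auto))),
    ]


def verify_answers(customer, answers):
    """All answers must match; every answer is checked so timing reveals nothing."""
    expected = [a for _, a in build_challenge(customer)]
    if len(answers) != len(expected):
        return False
    ok = True
    for given, want in zip(answers, expected):
        ok &= hmac.compare_digest(_normalise(given).encode(), want.encode())
    return ok


def login(registry, customer, attrs, cookie, answers=None, proxy_suspected=False):
    """Step-up flow after the (assumed) password check. Returns a result dict."""
    recognised, reason = registry.check_device(customer, attrs, cookie, proxy_suspected)
    fp = fingerprint(attrs)
    if recognised:
        return {"status": "ok", "cookie": registry.issue_cookie(customer, fp)}  # rotate
    if answers is None:
        return {"status": "challenge", "reason": reason,
                "questions": [q for q, _ in build_challenge(customer)]}
    if verify_answers(customer, answers):
        return {"status": "ok", "cookie": registry.issue_cookie(customer, fp)}  # enrol device
    return {"status": "denied", "reason": reason}
```

Two things worth noticing: the cookie is rotated on every accepted login, so a copy lifted by malware stops working the moment the real customer logs in again, and the red-herring question is asked of everyone, so a fraudster armed with stolen statements still has to know that this customer has no auto loan.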
Customer Awareness and Education
The awareness education program should address both commercial and consumer customers, and include AT A MINIMUM the following (verbatim from the guidance, except for the items marked “Note”):
- An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access. Note: be sure to translate the above from “compliance-speak” into language the customer can understand. Infotex can help and will be making boilerplates for this available soon.
- An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials;
- A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically. Note: Infotex is working on templates and will soon have some available that you can rebrand for your customers to use.
- A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; Note: Infotex is still trying to determine exactly what this means.
- A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.
The appendix drills down into details about the changing threat environment and explains the basics including Trojans, malware, keyloggers, man-in-the-middle attacks, man-in-the-browser attacks, etc. It then explains various controls that can be implemented to prevent or detect such attacks. It then suggests the creation of new controls to further enhance the robustness of “layered security,” including:
- Establish, require and periodically review volume and value limitations or parameters for what activities a business customer in the aggregate, and its enrolled users individually, can functionally accomplish while accessing the online system;
- Monitor and alert on exception events;
  - establish individual transaction and aggregate account exposure limits based on expected account activity;
  - establish payee whitelisting (e.g., positive pay) and/or blacklisting;
- Require every ACH file originating entity to provide a proactive notice of intent to originate a file prior to its submission; and
- Require business customers to deploy dual control routines over higher risk functions performed online.
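The appendix’s suggested controls are easier to picture as one policy check in front of the transaction queue, so here is an added example of my own (not code from the guidance or from Infotex). It enforces per-user and aggregate daily value and volume limits, a payee whitelist and blacklist, a proactive notice of intent before an ACH file is accepted, and dual control (a second enrolled user must approve) for higher-risk functions. The customer configuration, user names, limits, and request fields are constructed for illustration.

```python
"""Added example, not from the guidance or from Infotex: a business-banking
authorisation policy implementing the appendix's suggested controls: per-user
and aggregate daily value/volume limits, payee whitelist/blacklist, notice of
intent for ACH files, and dual control over higher-risk functions. The
configuration, user names, limits and request fields are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    enrolled_users: set            # users the customer has enrolled
    user_daily_value: dict         # user -> max total value per business day
    user_daily_count: dict         # user -> max number of transactions per day
    aggregate_daily_value: float   # whole-customer exposure limit per day
    payee_whitelist: Optional[set] # None = whitelist not enforced
    payee_blacklist: set
    dual_control_over: float       # amounts at/above this need a second approver
    dual_control_functions: set    # functions that always need a second approver


@dataclass
class Ledger:
    """Running totals for the current business day (reset nightly, assumed)."""
    value_by_user: dict = field(default_factory=dict)
    count_by_user: dict = field(default_factory=dict)
    aggregate_value: float = 0.0
    ach_notices: set = field(default_factory=set)  # file ids announced in advance


def notice_of_intent(ledger, file_id):
    """Customer announces an ACH file before submitting it."""
    ledger.ach_notices.add(file_id)


def authorize(policy, ledger, req):
    """req keys (assumed): user, kind ('transfer' | 'ach_file' | 'add_payee'),
    amount, payee, approver, file_id. Returns (decision, reasons) where decision
    is 'accept', 'pending_approval' or 'reject'; accepted requests are booked."""
    reasons = []
    user, kind = req["user"], req["kind"]
    amount = float(req.get("amount", 0.0))
    payee = req.get("payee")

    if payee is not None:
        if payee in policy.payee_blacklist:
            reasons.append("payee blacklisted")
        if policy.payee_whitelist is not None and payee not in policy.payee_whitelist:
            reasons.append("payee not whitelisted")
    if ledger.count_by_user.get(user, 0) + 1 > policy.user_daily_count.get(user, 0):
        reasons.append("user daily count exceeded")
    if ledger.value_by_user.get(user, 0.0) + amount > policy.user_daily_value.get(user, 0.0):
        reasons.append("user daily value exceeded")
    if ledger.aggregate_value + amount > policy.aggregate_daily_value:
        reasons.append("aggregate exposure exceeded")
    if kind == "ach_file" and req.get("file_id") not in ledger.ach_notices:
        reasons.append("no notice of intent for ACH file")
    if reasons:
        return "reject", reasons

    # Dual control: a different enrolled user must approve higher-risk work.
    needs_dual = kind in policy.dual_control_functions or amount >= policy.dual_control_over
    approver = req.get("approver")
    if needs_dual and (approver is None or approver == user
                       or approver not in policy.enrolled_users):
        return "pending_approval", ["dual control required"]

    # Book the transaction against today's limits.
    ledger.count_by_user[user] = ledger.count_by_user.get(user, 0) + 1
    ledger.value_by_user[user] = ledger.value_by_user.get(user, 0.0) + amount
    ledger.aggregate_value += amount
    return "accept", []


# Constructed configuration for one commercial customer.
DEMO_POLICY = Policy(
    enrolled_users={"alice", "bob"},
    user_daily_value={"alice": 50000.0, "bob": 20000.0},
    user_daily_count={"alice": 10, "bob": 5},
    aggregate_daily_value=55000.0,
    payee_whitelist={"vendor-a", "payroll"},
    payee_blacklist={"mule-1"},
    dual_control_over=25000.0,
    dual_control_functions={"ach_file", "add_payee"},
)

if __name__ == "__main__":
    ledger = Ledger()
    print(authorize(DEMO_POLICY, ledger, {"user": "alice", "kind": "transfer",
                                          "amount": 30000, "payee": "payroll"}))
```

Note that the limit checks run before the dual-control check: a request that breaches a limit is rejected outright rather than queued for a second approver, so an approver never sees something the policy would not permit anyway, and the aggregate limit is checked against the whole customer, not just the requesting user.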
Dan’s Bottom-line Summary:
This guidance is good for educational reasons and because it clarifies what needs to happen in order to truly manage the risk associated with “the access vulnerability” on “the electronic banking asset.” However, it may require some banks to change, and it is unclear whether we should change BEFORE January 2012, or whether examiners are truly going to “start guiding banks,” i.e., helping them understand how it pertains to them.
Having said that, I can’t believe somebody examined in first quarter 2012 will be “hammered” if they do not comply with this. However, they better have their drill-down risk assessment completed, and their assets inventoried and categorized according to risk, and when I say assets I mean “at the granularity evident in this supplement.”
Dan Hadaway CRISC is the managing partner of Infotex.