
FFIEC Scores on Supplement to Authentication Guidance

By Dan Hadaway | Thursday, August 4, 2011


Okay, let me be the first to admit that until today I had not “analyzed” the new authentication guidance.  Like many of my clients, I felt the guidance “couldn’t have come at a worse time.”  I was busy with a hundred projects and couldn’t muster the energy to dive into it on the weekend.

I’m at least proud that Infotex announced the guidance on our portal the day it was released, scan-read it to get the gist, and then struggled for a chance to read it one line at a time and decipher it.  And, having finally done so, I have to say the FFIEC did a great job on this one.

Fortunately (?) for me I was stranded in an airport today, and it turned out to be a very good read.  I encourage each and every one of you to take the time to fully understand the guidance, even if you’re lucky and have escaped the job of ensuring the bank’s compliance with it.

To help you out, I’m going to share my notes that I took while analyzing it.  They reduce your reading from twelve pages to four, so that might help you.   But I truly do believe that this guidance could be the basis of some management awareness training.

Also, please know that there WILL be a speaker at the Indiana Bankers Association IT Security Conference on October 12th and 13th who will address the topic in detail.  So, if you really want to maximize the value of the conference, you should at least review my notes before October!


(Please note that this is my own interpretation of what I read.)

Purpose: This guidance updates the 2005 Authentication Guidance to reflect evolving threats, attack tools, and vulnerabilities with internet banking.  It reinforces the 2005 risk management framework (including expectations for periodic risk assessments), and updates expectations regarding customer authentication, layered security, and other controls in the increasingly hostile environment.   It establishes minimum control expectations for “certain on-line banking transactions” and identifies controls that are “less effective.”  It also identifies minimum expectations for customer awareness and education programs.

Background: The bad guys are getting better and banks need to take customer authentication to the next level.  The controls implemented as a response to the 2005 guidance are no longer effective in the battle against fraudsters.

General Supervisory Expectations: Since “virtually every authentication technique can be compromised,” authentication should be implemented by designing a system of layered controls.

Specific Supervisory Expectations: Periodic risk assessments should determine new threats and respond to such threats.  These risk assessments should be conducted with each new product introduction, and at least every twelve months.   Factors to consider while updating your risk assessment include:

  • Changes in the internal and external threat environment (and there’s an appendix listing changes that must be considered.)
  • Changes in the customer base adopting the electronic banking.
  • Changes in customer functionality offered through electronic banking.
  • Actual incidents of security breaches, identity theft, or fraud experienced by the industry (or the institution.)

Customer Authentication for High-Risk Transactions:

Though the FFIEC still defines “high risk transactions” as those transactions involving access to customer information or movement of funds to third parties, it acknowledges that not all on-line transactions pose the same level of risk.  Therefore, financial institutions should implement more robust controls for high risk transactions.  Infotex is interpreting this to also mean that authentication can therefore be LESS ROBUST for lower risk transactions.

Retail/Consumer Banking:  The FFIEC acknowledges that, since the frequency and dollar amounts of these transactions are generally lower than those of commercial transactions, they pose a comparatively lower risk.  Layered security controls should be applied commensurate with the level of risk.

Business/Commercial Banking:  ACH file origination transactions and frequent interbank wire transfers pose a high risk.  Layered security controls are required by this guidance, and multifactor authentication is “recommended” for business customers.

Layered Security Programs:

Layered security, meaning the use of different controls at different points so that the strength of one control compensates for the weakness of another, is required for high risk transactions.  Effective controls that can be used in a layered approach include:

  • Fraud detection and monitoring systems that consider customer behavior and enable a timely response.
  • Dual customer authentication through different access devices.
  • Out-of-band verification
  • Positive Pay, Debit Blocks, and other techniques which appropriately limit the transactional use of the account.
  • Enhanced controls over account activities (transaction value thresholds, restricted payment recipients, number of transactions allowed per day, allowable payment windows).
  • IP reputation-based tools.
  • Policies and practices for addressing potentially compromised customer systems.
  • Enhanced controls over account maintenance
  • Enhanced customer education

Minimum Controls:

  • Detect and Respond to Suspicious Activity
    • Anomalous login activity
    • Anomalous Transfers to Third Parties
    • This requires a method of establishing customer’s behavior patterns.
    • Enhanced Controls (Preventative and Detective) for Administrative Functions
      • Setting Access Permissions
      • Modifying account limitations
      • Modifying application configurations
      • Require additional authentication controls (preventive)
        • Out-of-band Authentication
        • Multi-factor Authentication
  • Notifications and Verifications (detective)
    • Text or E-mail Alerting
    • Verification Process prior to implementing changes
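The “Detect and Respond to Suspicious Activity” controls above hinge on having a per-customer behaviour baseline to compare logins and third-party transfers against. The following is an added example (not part of the guidance and not Infotex code) of what such a comparison can look like: each signal is one layer, the score maps to the layered responses the notes describe (allow, step-up authentication, out-of-band verification), and every customer, device, payee and amount is constructed sample data. The 40/20/50-point weights and the 3-sigma amount test are assumptions for illustration.

```python
"""Added example, not part of the guidance or of Infotex's material: scoring
online-banking logins and third-party transfers against a per-customer
behaviour baseline, i.e. the "method of establishing customer's behavior
patterns" the minimum controls require.  All customers, devices, payees and
amounts are constructed sample data; weights and thresholds are assumed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Set, Tuple


@dataclass
class Baseline:
    """What is normal for one customer, learned from prior activity."""
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: Set[int]                 # hours of day (0-23) they usually log in
    known_payees: Set[str]                # third parties they have paid before
    past_amounts: List[float] = field(default_factory=list)


def login_risk(b: Baseline, device_id: str, country: str, hour: int) -> Tuple[int, List[str]]:
    """Score a login attempt.  Each signal is one layer; none decides alone."""
    score, reasons = 0, []
    if device_id not in b.known_devices:
        score += 40
        reasons.append("login from unrecognised device")
    if country not in b.usual_countries:
        score += 40
        reasons.append("login from unusual country")
    if hour not in b.usual_hours:
        score += 20
        reasons.append("login at unusual hour")
    return score, reasons


def transfer_risk(b: Baseline, payee: str, amount: float) -> Tuple[int, List[str]]:
    """Score a transfer to a third party against the customer's own history."""
    score, reasons = 0, []
    if payee not in b.known_payees:
        score += 50
        reasons.append("transfer to new third-party payee")
    if len(b.past_amounts) >= 5:
        mu, sigma = mean(b.past_amounts), pstdev(b.past_amounts)
        if amount > mu + 3 * max(sigma, 1.0):   # far outside this customer's pattern
            score += 40
            reasons.append("amount far above customer's usual transfers")
    elif amount > 1000:                          # too little history: flat threshold (assumed value)
        score += 40
        reasons.append("large amount with little transfer history")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to the layered response described in the notes."""
    if score >= 80:
        return "hold-and-verify"   # out-of-band verification before the activity proceeds
    if score >= 40:
        return "step-up"           # require additional authentication
    return "allow"


if __name__ == "__main__":
    cust = Baseline({"dev-A"}, {"US"}, set(range(8, 20)), {"Electric Co"},
                    [200, 250, 180, 220, 300, 210])
    for args in (("dev-A", "US", 10), ("dev-Z", "ZZ", 3)):
        s, why = login_risk(cust, *args)
        print("login", args, s, decide(s), why)
    s, why = transfer_risk(cust, "New Payee LLC", 5000)
    print("transfer", s, decide(s), why)
```

Note that the transfer check compares the amount with the customer’s own history rather than a bank-wide threshold, which is the point of a behaviour baseline: a $5,000 transfer is routine for one customer and anomalous for another.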

Effectiveness of Certain Authentication Techniques:

  • Simple Device Identification
    • Cookies may be copied to the bad guy’s PC.  If you use cookies, you need to change or add other control layers.
    • Geo-location and IP Address Matching can be spoofed with proxies.  If you use this method, you need to change or add other control layers.
    • Complex Device Identification
      • Know that NO device identification method alone is “foolproof.”
      • Digital Fingerprinting, where the authentication process considers several factors (such as combining cookies, IP Address Matching, and Geo-location.)
      • “One-time Cookies” are cookies that expire if not on the PC they were originally stored upon.
      • There are ways to detect the use of a proxy and, if one is detected, require additional authentication measures.
      • Challenge Questions
        • Simple questions can often be easily guessed by perpetrators who know the customer.
          • e.g.:  Mother’s Maiden Name, High School, Year of Graduation, etc.
          • Social Media Sites further decrease the effectiveness of simple challenge questions
  • “Out of Pocket Questions,” renamed by the guidance as “out-of-wallet” questions, require answers that are much more difficult to guess.
    • Out of Pocket Questions are those questions which require answers not easily discovered in a person’s wallet or purse, or social media site.
    • Examples include:  What was the amount of your last deposit?  What is the amount of your auto loan payment?  When was the last withdrawal over $500?
    • Include “red herring questions” that are more difficult for the fraudster to answer, but obviously nonsensical to the customer.    For example, “What is the amount of your monthly auto payment” to a customer with no auto loan, accompanied by “zero” as the answer.
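The device identification notes above make two points: a plain cookie can be copied to another PC, and a “one-time cookie” is only honoured on the PC it was issued to. The following added example (not from the guidance and not Infotex code) shows one way to build that: the device token is single-use and bound to a hash of several device attributes, so a copied token either fails the fingerprint check or, once both copies have been presented, is detected as a replay and the whole device enrolment is revoked pending step-up authentication. The attribute set used for the fingerprint, the registry class and the status strings are all assumptions for illustration.

```python
"""Added example, not part of the guidance or of Infotex's material: a
single-use ("one-time") device token bound to a device fingerprint, with
replay detection.  Device attributes and customer ids are constructed."""
import hashlib
import secrets
from typing import Dict, Optional, Set, Tuple


def fingerprint(user_agent: str, screen: str, timezone: str) -> str:
    """Hash several device attributes together (an assumed, minimal set).
    No single attribute is trusted on its own."""
    return hashlib.sha256("|".join([user_agent, screen, timezone]).encode()).hexdigest()


class DeviceRegistry:
    """Server-side record of enrolled devices.  Tokens are stored hashed."""

    def __init__(self) -> None:
        self.active: Dict[str, Tuple[str, str]] = {}   # token hash -> (customer, fingerprint)
        self.spent: Dict[str, str] = {}                 # token hash -> customer (already used once)
        self.revoked: Set[str] = set()                  # customers whose enrolments were torn down

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def enroll(self, customer: str, fp: str) -> str:
        """Issue a fresh token for this customer on this device."""
        token = secrets.token_urlsafe(32)
        self.active[self._h(token)] = (customer, fp)
        return token

    def _revoke(self, customer: str) -> None:
        self.revoked.add(customer)
        for h, (c, _) in list(self.active.items()):
            if c == customer:
                del self.active[h]

    def present(self, token: str, fp: str) -> Tuple[str, Optional[str]]:
        """Validate a token presented at login.  Returns (status, new_token)."""
        th = self._h(token)
        if th in self.spent:
            # A token that was already consumed came back: the cookie was copied.
            self._revoke(self.spent[th])
            return "replay-revoke-stepup", None
        if th not in self.active:
            return "unknown-device-stepup", None
        customer, stored_fp = self.active[th]
        # Consume the token whatever happens next: it is single-use.
        del self.active[th]
        self.spent[th] = customer
        if stored_fp != fp:
            # Token is valid but is being presented from a different device.
            return "fingerprint-mismatch-stepup", None
        # Recognised: rotate, so the customer's next visit carries a new token.
        return "recognized", self.enroll(customer, fp)


if __name__ == "__main__":
    reg = DeviceRegistry()
    home = fingerprint("Firefox/5.0", "1920x1080", "America/Indiana/Indianapolis")
    t1 = reg.enroll("cust-1", home)
    print(reg.present(t1, home)[0])     # recognized (and a new token is issued)
    print(reg.present(t1, home)[0])     # replay-revoke-stepup
```

The registry never stores the raw token, only its hash, so a leak of the server-side table does not hand out usable cookies; and because a mismatch or replay leads to step-up authentication rather than a hard lockout, the legitimate customer can re-enrol after proving who they are.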

Customer Awareness and Education

The awareness education program should address both commercial and consumer customers, and include AT A MINIMUM the following (verbatim from the guidance unless italicized):

  • “An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access.”  Note:  be sure to translate the above from “compliance-speak” to language the customer can understand.  Infotex can help and will be making boilerplates for this available soon.
  • An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials;
  • A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;  Note:  Infotex is working on templates and will have some available soon that you can rebrand for your customers to use.
  • A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; Note:   Infotex is still trying to determine exactly what this means.
  • A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.



The appendix drills down into details about the changing threat environment and explains the basics including Trojans, malware, keyloggers, man-in-the-middle attacks, man-in-the-browser attacks, etc.  It then explains various controls that can be implemented to prevent or detect such attacks.   It then suggests the creation of new controls to further enhance the robustness of “layered security,” including:


  • Establish, require and periodically review volume and value limitations or parameters for what activities a business customer in the aggregate, and its enrolled users individually, can functionally accomplish while accessing the online system;
  • Monitor and alert on exception events;
    • establish individual transaction and aggregate account exposure limits based on expected account activity;
    • establish payee whitelisting (e.g., positive pay) and/or blacklisting;
  • Require every ACH file originating entity to provide a proactive notice of intent to originate a file prior to its submission; and
  • Require business customers to deploy dual control routines over higher risk functions performed online.
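The appendix controls above (volume and value limits, aggregate exposure limits, payee whitelisting, notice of intent before ACH origination, and dual control over higher-risk functions) compose naturally into one authorization check. The following is an added example, not from the guidance and not Infotex code, of such a check for a single business customer; every control is evaluated so the audit trail lists every layer that failed, not just the first. The limits, payees, user names, business-day values and the `BusinessAccount`/`authorize` names are all constructed for illustration.

```python
"""Added example, not part of the guidance or of Infotex's material: one
authorization check that layers the appendix's controls for a business
customer.  Limits, payees, users and dates are constructed sample values."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class BusinessAccount:
    per_transaction_limit: float
    daily_aggregate_limit: float
    allowed_payees: Set[str]                            # payee whitelist (positive pay)
    dual_control_above: float                           # second approver required above this amount
    ach_notices: Set[str] = field(default_factory=set)  # business days with a notice of intent on file
    released_today: float = 0.0                         # aggregate value already approved today


def authorize(acct: BusinessAccount, kind: str, amount: float, payee: str,
              initiator: str, approver: Optional[str] = None,
              business_day: str = "") -> Tuple[str, List[str]]:
    """Return (decision, reasons).  kind is "wire" or "ach"."""
    failures: List[str] = []
    if amount > acct.per_transaction_limit:
        failures.append("exceeds per-transaction limit")
    if acct.released_today + amount > acct.daily_aggregate_limit:
        failures.append("exceeds daily aggregate exposure limit")
    if payee not in acct.allowed_payees:
        failures.append("payee not on whitelist")
    if kind == "ach" and business_day not in acct.ach_notices:
        failures.append("no notice of intent to originate ACH file for this day")
    if failures:
        return "rejected", failures
    # Dual control: a higher-risk amount needs a second, different person.
    if amount > acct.dual_control_above:
        if approver is None:
            return "pending-dual-control", ["second approver required"]
        if approver == initiator:
            return "rejected", ["approver must differ from initiator"]
    acct.released_today += amount        # counts toward today's aggregate exposure
    return "approved", []


if __name__ == "__main__":
    acct = BusinessAccount(10000, 25000, {"Acme Supplies", "Payroll Processor"},
                           5000, {"2011-08-05"})
    print(authorize(acct, "wire", 2000, "Acme Supplies", "alice"))
    print(authorize(acct, "ach", 8000, "Payroll Processor", "alice",
                    business_day="2011-08-05"))
    print(authorize(acct, "ach", 8000, "Payroll Processor", "alice",
                    approver="bob", business_day="2011-08-05"))
```

The aggregate counter only advances on approval, so a rejected or pending transaction does not consume the customer’s daily exposure, and a pending dual-control item can be re-submitted with the approver once the second person has reviewed it.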


Dan’s Bottom-line Summary:

This guidance is good for educational reasons and because it clarifies what needs to happen in order to truly manage the risk associated with “the access vulnerability” on “the electronic banking asset.”  However, it may require some banks to change, and it is unclear as to whether we should change BEFORE January 2012, or if examiners are truly going to “start guiding banks,” i.e., helping them understand how it pertains to them.

Having said that, I can’t believe somebody examined in first quarter 2012 will be “hammered” if they do not comply with this.  However, they better have their drill-down risk assessment completed, and their assets inventoried and categorized according to risk, and when I say assets I mean “at the granularity evident in this supplement.”

Dan Hadaway CRISC is the managing partner of Infotex.