Posts Tagged ‘FFIEC authentication guidance’

FFIEC Authentication Guidance Update: The Need for Out Of Band Authentication

ffiec authentication guidanceThe Federal Financial Institutions Examinations Council’s (FFIEC) guidance for financial institutions, which was first issued in 2005, supports the use of strong authentication processes to protect the identities of customer identities and information during transactions that occurred online.

The FFIEC revisited these guidelines and addresses several areas because of the increasing number of identity fraud cases, phishing attacks, malware and man in the middle attacks. The FFIEC authentication guidance update addresses evaluating better risk assessment, adopting stronger authentication standards, using layered security, advanced authentication techniques and providing technology guidance for compliance.

Much of the focus of the FFIEC guidance update is regarding adoption of strong authentication for consumers and commercial banking. Financial institutions need to provide solutions and offer advice to the customers they service in addition to enhancing their online security measures.

The most effective strategy for detecting and preventing banking fraud schemes is to implement the use of layered security. “Layered security,” as defined by the FFIEC is “the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” Multiple layers of security have been proven to prevent identity attacks. If one security layer fails, the other layer of security is in place to prevent fraud attacks. Layered security options include out of band authentication and advanced transaction verification.

As financial institutions analyze online risks, they need to consider mobile devices as an effective layer for out of band authentication. Financial institutions aren’t doing enough when it comes to using mobile devices as an out of band layers for additional authentication. Most financial institutions are not flexible enough to respond to fraudulent attacks because they have the fraud detection technologies, but they can’t respond to these attacks fast enough to stop them.

The majority of financial institutions rely on risk controls and fraudulent detection technologies that don’t prevent or stop the new kind of attacks. Their security programs are not strong enough to combat these fraud attacks and they need to be building risk and security programs that aid fraud departments. These financial institutions also need to be dedicating budgets to quickly respond to these new kinds of attacks when they’re detected to minimize their losses. It’s not so much that the technology is a problem, but rather the minimal budgeting financial institutions have to combat these attacks.

Many of today’s financial institutions are relying on weak multi factor authentication such as a combination of usernames/passwords and some form of knowledge based authentication such as a question and answer or using a pin number. The FFIEC guidance has a stance on single factor authentication and many online fraud and identity attacks are the result of single factor authentication or weak multi factor authentication.

The FFEIC guidance and recommendations addresses better risk assessments, adopting stronger authentication standards, pushing towards multiple layers of security, exploring advanced authentication techniques and providing technology guidance for compliance.

Driving better risk assessments for financial institutions requires a better understanding of the new attacks and how to respond to them in a timely matter. This includes guidance for regular reviews of the internal systems of banks and the ability of these systems to detect and deal with fraudulent attacks.

Adopting stronger authentication standards is a must with the new types of attacks. User names and passwords aren’t enough to protect customers and neither are weak forms of multi factor authentication. Today’s attacks require stronger means of authentication especially for the high risk transactions such as wire transfers and ACH transactions. A way to adopt stronger authentication is to implement out of band authentication with a mobile device to prevent fraud attacks.

Multiple layers of security are a proven way to prevent fraud attacks which include malware. If one security layer fails, another layer can prevent the fraudulent attack. Security such as out of band authentication and advanced transaction verification can be very effective forms of multiple security layers.

Authentication technology needs to evolve and stay innovative as fraudulent attacks increase in sophistication. Financial institutions can implement mobile devices with out of band authentication and use stronger challenge questions as an example.

Providing technology guidance is a focus of the FFEIC and they provide instruction on technology and solutions such as fraud detection platforms. Other solutions also include fraud transaction monitoring and/or anomaly detection software.

Financial institutions can increase their security and at the same time keep their costs low by implementing out of band authentication solutions. Out of band authentication can be cost effective and a user friendly option since existing devices are already owned by users. This eliminates the high costs of implementing or deploying additional devices. By using a different medium such as a mobile device, smart phone, tablet, email, or SMS, an independent authentication can be delivered to users.

In using an out of band authentication, a customer can enter a one time password when prompted during an online session and the password can be sent through a mobile device. Without using the out of band authentication network (customer’s mobile phone), a transaction cannot be completed and a message can be sent to the customer that an attempt to access an online session was not complete. Out of band authentication is a highly effective technology and can prevent fraud attacks.

Most authentication methods can be comprised by phishing attacks and the focusing needs to be on authenticating transactions to prevent fraud attacks. Financial institutions need to have filters in place for any and all transactions. There is always a risk for fraud, but managing the risk by implanting out of band authentication can help lower these risks dramatically.
Many financial institutions consider out of band authentication a crucial part of preventing fraud, but some institutions find that customers may find using out of band authentication too difficult to implement with their users. The effectiveness of out of band authentication must be balanced with usability so that integration is not an issue for institutions or their customers. When the risk is higher than the cost to implement a security measure, it’s worth it for a financial institution to implement security like out of band authentication to prevent attacks and to protect their customers.