On June 29, 2011, the Federal Financial Institutions Examination Council (the “FFIEC” or the “Council”) issued new guidelines to assist financial institutions in protecting sensitive customer account data against cyberfraud. The new guidelines (the “Supplement”), issued as a supplement to the Council’s 2005 guidance entitled Authentication in an Internet Banking Environment (“2005 Guidance”), encourage financial institutions to perform periodic risk assessments, implement layered security controls, update their authentication techniques, and educate their customers about their security practices in Internet transactions.
While the Supplement is applicable to financial institutions, it provides important guidance and best practices that can assist all companies with designing and implementing authentication measures and safeguards.
The FFIEC, a government interagency body charged with setting uniform standards for the financial industry, issued the Supplement as a response to several developments in the Internet threat landscape over the last six years. These developments include the prevalence of increasingly sophisticated hacker methods, an increased specialization in financial fraud by criminal groups, and a growth of automated attack tools aimed at less experienced users.
In addition to stressing the importance of performing periodic risk assessments, the Supplement encourages institutions to implement security controls proportionate to the risk level of the transaction. For example, commercial banking and other high-risk transactions necessitate a system of layered security controls, rather than a single control.
Layered Security Programs
To a larger extent than the 2005 Guidance, the Supplement relies on layered security, which it defines as the use of different controls at different points in a transaction so that weaknesses in one control can be compensated for by the strength of a different control. While layered security often involves the use of several controls on the same transaction, the Council expects that an institution’s layered security program will contain, at a minimum, two features: (1) the processes to detect and respond to suspicious activity related to initial log-in and the transferring of funds; and (2) enhanced security controls for system administrators.
Device and Customer Authentication
The Council also updated its previous guidelines for device and user identification. The Supplement replaces the recommendation of simple device identification with a more sophisticated form of device identification. While simple identification involves loading a cookie on a customer’s computer to confirm that it is the same computer the customer used previously, the Supplement’s approach to device identification uses “one-time” cookies to create a more complex digital fingerprint. Because this complex method of device identification is considerably more accurate, the Council discourages institutions from using simple device identification as a primary security control.
Finally, the Supplement recommends an improvement to basic challenge questions, which are often used to re-authorize a customer. Given the amount of personal information that is often readily available on the Internet, the Supplement states that basic challenge questions are no longer effective as primary security controls. To be effective, the Council states, the user should be required to answer multiple “out of wallet” questions about personal information not typically publicly available, such as “What was the color of your first car?” and “What is your shoe size?”
An appendix to the Supplement discusses two particularly sophisticated and effective cyberfraud attack tools: keylogging and “man-in-the-middle” attacks. Keylogging involves tracking and recording a customer’s keystrokes through sophisticated malware installed surreptitiously on a customer’s computer. A man-in-the-middle attack involves intercepting a customer’s authorization credentials and using them to log into the customer’s account.
The appendix recommends several tools to counter these attacks: anti-malware software; transaction monitoring and anomaly detection software, which monitors online banking activity for suspicious funds transfers; “out-of-band” authentication, which requires a transaction initiated through one delivery channel (e.g. the Internet) to be verified through an independent delivery channel (e.g. the telephone); USB devices that bypass the operating system and application software on the customer’s computer, ensuring a secure link between the computer and the financial institution; and the use of restricted funds transfer recipient lists.
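To make the layered-security and appendix recommendations above concrete, here is an added illustration (not code from the Supplement or from the author of this summary) of how several of the named controls can be combined on a single funds transfer: device identification, a restricted recipient list, anomaly detection on the amount, and out-of-band verification as a step-up. The profile data, fingerprints and the 3-sigma threshold are constructed for the example.

```python
# Toy layered control for a funds transfer. Each control is independent, so a
# weakness in one (e.g. a stolen cookie) is compensated for by the others.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class CustomerProfile:
    known_devices: set        # fingerprints of previously enrolled devices
    approved_recipients: set  # restricted funds-transfer recipient list
    past_amounts: list        # recent transfer amounts, for anomaly detection


@dataclass
class TransferRequest:
    device_fingerprint: str
    recipient: str
    amount: float
    out_of_band_confirmed: bool = False  # verified via an independent channel


def evaluate_transfer(profile, request):
    """Return (decision, flags); decision is 'allow', 'step_up' or 'block'."""
    flags = []
    # Control 1: the restricted recipient list is a hard stop, not a step-up.
    if request.recipient not in profile.approved_recipients:
        return "block", ["recipient not on approved list"]
    # Control 2: device identification; an unknown device is suspicious.
    if request.device_fingerprint not in profile.known_devices:
        flags.append("unrecognised device")
    # Control 3: anomaly detection against the customer's own history
    # (3 sigma, with a floor so a flat history does not trip on tiny changes).
    if len(profile.past_amounts) >= 3:
        mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
        if request.amount > mu + 3 * max(sigma, 1.0):
            flags.append("amount anomalous vs. history")
    if not flags:
        return "allow", flags
    # Any flag requires out-of-band confirmation before the transfer proceeds.
    if request.out_of_band_confirmed:
        return "allow", flags
    return "step_up", flags


if __name__ == "__main__":
    profile = CustomerProfile({"fp-a"}, {"acct-1", "acct-2"}, [100, 120, 110, 130])
    print(evaluate_transfer(profile, TransferRequest("fp-a", "acct-1", 125)))
    print(evaluate_transfer(profile, TransferRequest("fp-b", "acct-1", 5000)))
```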