The updated FFIEC guidance on “Authentication in an Internet Banking Environment” is still not out. (The word ‘authentication’ in the title continues to be a source of confusion.) We are all waiting to hear what’s in it, and meanwhile one of the regulatory agencies is no doubt holding it up because it doesn’t want the banks or credit unions it oversees to incur more costs securing their online banking systems. This seems unfair and downright disappointing when you consider how some bank customers incur plenty of costs when they are not protected by Regulation E and have their accounts raided without their knowledge.
Hopefully the five agencies will come to agreement soon so that they can release the supplement to the 2005 guidance. If it is released, I think we can expect a thoughtful update to what exists, albeit one that will become outdated in less than a year when it comes to some of the detailed suggested measures that are reportedly outlined there.
Here’s what I understand is contained in the hopefully-soon-to-be issued supplement:
a) The best measure, in my opinion, is requiring financial institutions to explain explicitly to their account holders what types of protections they are, or are NOT, afforded. In other words, business account holders will now have to be explicitly informed that the business holds the bag if its accounts are raided through online banking (unless the bank promises to cover such losses through binding contracts between the bank and its customers).
At least this measure finally makes the rules of the game transparent and doesn’t keep them buried in the fine print of long contractual agreements that many customers find hard to read. With the introduction of this measure, customers should not be so shocked when they are not reimbursed by their bank for often crippling losses.
b) The FFIEC supplement will also reportedly require a layered security approach so that banks may not rely on any one authentication or security method — another promising provision.
c) There are reportedly lots more good theories and practices outlined in the supplement, including reinforcement of the need for banks to perform periodic risk assessments (which they should have been doing already under the old guidance), and to make sure they are keeping up with changes in the internal and external threat environment. The guidance also calls out business banking, noting that business transactions often entail higher levels of risk because they involve more money and more money transfers. (Duh… but I suppose the FFIEC needs to remind banks of this, given how some banks currently choose to protect — or rather not protect — business accounts).
d) Where the guidance supplement may fall down, in my opinion, is where it reportedly discourages ‘simple’ client device identification (CDI) and ‘simple’ knowledge-based authentication (KBA) and instead encourages the more complex form of each. In response to the 2005 guidance, many U.S. banks implemented simple device tagging with cookies or Flash objects to identify a user at log-in time, and then presented simple questions the user had to answer when logging in from a different machine. Both of these measures have been easily defeated by modern-day criminals.
Sure, a smarter device identification or KBA system will be harder for these crooks to beat, but they can and will beat them just as soon as the banks upgrade from the simple, dumb versions of these techniques to the complex, smarter ones. The regulators need to look at what has happened in other parts of the world as well as in the U.S., where just about every type of user authentication and transaction verification method (out-of-band or in-band) has been beaten. That’s not to say banks shouldn’t continue to strengthen these and other security layers – but it is to say that it’s dangerous to call out the strengthening of specific security layers and subtly imply that doing so can rectify the ills of many current security systems.
You can just imagine many U.S. financial institutions (and their service providers) falling into the same passive attitude and strategy they have had up until now. They may end up thinking their jobs are done when they move to complex CDI and KBA, and may ignore the smarter pieces of the guidance – such as having to conduct ‘periodic risk assessments’ and putting in security measures that mitigate the latest risks, and having to implement ‘layered security’ that doesn’t rely on just one or two controls.
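As an added illustration (not part of the original post) of the layered approach the supplement reportedly calls for, here is a constructed Python authorization policy in which a recognised device cookie and answered KBA questions count as weak, endpoint-bound signals, so they can never stand in for an independent out-of-band confirmation on a high-risk transfer. The layer names, risk tiers and dollar thresholds are assumptions for the example, not anything taken from the guidance.

```python
from dataclasses import dataclass

# Each control layer is tagged with the channel it depends on. Simple CDI (a
# cookie or Flash object) and static KBA answers both live on the customer's
# endpoint, so malware on that endpoint can replay all of them together.
LAYER_CHANNEL = {
    "password": "endpoint",
    "device_cookie": "endpoint",        # simple client device identification
    "static_kba": "endpoint",           # simple challenge questions
    "oob_confirmation": "out_of_band",  # transaction details confirmed elsewhere
}


@dataclass(frozen=True)
class Transfer:
    amount: float          # USD
    new_payee: bool
    business_account: bool


def risk_tier(tx: Transfer) -> str:
    """Stand-in for a periodic risk assessment; thresholds are assumed values."""
    if tx.business_account or tx.new_payee or tx.amount >= 10_000:
        return "high"
    if tx.amount >= 1_000:
        return "medium"
    return "low"


def decide(tx: Transfer, passed: set) -> tuple:
    """Return ("allow", None) or ("step_up", layer_to_require).

    Low risk: password only. Medium: any two layers. High: two layers on
    *different* channels, so password + cookie + KBA is never sufficient.
    """
    unknown = passed - set(LAYER_CHANNEL)
    if unknown:
        raise ValueError(f"unknown layers: {sorted(unknown)}")
    if "password" not in passed:
        return ("step_up", "password")
    tier = risk_tier(tx)
    if tier == "low":
        return ("allow", None)
    if tier == "medium":
        return ("allow", None) if len(passed) >= 2 else ("step_up", "oob_confirmation")
    channels = {LAYER_CHANNEL[layer] for layer in passed}
    if len(channels) >= 2:
        return ("allow", None)
    return ("step_up", "oob_confirmation")
```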
The last guidance was sound in principle and in its basic tenets – but the implementation got messed up because the guidance referred to specific technical solutions, and the regulatory examinations weren’t tough enough to enforce stronger security.
In any event, let’s just hope the bank lobbyists don’t get their way and keep the guidance from being issued. Even if the guidance is stripped down to just tell banks to warn their unprotected (i.e. business) customers that online banking can be very dangerous to their health and pocketbooks, the regulators will have made substantial headway in protecting the soundness and safety of the U.S. banking system.
At least the banks will be engaging in full disclosure to their customers – a basic tenet that many in the financial services industry, and the regulatory bodies that oversee them, still seem to be grappling with.
I suppose old habits die hard.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.