Finally, we can breathe a sigh of relief! The FFIEC finally issued an update to its 2005 Guidance on “Authentication in an Internet Banking Environment,” a document that instigated many of the security improvements we have seen over the past 5 years in online banking. But the 2005 guidance fell short by suggesting technical measures that quickly became obsolete in the face of today’s more sophisticated cyberattacks, a fact readily admitted in the 2011 update.
The forest — or the sound principals introduced by the 2005 Guidance – was lost for the trees — or the technical solutions that the appendix to the 2005 Guidance outlined, many of which fell flat on their face when it came to protecting customer bank accounts.
I’m afraid that could happen again this time since the FFIEC has not steered away from outlining technical measures and attack vectors that the banks will build their security to in the next few years. The cycle will likely repeat. The attacks will get more sophisticated, and will use new techniques that are not addressed in the details of the guidance.
In the regulators’ defense, many of their constituents want them to suggest detailed solutions, so the regulators do have to balance that need with the reality that the threat landscape will continue to morph quickly and the ‘suggested’ solutions will get out of date.
I think the industry would have been better off with a guidance document that stuck to the principles. Here the FFIEC Guidance did a really good job outlining the need for layered security measures, giving broad examples of layered security controls, specifying detection and response strategies, as well as offering sound advice on administrative controls, and customer awareness and education. It would have been advantageous if they had moved the details on device identification and challenge questions, and the appendix discussion on technical controls, to an entirely separate document that was updated on an (at least) annual basis.
Still, in the end, it was good to see all five U.S. financial regulatory agencies get on board as they needed to. (It appears that at least one of the five regulatory agencies was holding up the guidance release until now). Of course it’s a couple of years too late for many small (and large) American businesses who lost hundreds of millions of dollars in cyberfraud, which turned out to be unrecoverable, by U.S. law, from their banks. (See https://blogs.gartner.com/avivah-litan/2011/06/07/judicial-decision-favors-bank-over-defrauded-business-regulatory-blunder/). Hopefully, the updated guidance can be used by customers who suffer future cyberfraud to establish a baseline for what they can reasonably expect from their banks when it comes to electronic banking security measures.
In sum, there are some very positive aspects to the updated guidance, but there are still pieces that are missing or lacking.
First the positives:
a) The guidance clearly outlines the need for a system of layered security and repeats, as it should, the fact that virtually every authentication technique can be compromised. The last FFIEC guidance in this area spent too much time on specific authentication measures and not enough on a layered security approach.
b) It gives good guidance on considerations for updating risk assessments, and what environmental and customer changes to take into account when doing so.
c) It emphasizes a risk-based approach where controls are strengthened as risk increases.
d) It clearly delineates between the risks associated with consumer vs. business banking. The 2005 guidance did not do this and many in the industry incorrectly assumed it was mainly directed towards consumer accounts.
e) It outlines process changes that should be implemented to mitigate risk, including the use of ‘positive pay’, debit blocks, dual customer authorization, etc, and does not focus solely on technology measures. The last guidance did not include this aspect.
f) It calls out the need to control privileged user access to sensitive applications. The 2005 guidance did not address this dimension.
g) It clearly tells financial institutions that the techniques many of them have relied upon, i.e. simple device identification and easily exposed challenge questions, are not good enough anymore given today’s threat landscape.
But the guidance still falls short in several areas, in my opinion:
a) Its wording is too wishy washy when it comes to delineating bank responsibility from customer responsibility. It uses words like ‘could have prevented’ or ‘suggestion’ too often. The regulators should be more matter of fact in setting out the guidelines and principles. For example, they should tell banks that they NEED to detect and STOP money transfers that are CLEARLY OUT OF THE ORDINARY when compared with the customer’s established pattern of behavior. (See bottom of page 10 for example).
b) There is nothing in the guidance that specifically addresses the needs and requirements of small banks (which constitute over 80% of the U.S. bank population in terms of number of institutions) that rely on third party service providers for online banking and online banking security. Where’s the guidance for them?
c) The guidance is much too unclear on Customer Awareness and Education . (See Page 7). It does say that banks need to explain to their customers what protections are provided — and not provided — to account holders relative to electronic fund transfer. But it makes no mention of HOW they need to impart this explanation. So banks can still get away with burying the explanations on protections to their business customers in long multi-page wordy contracts printed in very small font, which customers may not read. Or if they do, they may continue to not notice how limited the protections are. The FFIEC should have established minimum requirements on what clear disclosure looks like.
d) Much of the guidance is backwards looking. The FFIEC guidance does a good job of addressing yesterday’s threats and suggested techniques for defeating them, but it is not sufficiently forward looking. For example, it spends a good amount of time and space on out of band authentication and transaction verification techniques, as it should, but does not sufficiently discuss what that should look like in the coming age of mobile banking from smartphones or tablets.
Likewise, it spends a good amount of time on addressing threats from attacks to PC-based electronic banking, but does not address telephone banking attacks that can take various forms. Surely the threats will change substantially over the next five years. Given that the guidance is specific in its discussion about the techniques used to prevent yesterday’s attacks, it should devote more time describing how those attacks are likely to change. (Granted that’s a very difficult thing to do).
Either that or — much better yet — it should steer clear of embellishing the details of attacks and various technical solutions because soon, the controls outlined in the appendix to the guidance will be ‘so last year’. And then we will all be bothering the regulators to update the guidance once again…