For the first time in over five years the Federal Financial
Institutions Examination Council (FFIEC) has released new guidance for online
banking security that will likely prod banks and credit unions to improve the
way they protect customers from fraud, and that should have channel partners thinking
carefully about who they partner with and how they offer FFIEC-compliant
products and services.
Taking effect in January 2012, the supplemental guidance
offers greater specificity above and beyond the 2005 "Authentication in an
Internet Banking Environment," which focused primarily on requiring banks
to offer two-factor authentication for greater security. However, it offered
little in the way of guidance for other layers of security, such as anomaly
detection to prevent fraud, or for encouraging
general risk management practices within the online banking environment.
"This is long overdue," says Ori Eisen,
founder and CIO of 41st Parameter, a fraud detection software company.
"The problem that we have today is that a lot of risk controls have been
focused on making the doors stronger or harder to get through by using stronger
authentication, but the problem with that is if that’s the only thing you’re
doing and your authentication is broken, the crooks have unfettered access to
There have been a number of cases in recent years where
business banking customers in particular have had to eat a large chunk of
fraudulent charges after hackers figured out how to game certain two-factor
authentication through malware. Unlike consumers, businesses do not get a
safety net extended by banks in the event of fraud. Often cyber criminals who
target these business customers can manage to steal hundreds of thousands of
dollars if the financial institution doesn’t have enough fraud detection
mechanisms in place.
When banks have been taken to court following these kinds of
theft, they’ve managed to hide behind the old FFIEC guidance as evidence of
‘due care’ taken with customer accounts. But security experts, and now even the
FFIEC, have admitted that those old suggestions were not nearly enough to beat
back today’s brand of financially motivated hackers.
"The 2005 guidance fell short by suggesting technical
measures that quickly became obsolete in the face of today’s more sophisticated
cyberattacks, a fact readily admitted in the 2011 update," wrote Avivah
Litan, Gartner analyst. "The forest — or the sound principles introduced by
the 2005 Guidance — was lost for the trees — or the technical solutions that
the appendix to the 2005 Guidance outlined, many of which fell flat on their
face when it came to protecting customer bank accounts."
This acknowledgement that essentially any type of authentication
suitable for online banking can be defeated in some way or another is a breath of fresh air to some proponents of fraud
"I think that was a great acknowledgement and really
set forth that and encouraged banks to look at risk in a more even and specific
way," says Tiffany Riley, vice president of marketing for Guardian
Analytics, a fraud detection software firm. "They provided more
specificity into their minimum expectations for the types of security programs
that institutions should have in place and it is a great step forward."
According to Riley, the two biggest improvements set out by
the FFIEC update are suggestions for technology to detect anomalous behavior
and effectively respond, and also the requirement for greater security in the
administrative controls on the banking side should the bank itself get hacked.
Litan does wonder, though, whether the FFIEC repeated
some of the same mistakes it made in 2005.
"I think the industry would have been better off with
a guidance document that stuck to the principles," she said. "The
FFIEC has not steered away from outlining technical measures and attack vectors
that the banks will build their security to in the next few years. The cycle
will likely repeat. The attacks will get more sophisticated, and will use new
techniques that are not addressed in the details of the guidance."
Regardless, experts believe this new guidance could be a
huge opportunity for channel providers that cater to the financial vertical.
"I think the VARs and the MSPs have to go beyond the
simple authentication which was OK five years ago when the last FFIEC guidance
was published and really adopt new partners and technology to get the true
spirit of what this guidance is really about," Eisen says. "If you
help customers with risk management and the fraud detection layer we’ve been
missing all this time, you’ll do a few things in one fell swoop: you’ll become
more valuable to your banks, you’ll protect the bank and you’ll protect all consumers
better as an end result."
"It certainly offers partners an opportunity to look
and see what it means for solutions and approaches they can sell into their
financial services customers," she says. If you can take them to the next
level and deliver end-to-end solutions and be a one-stop shop in adding a new
level of security to meet the guidelines, that’s a very strong business value