FFIEC Online Banking Security Guidance a Big Opportunity for Solution Providers
For the first time in over five years, the Federal Financial Institutions Examination Council (FFIEC) has released new guidance for online banking security. It will likely prod banks and credit unions to improve the way they protect customers from fraud, and it should have channel partners thinking carefully about who they partner with and how they offer FFIEC-compliant products and services.
Taking effect in January 2012, the supplemental guidance offers greater specificity above and beyond the 2005 "Authentication in an Internet Banking Environment," which focused primarily on requiring banks to offer two-factor authentication for greater security. However, it offered little in the way of guidance for other layers of security, such as anomaly detection to prevent fraud, or for encouraging general risk management practices within the online banking environment.
"This is long overdue," says Ori Eisen, founder and CIO of 41st Parameter, a fraud detection software company. "The problem that we have today is that a lot of risk controls have been focused on making the doors stronger or harder to get through by using stronger authentication, but the problem with that is if that's the only thing you're doing and your authentication is broken, the crooks have unfettered access to all accounts."
There have been a number of cases in recent years where business banking customers in particular have had to eat a large chunk of fraudulent charges after hackers figured out how to defeat certain two-factor authentication schemes using malware. Unlike consumers, businesses do not get a safety net extended by banks in the event of fraud. Cyber criminals who target these business customers can often steal hundreds of thousands of dollars if the financial institution doesn't have enough fraud detection mechanisms in place.
When banks have been taken to court following these kinds of thefts, they've managed to hide behind the old FFIEC guidance as evidence of 'due care' taken with customer accounts. But security experts, and now even the FFIEC, have admitted that those old suggestions were not nearly enough to beat back today's brand of financially motivated hackers.
"The 2005 guidance fell short by suggesting technical measures that quickly became obsolete in the face of today's more sophisticated cyberattacks, a fact readily admitted in the 2011 update," wrote Avivah Litan, Gartner analyst. "The forest — or the sound principles introduced by the 2005 Guidance — was lost for the trees — or the technical solutions that the appendix to the 2005 Guidance outlined, many of which fell flat on their face when it came to protecting customer bank accounts."
This acknowledgement that essentially any type of authentication suitable for online banking can be defeated in some way or another is a breath of fresh air to some proponents of fraud detection technology.
"I think that was a great acknowledgement and really set forth that and encouraged banks to look at risk in a more even and specific way," says Tiffany Riley, vice president of marketing for Guardian Analytics, a fraud detection software firm. "They provided more specificity into their minimum expectations for the types of security programs that institutions should have in place and it is a great step forward."
According to Riley, the two biggest improvements set out by the FFIEC update are its suggestions for technology to detect anomalous behavior and respond effectively, and its requirement for stronger administrative controls on the banking side, should the bank itself get hacked.
Litan does wonder, though, whether the FFIEC repeated some of the same mistakes it made in 2005.
"I think the industry would have been better off with a guidance document that stuck to the principles," she said. "The FFIEC has not steered away from outlining technical measures and attack vectors that the banks will build their security to in the next few years. The cycle will likely repeat. The attacks will get more sophisticated, and will use new techniques that are not addressed in the details of the guidance."
Regardless, experts believe this new guidance could be a huge opportunity for channel providers that cater to the financial vertical.
"I think the VARs and the MSPs have to go beyond the simple authentication which was OK five years ago when the last FFIEC guidance was published and really adopt new partners and technology to get the true spirit of what this guidance is really about," Eisen says. "If you help customers with risk management and the fraud detection layer we've been missing all this time, you'll do a few things in one fell swoop: you'll become more valuable to your banks, you'll protect the bank and you'll protect all consumers better as an end result."
"It certainly offers partners an opportunity to look and see what it means for solutions and approaches they can sell into their financial services customers," she says. "If you can take them to the next level and deliver end-to-end solutions and be a one-stop shop in adding a new level of security to meet the guidelines, that's a very strong business value proposition."