Tuesday, July 23, 2019

IT security: Is your program still effective?

Posted by OnCourse Staff January 17, 2014 11:49am

Photo Credit: BankWire

As online banking services become more sophisticated and more widely used, IT security measures that were effective only a few years ago may no longer be enough. In June 2011, the FFIEC issued Supplement to Authentication in an Internet Banking Environment, urging banks to tighten their controls on customer authentication. The FFIEC chose to revisit guidance originally issued in 2005 because common authentication methods and controls have “become less effective” in an “increasingly hostile online environment.” In light of the updated guidance, your bank should conduct an IT risk assessment and, if needed, implement more-complex customer authentication procedures as well as extra layers of protection.

Hackers increasingly sophisticated

Many banks responded to the 2005 guidance by implementing simple authentication procedures. But the FFIEC now recognizes that these techniques are insufficient to thwart today’s hackers. For example, a bank might load a “cookie” onto a customer’s computer to confirm that the username and password match the computer originally used to enroll the customer. But today hackers can easily copy these cookies to their own computers and then use them to impersonate the customer. A more effective approach is to use more complex device identification techniques, which use “onetime” cookies to confirm not only the computer’s configuration, but also its IP address, location and other characteristics.

Simple “challenge” questions also are vulnerable, because hackers can easily learn the answers — such as the customer’s mother’s maiden name or the street where the customer grew up — with a little research. A better approach is to 1) design challenge questions based on nonpublic information, 2) include “red herring” questions that will trip up hackers but that customers will recognize as nonsensical, and 3) set up multiple challenge questions and use different sets of questions in each online banking session.

Layered security offers more protection

It’s no longer sufficient to rely on one form of customer authentication, according to the FFIEC. The supplementary guidance recommends “layered security,” which means different controls at different points in6 the transaction process. This allows the strength of one control to compensate for weaknesses in other controls.

The number of layers depends on the level of risk. According to the FFIEC, for example, commercial customers generally present more risk than retail customers. That’s because commercial customers tend to conduct more frequent transactions in higher dollar amounts and make more use of ACH file origination and interbank wire transfers. One of the most effective layering strategies is “out-of-band” authentication of high-risk transactions. In other words, a transaction initiated through one channel — the Internet, for instance — must be verified or reauthenticated through another channel, such as the telephone. Once a transaction has been authenticated by a customer via computer, for example, some banks require the customer to input a code sent by text message to the customer’s cell phone. These measures are important because even multiple authentications via the same device are vulnerable to attack. Consider key logging malware. These software programs, which can be installed by visiting an infected website or downloading an e-mail attachment, record a customer’s computer keystrokes and transmit them over the Internet to a hacker.

Because the malware can be used to steal a customer’s logon ID and password, as well as the answers to challenge questions, it can overcome dual authentication strategies. Out-of-band authentication makes this far more difficult. Antimalware software can provide an additional layer of protection. Like antivirus software, these programs help prevent, detect and remove malware before a hacker has a chance to use it.

Regulators call for other controls

The new guidance also recommends these tools and tactics:

  • Fraud monitoring and detection systems, which alert the bank to anomalies based on a customer’s history and behavior patterns,
  • Positive pay, which limits check payment to those on a preapproved list supplied by the customer,
  • Transaction limits (on transaction value, payment recipients or number of transactions per day),
  • Payment windows, which restrict payments to certain days and times
  • Read-only USB devices that customers plug into their computers to create a secure channel directly to the bank’s servers and that aren’t susceptible to malware.
It’s also important to show customers how to protect themselves. Banks should educate customers on, for example, how to select an effective password, whom to contact in case of suspicious activity, and the circumstances under which the bank might request the customer’s authentication information.

Get with the program

To ensure that your bank’s IT security program continues to be effective in the current environment, conduct periodic risk assessments and enhance your controls and customer education efforts as needed. Implementing the FFIEC’s supplementary guidance also will help you convince bank examiners that your IT security efforts are adequate.

Comments

Add a comment

  • Required fields are marked with *.

If you have trouble reading the code, click on the code itself to generate a new random code.



 Image

OnCourse Staff

The OnCourse writing staff work to keep you informed about the most pertinent financial industry news of the moment



OnCourse Staff's Posts Subscribe to RSS Feed



New Jersey's Corporate Business Tax Legislation: A Look at the Impact for Banks
Correspondent Banking: The Challenges of Data Transparency
Training – An Investment and Risk Management Tool
Are You Gambling with Your BSA Program?
The Case of Foreign Banks and Heightened Scrutiny
IRS and New Jersey Tax Audits of Banks
State Taxation of Financial Institutions in Today's Environment
Does your 401(k) Plan need an Audit?
De-Risking of Foreign Correspondent Banks
Same Day ACH Credits – Phase One
FinCEN Finalizes Ruling on Beneficial Ownership and Ongoing Customer Due Diligence
Is the IRS Status of your Defined Benefit plan in Jeopardy?
The Dilemma of Banking Medical Marijuana Businesses and Other Indirect Risks
Is your Institution Monitoring Working Capital Lines of Credit?
Financial Reporting and Regulatory Update on the Horizon
BSA/AML Training: Is your program effective?
Planning in a Consolidating Banking Industry
To opt-out or not to opt-out, that is the question – A reminder on March 31, 2015 Call Report, Schedule RC-R, item 3.a
Anti-Money Laundering – The Age of Technology
FFIEC Releases Revised BSA/AML Examination Manual: So what’s new?
OFAC Consolidates Non-SDN Listings
Coping with HOPA
Coping with the CFPB’s Ability-to-Repay Rule
Appraisal Disclosure Rule
Cybercriminals Broaden their Attacks in Social Networks
The Importance of Segregating a Bank’s Credit Function from its Lending Function
Appraisal Management Companies in Regulatory Crosshairs
All About the Home Owners Protection Act
Requesting Current Financial Information
Countdown to Windows XP End of Life and Support: Are you still at Risk?
314(b) Distinct Advantages for Financial Institutions
Where is the Document?
The Credit -- Er, IT Crisis?
Building a Better Hen House
Ready the Ramparts! : IT Security and the Modern Bank
Wag the Dog
Consumerization of Technology and its influence on Information Security
Keeping the Balance: IT Security and the Org Chart
IT Security: "IT's" About Process
Detective, Reactive and Preventive: Evolving Your IT Security
Do You Know The Security Features of the New $100 Bill?
Segregation of Duties for Wire Transfer Processing
Summarizing ACAMS White Paper on EDD and AML Risk Assessments (Industry Survey)
Allowance for Loan Loss Tips and Tricks
Community Banks Slowly Warm Up to Private Student Loans
Has your Bank updated the Adverse Action Notice?
How Does Your Bank Handle Customer Requested Maintenance Changes?
OCC Releases Booklet on "Common Sense" Community Banking
New SAR Filing Updates
Is your BSA/AML automated monitoring system up to par?
The Importance of BSA Training
Office of Foreign Assets Control (“OFAC”) introduces the OFAC SDN Fuzzy Logic Search Tool
Filing the New CTR Forms: What you need to Know
FFIEC Proposed Risk Management Guidance on Social Media: Beware and Prepare
Pandemic Preparedness: Are you testing your Pandemic Plan?
FFIEC issues revised “Supervision of Technology Service Providers” booklet
Is Your Institution's Marketing UDAAP Compliant?
What is Enterprise Risk Management?
New OCC Guidance Released on Investor Owned Properties
Electronic Work Papers - Why P&G Made the Switch
OCC to Toughen Exams in Response to United States Senate Permanent Subcommittee On Investigations
Clarifying Regulatory Obligations Regarding Continuing Activity SAR Filings
Federal Regulatory Agencies Proposal New Rule
Risk management - Smaller institutions and the benefits of ERM
Strengthening Your Loan Maintenance Monitoring
New Lending Proposal from CFPB
FDIC Reaches Settlement on Overdraft Fees
FRB Guidance on Foreclosures
Loan Denials and Withdrawals – Tips to Sure Up your Process
The Summer of CFPB Proposals
Community Lenders Seize Market Share From Big Banks by Using Advanced Online Lending Technology
Dodd-Frank Rule to Change Legal Lending Limit Monitoring Requirements
The ABCs of a TDR
Supreme Court ruling for the Freeman, et al. v. Quicken Loans, Inc case
New FinCEN Guidance for CTR Aggregation for Businesses with Common Ownership (FIN – 2012 –G001)
Senior member of House of Financial Services Committee Introduces Overdraft Protection Act
FinCEN is looking to streamline the financial institution reporting process by issuing mandatory E-filing reporting requirements.
Curry: Operational Risk Now OCC’s Top Concern
JOBS Act Client Alert - Rules 506 of Regulation D
New Rules Proposal for Servicers Coming from the CFPB
Wall Street Receives Volcker Rule Clarity
De-stressing with stress testing
Banks Participate in Information Sharing to Battle Online Theft
IT security: Is your program still effective?
Banking Solutions: ALLL and GAAP in Agreement
How are the most recent regulatory enforcement trends that banks are facing today affecting internal audit? Why?
What are the most recent regulatory enforcement trends that banks are facing today?
Mobile banking: How do we get there?
UBS further struggles with $2 Billion loss by Rogue Trader
Capital One Becomes Dodd-Frank Test as Nation’s Fifth Largest Bank
Community Banks to receive US Funding for Small Businesses
FDIC fields questions about overdraft guidance
Negligent Hiring – A mistake can cost more than just money!
Regulatory Burden – Managing the Pain
From Embezzlement to Imprisonment: Former Citigroup employee faces charges with $19.2 million in bank fraud
TDR or Not to TDR …Much Ado about Nothing?
Finding the Right Hire
Model behavior: Is your ALM model capturing your bank’s risks?
ALLL best practices: Pay attention to qualitative factors
Abandoned Property Law, and its new New York State of Mind
Consumerization of Technology and its influence on Information Security
FDIC releases Provisions on Dodd-Frank to help Community Banks
Social Media in the Employment Arena – It Gets Funky!
The Proof is in the Pudding: Affects of Dodd-Frank on Community Banks
Banks and Businesses get "swiped" over Fees
A little bit of this, and a little bit of that: Fed Unveils list of Banks Helped during Financial Crisis of 2008
IT Security: "IT's" About Process
To Test or Not to Test; That is the Question
2011 Failed Bank List Hits 25
Wag the Dog
Committee on Financial Services to Hold Hearing on the Effects of Dodd-Frank on Small Biz and Banks Today
2011 Failed Bank List up to 18
A Culture of Whatever: On the Path to Proper Governance
The Test Drive: Leasing or Buying a HR IT Platform
Detective, Reactive and Preventive: Evolving Your IT Security
Cracking the ALLL Code: How to Develop the Right FAS 114 Methodology
Double Digits: Bank Closings up to 11 in 2011
FCIC Releases Report on the Causes of the Financial Crisis
Part of the In Crowd: Thoughts on the Dodd-Frank Act
Another One Bites the Dust: Regulators Close 4 Banks
Keeping the Balance: IT Security and the Org Chart
On Notice: FDIC Issues Rule for Temp Unlimited Deposit Insurance
2011 Failed Bank List Up to 3
Welcome to OnCourse
Stick 'Em Up!
Time for a Tune-Up: The Necessity of a HR Audit
Visa Instituting Two-Tiered Debit Card Interchange Structure
The First Failed Banks of 2011
The Credit -- Er, IT Crisis?
Painting a Masterpiece: The Art of the ALLL Reserve
The Law on Your Side: Understanding HR Regulations in 2011
Building a Better Hen House
Ready the Ramparts! : IT Security and the Modern Bank
No Respite from RESPA