As online banking services become more sophisticated and more widely used, IT security measures that were effective only a few years ago may no longer be enough. In June 2011, the FFIEC issued Supplement to Authentication in an Internet Banking Environment, urging banks to tighten their controls on customer authentication. The FFIEC chose to revisit guidance originally issued in 2005 because common authentication methods and controls have “become less effective” in an “increasingly hostile online environment.” In light of the updated guidance, your bank should conduct an IT risk assessment and, if needed, implement more-complex customer authentication procedures as well as extra layers of protection.
Hackers increasingly sophisticated
Many banks responded to the 2005 guidance by implementing simple authentication procedures. But the FFIEC now recognizes that these techniques are insufficient to thwart today’s hackers. For example, a bank might load a “cookie” onto a customer’s computer to confirm that the username and password match the computer originally used to enroll the customer. But today hackers can easily copy these cookies to their own computers and then use them to impersonate the customer. A more effective approach is to use more complex device identification techniques, which use “onetime” cookies to confirm not only the computer’s configuration, but also its IP address, location and other characteristics.
Simple “challenge” questions also are vulnerable, because hackers can easily learn the answers — such as the customer’s mother’s maiden name or the street where the customer grew up — with a little research. A better approach is to 1) design challenge questions based on nonpublic information, 2) include “red herring” questions that will trip up hackers but that customers will recognize as nonsensical, and 3) set up multiple challenge questions and use different sets of questions in each online banking session.
Layered security offers more protection
It’s no longer sufficient to rely on one form of customer authentication, according to the FFIEC. The supplementary guidance recommends “layered security,” which means different controls at different points in6 the transaction process. This allows the strength of one control to compensate for weaknesses in other controls.
The number of layers depends on the level of risk. According to the FFIEC, for example, commercial customers generally present more risk than retail customers. That’s because commercial customers tend to conduct more frequent transactions in higher dollar amounts and make more use of ACH file origination and interbank wire transfers. One of the most effective layering strategies is “out-of-band” authentication of high-risk transactions. In other words, a transaction initiated through one channel — the Internet, for instance — must be verified or reauthenticated through another channel, such as the telephone. Once a transaction has been authenticated by a customer via computer, for example, some banks require the customer to input a code sent by text message to the customer’s cell phone. These measures are important because even multiple authentications via the same device are vulnerable to attack. Consider key logging malware. These software programs, which can be installed by visiting an infected website or downloading an e-mail attachment, record a customer’s computer keystrokes and transmit them over the Internet to a hacker.
Because the malware can be used to steal a customer’s logon ID and password, as well as the answers to challenge questions, it can overcome dual authentication strategies. Out-of-band authentication makes this far more difficult. Antimalware software can provide an additional layer of protection. Like antivirus software, these programs help prevent, detect and remove malware before a hacker has a chance to use it.
Regulators call for other controls
The new guidance also recommends these tools and tactics:
Get with the program
To ensure that your bank’s IT security program continues to be effective in the current environment, conduct periodic risk assessments and enhance your controls and customer education efforts as needed. Implementing the FFIEC’s supplementary guidance also will help you convince bank examiners that your IT security efforts are adequate.
The OnCourse writing staff work to keep you informed about the most pertinent financial industry news of the moment