IT security: Is your program still effective?

Posted by OnCourse Staff January 5, 2012 3:00pm

Photo Credit: BankWire

As online banking services become more sophisticated and more widely used, IT security measures that were effective only a few years ago may no longer be enough. In June 2011, the FFIEC issued Supplement to Authentication in an Internet Banking Environment, urging banks to tighten their controls on customer authentication. The FFIEC chose to revisit guidance originally issued in 2005 because common authentication methods and controls have “become less effective” in an “increasingly hostile online environment.” In light of the updated guidance, your bank should conduct an IT risk assessment and, if needed, implement more-complex customer authentication procedures as well as extra layers of protection.

Hackers increasingly sophisticated

Many banks responded to the 2005 guidance by implementing simple authentication procedures. But the FFIEC now recognizes that these techniques are insufficient to thwart today’s hackers. For example, a bank might load a “cookie” onto a customer’s computer to confirm that the username and password match the computer originally used to enroll the customer. But today hackers can easily copy these cookies to their own computers and then use them to impersonate the customer. A more effective approach is complex device identification, which uses “one-time” cookies to confirm not only the computer’s configuration but also its IP address, location and other characteristics.

Simple “challenge” questions also are vulnerable, because hackers can easily learn the answers — such as the customer’s mother’s maiden name or the street where the customer grew up — with a little research. A better approach is to 1) design challenge questions based on nonpublic information, 2) include “red herring” questions that will trip up hackers but that customers will recognize as nonsensical, and 3) set up multiple challenge questions and use different sets of questions in each online banking session.

Layered security offers more protection

It’s no longer sufficient to rely on one form of customer authentication, according to the FFIEC. The supplementary guidance recommends “layered security,” which means different controls at different points in the transaction process. This allows the strength of one control to compensate for weaknesses in other controls.

The number of layers depends on the level of risk. According to the FFIEC, for example, commercial customers generally present more risk than retail customers. That’s because commercial customers tend to conduct more frequent transactions in higher dollar amounts and make more use of ACH file origination and interbank wire transfers. One of the most effective layering strategies is “out-of-band” authentication of high-risk transactions. In other words, a transaction initiated through one channel — the Internet, for instance — must be verified or reauthenticated through another channel, such as the telephone. Once a transaction has been authenticated by a customer via computer, for example, some banks require the customer to input a code sent by text message to the customer’s cell phone. These measures are important because even multiple authentications via the same device are vulnerable to attack. Consider key logging malware. These software programs, which can be installed by visiting an infected website or downloading an e-mail attachment, record a customer’s computer keystrokes and transmit them over the Internet to a hacker.

Because the malware can be used to steal a customer’s logon ID and password, as well as the answers to challenge questions, it can overcome dual authentication strategies. Out-of-band authentication makes this far more difficult. Antimalware software can provide an additional layer of protection. Like antivirus software, these programs help prevent, detect and remove malware before a hacker has a chance to use it.
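As an added illustration of the out-of-band confirmation described above (example code, not the article’s or any bank’s own implementation), the following verifier approves low-risk transactions directly but requires a code delivered on a second channel for wires, ACH origination and large amounts. The class name, the `sms_sender` callback and the transaction dictionary layout are assumptions; the code is bound to the recipient and amount it was issued for, expires, and is single use, so a keylogger that captures it gains nothing for a different or later transaction.

```python
import hmac
import secrets
import time

# Added example; OutOfBandVerifier and sms_sender are assumed names, not FFIEC or bank code.
class OutOfBandVerifier:
    def __init__(self, sms_sender, high_risk_cents=100_000, ttl_seconds=300, max_attempts=3):
        self.sms_sender = sms_sender          # delivers the code over the second channel
        self.high_risk_cents = high_risk_cents
        self.ttl_seconds = ttl_seconds
        self.max_attempts = max_attempts
        self.pending = {}                     # tx_id -> [code, bound transaction, issued_at, attempts]

    def requires_out_of_band(self, tx):
        # Risk-based trigger: wires and ACH origination, or any large amount.
        return tx["type"] in ("wire", "ach") or tx["amount_cents"] >= self.high_risk_cents

    def initiate(self, tx):
        """Approve a low-risk transaction, or issue a second-channel code and return its id."""
        if not self.requires_out_of_band(tx):
            return "approved"
        tx_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(1_000_000):06d}"   # unpredictable 6-digit code
        self.pending[tx_id] = [code, dict(tx), time.time(), 0]
        # The message names the amount and recipient so the customer can spot a tampered transaction.
        self.sms_sender(tx["phone"],
                        f"Code {code} to confirm ${tx['amount_cents'] / 100:.2f} to {tx['recipient']}")
        return tx_id

    def confirm(self, tx_id, submitted_code, tx):
        """Approve only if the code is fresh, unused, correct and issued for this exact transaction."""
        entry = self.pending.get(tx_id)
        if entry is None:
            return "rejected"
        code, bound_tx, issued_at, attempts = entry
        if time.time() - issued_at > self.ttl_seconds or attempts >= self.max_attempts:
            del self.pending[tx_id]          # expired or too many guesses: customer must restart
            return "rejected"
        # A captured code cannot confirm a different recipient or amount than it was issued for.
        if bound_tx != dict(tx) or not hmac.compare_digest(code, submitted_code):
            entry[3] += 1
            return "rejected"
        del self.pending[tx_id]              # single use
        return "approved"
```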

Regulators call for other controls

The new guidance also recommends these tools and tactics:

  • Fraud monitoring and detection systems, which alert the bank to anomalies based on a customer’s history and behavior patterns.
  • Positive pay, which limits check payment to those on a preapproved list supplied by the customer.
  • Transaction limits (on transaction value, payment recipients or number of transactions per day).
  • Payment windows, which restrict payments to certain days and times.
  • Read-only USB devices that customers plug into their computers to create a secure channel directly to the bank’s servers and that aren’t susceptible to malware.

It’s also important to show customers how to protect themselves. Banks should educate customers on, for example, how to select an effective password, whom to contact in case of suspicious activity, and the circumstances under which the bank might request the customer’s authentication information.
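The controls listed above can be applied together at the point a payment is submitted. The screening function below is an added example, not code from the article or any bank: it checks one outgoing payment against a per-item limit, a positive-pay list, a daily count limit, a payment window and the customer’s own payment history, returning every control the payment trips. The policy keys, flag names and the constructed sample history are assumptions made for illustration.

```python
from datetime import datetime
from statistics import mean, pstdev

# Added example; policy keys, flag names and sample data are assumptions, not FFIEC or bank code.
SAMPLE_POLICY = {                       # constructed policy for a commercial customer
    "max_amount_cents": 250_000,        # per-item transaction limit
    "max_per_day": 3,                   # daily count limit
    "approved_payees": {"Acme Supply", "Payroll Co"},  # positive-pay list supplied by the customer
    "window_days": {0, 1, 2, 3, 4},     # payment window: Monday to Friday
    "window_hours": (8, 17),            # payment window: 08:00 to 17:00
    "z_threshold": 3.0,                 # anomaly: standard deviations above the customer's mean
}

def sample_history():
    """Constructed prior payments for one customer; "when" is an ISO-8601 timestamp."""
    return [{"amount_cents": a, "when": f"2011-12-{d:02d}T10:00"}
            for a, d in ((10_000, 5), (12_000, 9), (9_000, 12), (11_000, 16), (10_000, 20), (10_500, 23))]

def screen_payment(payment, history, policy, now_iso):
    """Return the control flags raised by one payment; an empty list means it passes all controls."""
    now = datetime.fromisoformat(now_iso)
    flags = []
    if payment["amount_cents"] > policy["max_amount_cents"]:
        flags.append("over_amount_limit")
    if payment["payee"] not in policy["approved_payees"]:
        flags.append("payee_not_on_positive_pay_list")
    today = [h for h in history if datetime.fromisoformat(h["when"]).date() == now.date()]
    if len(today) + 1 > policy["max_per_day"]:
        flags.append("daily_count_exceeded")
    lo, hi = policy["window_hours"]
    if now.weekday() not in policy["window_days"] or not lo <= now.hour < hi:
        flags.append("outside_payment_window")
    amounts = [h["amount_cents"] for h in history]
    if len(amounts) >= 5:               # judge "anomalous" only once there is some history
        mu, sigma = mean(amounts), pstdev(amounts)
        if sigma > 0 and (payment["amount_cents"] - mu) / sigma > policy["z_threshold"]:
            flags.append("amount_anomalous_for_customer")
    return flags
```

A flagged payment is the point at which the out-of-band confirmation discussed earlier, or a manual hold, would be required rather than simply declined.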

Get with the program

To ensure that your bank’s IT security program continues to be effective in the current environment, conduct periodic risk assessments and enhance your controls and customer education efforts as needed. Implementing the FFIEC’s supplementary guidance also will help you convince bank examiners that your IT security efforts are adequate.

OnCourse Staff

The OnCourse writing staff work to keep you informed about the most pertinent financial industry news of the moment.
