Industry Update: New FFIEC Guidance – The Need for Improved Data Security

By John Rostern, Managing Director, Coalfire

The FFIEC recently released a supplement that updates its Authentication in an Internet Banking Environment guidance (released in October 2005). The new guidance will go into effect for regulatory audits beginning in January 2012. The supplement re-emphasizes the 2005 expectations for an improved and periodic risk assessment process. It notes that risk assessments should include regular reviews of systems and controls with respect to their ability to mitigate established threats such as malware, and of how changes in functionality may impact the risk profile. This includes recommendations for the actual analysis of security breaches, identity theft or other frauds.

The update addresses the need for improved security and fraud awareness for both customers and employees. There is particular differentiation between commercial and consumer accounts and an emphasis on the need for improved customer education for commercial account holders. This is critical given that fraud risk to commercial accounts is not mitigated by regulation (Reg E) and that many SMB account holders do not have organic information security capabilities. Therefore, both the vulnerability and the potential exposure of these account holders are higher than those of consumers and large commercial enterprises.

What does the new guidance recommend?
As part of the recommended layered security approach, the guidance encourages the use of multifactor authentication and the need for improved device authentication and protection.  This is in line with best practices already implemented at many larger institutions and will provide an impetus for wider adoption.  The issues around the challenge questions implemented to provide a second factor under the original 2005 guidance have also been enumerated.  With the spread of social networking and the general availability of much of the basic information used in these challenge questions, it is recommended that either stronger challenge questions or another type of second factor be used.

High on the list of candidates for a second factor is out-of-band authentication, where a one-time use passcode is transmitted to an alternate device (for example, an SMS text to a registered cell phone). Unfortunately, this approach has already been shown to be vulnerable to compromise in a Man in the Browser (MitB) attack and would have limited utility in a mobile banking scenario, since there typically would be no device independence. It is suggested that transaction-level, as opposed to session-level, authentication using a second factor may provide a solution that would fit both mobile and traditional Internet banking.

The supplement specifically outlines that the concept of authentication is broad and that institutions should consider more than just the point at which the customer initially logs into a session. A compelling argument for transaction-level authentication is the increase in social engineering attacks that compromise the user’s browser, allowing attackers to leverage established sessions to perform transactions, including financial transactions. Authentication risks should be key considerations in the risk assessment process and in a layered security approach, which should include a more modular authentication methodology.
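The difference between session-level and transaction-level authentication discussed in the two paragraphs above, as an added example that is not part of the original article or the FFIEC guidance: a one-time code that depends only on a counter verifies no matter which payment reaches the bank, while a code computed over payee and amount fails when those details differ from what the customer approved. The key, account identifiers, amounts and function names are constructed for illustration, and the customer's code is assumed to be computed on a separate device from the details the customer intends.

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int = 8) -> str:
    """HOTP-style dynamic truncation (RFC 4226) of a MAC to a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def session_code(key: bytes, counter: int) -> str:
    """Session-level code: depends only on a counter, not on what is approved."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest())


def transaction_code(key: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Transaction-level code: the MAC also covers payee and amount."""
    msg = struct.pack(">Q", counter) + f"|{payee}|{amount_cents}".encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def bank_verifies(key, counter, received_payee, received_amount, code, bound):
    """Bank recomputes the code over the transaction it actually received."""
    expected = (transaction_code(key, counter, received_payee, received_amount)
                if bound else session_code(key, counter))
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    key, counter = b"constructed-demo-key", 7           # constructed sample values
    intended = ("ACCT-1001", 25_000)                    # what the customer approved
    altered = ("ACCT-9999", 950_000)                    # what reached the bank instead
    s_code = session_code(key, counter)                 # customer's session-level code
    t_code = transaction_code(key, counter, *intended)  # customer's bound code
    return {
        "session_accepts_altered": bank_verifies(key, counter, *altered, s_code, False),
        "bound_accepts_altered": bank_verifies(key, counter, *altered, t_code, True),
        "bound_accepts_intended": bank_verifies(key, counter, *intended, t_code, True),
    }


if __name__ == "__main__":
    print(demo())
```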

In lieu of establishing a second factor at the application level, process-based controls may provide additional security for certain transactions. For example, requiring the customer to call the bank to approve ACH transactions above a certain threshold or cumulative daily limit would add an ‘out of band’ control that is also divorced from the automated portion of the transaction. This sort of positive confirmation can be easily implemented on a customer-by-customer basis, but would potentially require additional human resources at some institutions.
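One way to express the positive-confirmation control described above, as an added example that is not part of the original article: ACH items over a per-transaction threshold, or that would push the day's released total past a cumulative limit, are held until a phone confirmation is recorded. The class and field names, customer identifiers, limits and dates are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AchPolicy:
    single_limit_cents: int   # hold any single item above this amount
    daily_limit_cents: int    # hold items that push the day's total above this


@dataclass
class AchGate:
    default: AchPolicy
    policies: dict = field(default_factory=dict)   # customer -> AchPolicy override
    released: dict = field(default_factory=dict)   # (customer, day) -> cents released
    held: dict = field(default_factory=dict)       # txn_id -> (customer, cents, day)

    def submit(self, txn_id: str, customer: str, cents: int, day: str) -> str:
        policy = self.policies.get(customer, self.default)
        running = self.released.get((customer, day), 0)
        if cents > policy.single_limit_cents:
            reason = "single"
        elif running + cents > policy.daily_limit_cents:
            reason = "cumulative"
        else:
            self.released[(customer, day)] = running + cents
            return "RELEASED"
        # Held items are not counted toward the daily total until confirmed.
        self.held[txn_id] = (customer, cents, day)
        return f"HELD:{reason}"

    def confirm_by_phone(self, txn_id: str) -> str:
        """Record the customer's call-back approval and release the held item."""
        item = self.held.pop(txn_id, None)
        if item is None:
            return "UNKNOWN"
        customer, cents, day = item
        self.released[(customer, day)] = self.released.get((customer, day), 0) + cents
        return "RELEASED"


def demo() -> list:
    gate = AchGate(default=AchPolicy(1_000_000, 2_500_000),
                   policies={"smb-42": AchPolicy(500_000, 1_000_000)})
    day = "2012-01-03"  # constructed sample date
    steps = [gate.submit(f"t{i}", "smb-42", amt, day)
             for i, amt in enumerate([400_000, 400_000, 300_000, 600_000], 1)]
    steps.append(gate.confirm_by_phone("t3"))
    steps.append(gate.submit("t5", "smb-42", 50_000, day))
    steps.append(gate.submit("t6", "other-co", 600_000, day))
    return steps
```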

How does the new guidance address mobile banking?
Unfortunately, the guidance does not adequately address the single largest growth area for transactions – mobile banking. While policy analysts at the FDIC have opined that the guidance applies equally to mobile devices, the new guidance fails to address the additional risks associated with mobile devices. With the evolution of mobile banking to support transactions as opposed to just inquiry, the underlying security issues associated with mobile devices become a much greater risk factor. The initial text banking implementations did not require that credentials be shared. As mobile banking has evolved to include both browser- and app-based variants, the security of the underlying smartphone operating systems has become critical. With online transaction capabilities already deployed by many institutions and the prospective boom in mobile payments, the risk profile will change dramatically in the near future.

Lastly, the new guidance discusses the need for improved fraud detection through what is effectively continuous controls monitoring.  The type of heuristic monitoring that is advocated would provide for alerting in the event of ‘abnormal’ activity.  This type of exception-based reporting is viable as part of an overall security monitoring program, but it may not be practical to expect institutions of all sizes to implement this type of control in a consistent manner.

The revisions to the authentication standard will advance the state of regulatory guidance and provide the basis for improved, risk-based security at financial institutions. The challenges faced by the regulators are daunting in that the state of technology and the associated threat environment are evolving at a much faster pace than the regulatory calendar. Finally, as regulators begin to use the supplemental guidance provided by the FFIEC in their examinations, financial institutions should ensure that the authentication controls that have been implemented are well documented and aligned with a formal risk assessment that is updated periodically.