CUInfoSecurity.com - Information Security News, Regulations, & Education

New Authentication Guidance Coming?

Experts Weigh in on What's Needed to Improve Strong Authentication
July 12, 2010 - Linda McGlasson, Managing Editor
Troubled by the past year's trend of corporate account takeovers, federal banking regulators are now discussing new guidance for online banking authentication.

Sources within the agencies confirm that a subgroup of the Federal Financial Institutions Examinations Council is currently looking at amending its 2005 strong authentication guidance. But there are no solid indications of when the new guidance might be issued or what it will include.

In anticipation of this new guidance, industry experts offer their assessments of what's right and wrong with the current authentication guidance, as well as what should be expected from the new.

'Badly Misinterpreted'

When it was first revised five years ago, the FFIEC guidance was "badly misinterpreted" by the industry, according to George Tubin, an analyst at Tower Group. "Everyone read multifactor authentication and thought that was the only thing that mattered."

Among the topics covered in the 2005 guidance:

  • Customer Account Authentication -- Where the risk assessment indicates that single-factor authentication is inadequate for the types of services offered, institutions should employ multifactor authentication, layered security or other controls.
  • Monitoring and Reporting -- Institutions should have policies and procedures in place that adequately monitor system access. If they detect unauthorized access to applications or members' accounts, they must report it to local law enforcement.
  • Customer Awareness -- Customer education is critical in terms of reducing account fraud and identity theft. Institutions should implement a customer awareness program and evaluate current education efforts to determine if additional steps are necessary.
Some analysts believe the existing guidance already contains the core elements necessary to protect online transactions. Namely, banking institutions should assess the risks for their electronic banking applications and channels and implement controls commensurate with those risks.

"The problem is that the guidance the FFIEC issued was confusing because they talked a lot about multifactor authentication and Internet banking only, as opposed to all electronic banking," says Avivah Litan, an analyst at Gartner Group. She suggests the FFIEC needs to issue an FAQ and restate "the good, core principles of their guidance."

Security and privacy expert Rebecca Herold says the guidance needs more detailed instructions, with examples, so that it is easier to understand. "The guidance that was provided made sense," she says, "but it was too high-level for many small- to medium-sized banks to be able to actually implement with their lack of staff and expertise available to do such implementations."

Needed: Non-Prescriptive Approach

Security experts agree that it is best for regulators to stay out of the business of prescribing specific technologies or approaches. According to Tom Wills, a senior analyst at Javelin Strategy and Research, a "non-prescriptive" approach is best. The reason: Regulators, by nature, are always going to be behind the curve in enacting mandatory security controls.

The 2005 FFIEC guidance was basically obsolete by the time it was widely implemented, Wills says, and new attacks will continue to evolve at lightning speed compared to the "snail's pace" at which regulators work.

"A voluntary approach by the banks, based on total risk management, would be the most effective way to assure the security of online banking," Wills says. "I think the regulators should focus more on assigning liabilities than prescribing technical controls."

In the end, a non-prescriptive approach may be the only solution that regulators could offer financial institutions because of the wide range of sizes and sophistication among the thousands of banks and credit unions in the country. The idea of "one-size-fits-all" doesn't work well in the financial services industry, says David Navetta, an attorney specializing in information security and privacy law.

Faces of Authentication

The protection of online banking accounts is best done by using a layered approach to authentication. This approach is only just beginning to be seen in the marketplace, says Javelin's Wills. The layered approach to authentication should build on the FFIEC minimum of user name and password plus an additional factor that can include the following approaches:

Reader Question: What should be included in any new guidance on strong authentication?
"Definitely more concrete guidance on how to prevent fraud on all levels of online business.