The FFIEC (Federal Institutions Examination Council) issues guidelines for online banking which is followed by all the major regulatory agencies such as the FDIC, OCC, OTS, NCUAA and others. If you don't know who the FFIEC is then you probably wont find this article very interesting. If you do know who the FFIEC is, then you are probably aware the FFIEC has just released (June 28th) new guidance for financial institutions regarding Authentication in an Internet Banking Environment. This article discusses the new guidance and offers some insight on the supplement.
GUIDANCE OVERDUE
This new supplement is the first update since October 2005. In Internet time 6 years is the equivalent of a lifetime, so some new guidance was long overdue. Since then the threat level has significantly increased with the sophistication of the attacks reaching a very high level of advancement (Think Zeus or the software hacking kits now available to the less talented hackers). The hackers have also become organized crime gangs that work together to sell credentials and share technology. The number of online users has also significantly increased since 2005 with online banking having gained major acceptance which increases the threat pool size. Additionally, the type of devices or channels such as smart phones and tablets did not even exist in 2005. The iPhone was not even released until June 2007 followed by the iPad in Jan, 2010 which started the revolution.
WHAT DOES THE NEW SUPPLEMENT SAY
The 12 page supplement offers the increased threat level as the reason for the update discussing organized crime groups, root kits and malware. I do find amusing the understated sentence:
The Agencies are concerned that customer authentication methods and controls implemented in conformance with the Guidance several years ago have become less effective.Less effective should be changed to nearly useless. The document also fails to mention mobile banking or any of the new devices as a concern.
The new guidance reiterates the importance of performing a risk assessment and updating it when new information becomes available, when implementing new electronic financial services or at least once a year.
As a part of the risk assessment the FFIEC expresses particular concern over business/commercial banking due to the higher use of ACH and Inter-Bank transfers along with higher frequency and dollar amounts. There is a specific recommendation to use multi-factor authentication for business banking.
Not only is the risk assessment critical to identifying the threats, risks and controls but it is the key to understanding where a bank should spend their money. Given the high volumes of transactions a great part of the science and art of implementing new security technology is where and when to apply it. Too much and it can be very expensive. Too little and you can compromise your controls and render it ineffective. These are the hardest decisions to get right when enforcing security policy.
The guidance goes on to discuss the benefits of layered security, enforcing the idea that putting up a big steel front door as a complete security solution as flawed. It specifies that a layered program must contain at a minimum the ability to detect and monitor to suspicious activity and control of administrative functions.
I think they do a really good job here of pointing out that they have looked in depth at numerous previous incidents and determined that much of it could have been prevented by simply applying existing technology that would have flagged and stopped many ACH\WIre transactions as anamolous. I realize that they would never dare to make an estimate on how many or much this one control could have prevented or saved. It could provide benefit to all of us to have an idea.
This is true for many other controls as well. While the level of attacks has become more sophisticated many attacks would not have succeeded had some additional basic controls be put in place.
The supplement goes on to discuss the effectiveness of certain authentication techniques. It rightfully calls out the obvious that using a cookie to stamp a device as verified as inadequate since the cookie can easily be copied. The recommendation here is to use more sophisticated device identification as signatures.
Challenge questions are also addressed as ineffective especially as a back door for some forgot password or similar scenario. These type of questions can be compromised by the same keyloggers that capture authentication credentials or be easily defeated by someone who knows the target or is easily discovered online through social media or other sources. The "Out of Wallet" questions are offered as an alternative which typically uses credit or other less available data to construct questions. While this is more difficult it is also easily defeated by anyone willing to pay for the data. The best part of this for me would be the elimination of the silly and irritating questions that you are forced to answer by almost all banks. It backs up my long standing complaint that this only enhances the appearances of security while providing little benefit to the user and actually inflicts pain instead. Could those silly questions finally go away someday?
The guidance ends with a discussion on a customer awareness and education program. What stood out here for me in this section was that the financial institution suggest to its commercial customers to conduct their own risk assessments. For most small to medium businesses this is not practical. Most people do not know how to conduct a risk assessment or have the time. Maybe a clever bank could come up with an online simplified process to walk then through some questions to make it feasible.
THE APPENDIX
The most interesting part is the Appendix which provides narratives on the threats and potential controls that are available today. Here they further discuss transaction monitoring capability, out of band authentication, malware and layered security. While interesting I would hope that the risks and controls discussed in this section are not news to any of the security people at the bank.
Opinion
Overall I would give the new guidance a B. They loose a grade alone for not at least mentioning mobile banking and the new devices. They also waited way too long to provide guidance since so much has changed.
But that is not the important part. I believe that the guidance is often misunderstood as to its purpose. I use the word purpose because it is the first section in the document. I often read and hear that it does not go far enough in providing more guidance, discussing the threats or recommending controls. I have heard the comment many times that regulators will tell you a control is inadequate but won't tell you what you should do to fix it.
I believe the intent is to only provide high level guidance and not to recommend specific solutions or hard requirements. And lets face it, they couldn't do that if they wanted since there is no single answer and every situation is different. Any in depth details would quickly become obsolete since the threat and technology changes so quickly.
Given that criteria, I believe the new guidance does a good job of providing guidance and increasing the expected level of security in future audits.
Most importantly, I would argue that any financial institution that relies on this guidance as a basis for a security strategy is in trouble. An institution must take it on itself through hiring or security consulting experts to guide the strategy and implementation. I see too many banks satisfied that they are meeting the 2005 guidelines.
As mentioned before, I believe that the FFIEC waited way too long in releasing an update. Not only because even high level guidance can quickly become obsolete but because it sends a message in apathy. If a bank must perform a security assessment once a year then the guidance should be updated at least once a year. Doesn't hacking present a threat to our commerce and therefore our economy?(check out link at end about viruses have become new 21st century weapon) Why give the banks any additional reasons to delay strengthening their security?
You can read the new FFIEC guidlines here
Scary story about viruses as the new 21st century weapon
No comments:
Post a Comment