
Daily Deposit
FFIEC Authentication Security Checklist
September 2011 – Vol: 34 No. 9
Contributed by SafeNet

Consider these items—and questions—as you work on your CU’s security posture

September 23, 2011

In June 2011, the Federal Financial Institutions Examination Council published its “Supplement to Authentication in an Internet Banking Environment.” This supplement represents the long-awaited update to the organization’s authentication guidelines, first published in 2005.

Written for financial services organizations that offer Internet-based products and services to their customers, these authentication guidelines represent a critical framework for promoting security in e-banking. The supplement underscores the need for financial institutions to perform risk assessment and implement strategies for addressing the risks identified. In addition, it stresses the need to raise customer awareness of the potential risks in e-banking. In January 2012, FFIEC examiners will be formally assessing financial institutions’ adherence to these new guidelines.

The following checklist outlines some of the fundamental requirements of the new supplement, and offers key questions that security teams should consider as they set out to address these guidelines—and most effectively strengthen their organization’s security posture.

Risk Level

Goal: To address transaction threat models by effectively aligning the authentication strategy with the needs of banking customers and the level of risk associated with customers’ transactions.

  • Are there mechanisms in place that effectively guard against man-in-the-browser and man-in-the-middle attacks, as well as advanced persistent threats?
  • Do the authentication perimeters in place accommodate increased online transactions and services, while ensuring optimal protection?
  • Do the authentication measures in place appropriately map to the use case and risk level, so they don’t have a negative impact on the user experience?
  • Are the cryptographic keys at the heart of the e-banking application adequately protected against theft or manipulation?

Assessment

Goal: To ensure systems and policies are in place that enable frequent auditing and monitoring of the e-banking environment.

  • Are audits being conducted on a consistent basis, multiple times a year?
  • Is a management system in place to validate the authentication of users trying to conduct online transactions?
  • Is there a centralized system for administering the complex, heterogeneous e-banking environment that will accommodate frequent and expedited system assessments?
  • Are policies in place to control who is allowed administrative and operational access to authentication systems, as well as to enforce policies surrounding transaction frequency and time-of-day restrictions?

Layered Security

Goal: To build an e-banking infrastructure that protects not only the identity but also the transaction and that is adaptable to evolving business needs and threat models.

  • Does the authentication verification mechanism map to the transaction being conducted and the associated risk level?
  • Is there a secure system in place that protects the application itself, and that verifies the transaction and identities of users?
  • Are multiple mechanisms in place to validate and safeguard the entire transaction, from transaction request through to transaction processing and data storage?
  • Are the cryptographic keys used to validate the transaction being protected in hardware?
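Two of the questions above, mapping the authentication mechanism to the transaction and its risk level (Layered Security) and enforcing transaction-frequency and time-of-day restrictions (Assessment), describe a policy engine that sits in front of the transfer workflow. The following is an added illustration written for this article, not SafeNet product code and not text from the FFIEC supplement: the risk weights, the three authentication levels, the per-customer limits and the sample transactions are all constructed assumptions. It checks the hard operational limits first, then computes a risk score from amount, payee familiarity and device trust, and refuses the transfer unless the authentication the customer actually presented is at least as strong as the level the score demands.

```python
"""Risk-based (step-up) authentication policy for e-banking transfers.

Added example; thresholds, weights and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Dict, List, Tuple


class AuthLevel(IntEnum):
    """Authentication strength the policy can demand, weakest to strongest."""
    PASSWORD = 1             # single factor
    OTP = 2                  # password plus a one-time code (second factor)
    SIGNED_TRANSACTION = 3   # second factor bound to amount and payee, so a
                             # browser-side change to those fields breaks the
                             # signature (what-you-see-is-what-you-sign)


@dataclass
class Transaction:
    user_id: str
    amount: float
    payee_known: bool       # payee previously used by this customer
    device_trusted: bool    # device previously enrolled/recognised
    timestamp: datetime


@dataclass
class UserPolicy:
    """Per-customer operational limits (assumed values for the example)."""
    daily_limit: float = 5000.0
    max_transfers_per_day: int = 5
    allowed_hours: range = range(6, 22)   # transfers permitted 06:00-21:59 local


class PolicyEngine:
    def __init__(self) -> None:
        self.policies: Dict[str, UserPolicy] = {}
        self.history: Dict[str, List[Transaction]] = {}

    def _recent(self, user_id: str, now: datetime) -> List[Transaction]:
        """Transactions accepted for this user in the trailing 24 hours."""
        since = now - timedelta(days=1)
        return [t for t in self.history.get(user_id, []) if t.timestamp > since]

    @staticmethod
    def risk_score(tx: Transaction) -> int:
        """Additive risk score; the weights are assumptions, not FFIEC figures."""
        score = 0
        if tx.amount >= 10000:
            score += 4
        elif tx.amount >= 1000:
            score += 2
        if not tx.payee_known:
            score += 2
        if not tx.device_trusted:
            score += 2
        return score

    @classmethod
    def required_auth(cls, tx: Transaction) -> AuthLevel:
        """Map the risk score to the authentication strength demanded."""
        score = cls.risk_score(tx)
        if score >= 4:
            return AuthLevel.SIGNED_TRANSACTION
        if score >= 2:
            return AuthLevel.OTP
        return AuthLevel.PASSWORD

    def evaluate(self, tx: Transaction, presented: AuthLevel) -> Tuple[bool, str]:
        """Hard limits first, then the risk-derived step-up check.

        Returns (allowed, reason). Accepted transfers are recorded so the
        frequency and daily-amount checks see them on later calls.
        """
        policy = self.policies.get(tx.user_id, UserPolicy())
        recent = self._recent(tx.user_id, tx.timestamp)
        if tx.timestamp.hour not in policy.allowed_hours:
            return False, "outside permitted hours"
        if len(recent) + 1 > policy.max_transfers_per_day:
            return False, "daily transfer count exceeded"
        if sum(t.amount for t in recent) + tx.amount > policy.daily_limit:
            return False, "daily amount limit exceeded"
        needed = self.required_auth(tx)
        if presented < needed:
            return False, f"step-up required: {needed.name}"
        self.history.setdefault(tx.user_id, []).append(tx)
        return True, "accepted"


def demo() -> List[Tuple[bool, str]]:
    """Constructed sample transfers for one customer on one day."""
    engine = PolicyEngine()
    day = datetime(2011, 9, 23)
    cases = [
        (Transaction("alice", 50.0, True, True, day.replace(hour=10)), AuthLevel.PASSWORD),
        (Transaction("alice", 2500.0, False, True, day.replace(hour=11)), AuthLevel.OTP),
        (Transaction("alice", 2500.0, False, True, day.replace(hour=11)), AuthLevel.SIGNED_TRANSACTION),
        (Transaction("alice", 100.0, True, True, day.replace(hour=23)), AuthLevel.OTP),
        (Transaction("alice", 3000.0, True, True, day.replace(hour=12)), AuthLevel.OTP),
    ]
    return [engine.evaluate(tx, level) for tx, level in cases]


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

The ordering matters: a transfer that breaches a hard limit is refused before any authentication challenge is issued, so an attacker who has already captured one factor learns nothing about which step-up would have been demanded. The signed-transaction level is the one that addresses the man-in-the-browser question in the Risk Level section, because a second factor computed over the amount and payee cannot be replayed against a tampered transaction the way a plain one-time code can.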

Financial services institutions will be well served by leveraging the core concepts found in the FFIEC’s supplementary authentication guidelines for e-banking. Principles in the supplement, such as adopting a multi-layered security approach and aligning authentication methods with the level of risk, represent solid best practices that form the basis of a well-conceived security infrastructure. However, these principles need to be interpreted and implemented within the context of dynamic banking environments and evolving threat landscapes. Consequently, financial services institutions need to build agility and optimal security into their infrastructures, so they can go beyond current guidelines and ensure they are well-protected against emerging threats.

Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data, and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their information security needs to SafeNet.