September 22, 2011
Credit Union Management magazine’s Web-only “On Compliance” column runs the fourth Thursday of each month.
As attacks targeting online banking applications grow more sophisticated and more frequent, financial institutions need to strengthen their defenses. In response to these changing demands, the Federal Financial Institutions Examination Council released revised security guidelines for secure banking authentication on June 28.
Given the frequency of breaches making headlines, it’s clear that, as consumers, none of us is immune. The risks grow for high-wealth consumers and corporate banking accounts, whose large resources and transaction volumes make them even more lucrative, and thus frequent targets for criminals. Given the increase in malware and high-profile breaches, it is worth assessing the FFIEC guidelines to ensure your credit union is covered.
What the FFIEC guidance covers:
In its “Supplement to Authentication in an Internet Banking Environment,” the FFIEC addresses two very important issues.
First, the agencies have established that not all banking customers are created equal. Financial services customers are quite diverse in both profile and activity, which results in varying risk levels and threat vectors, and thus the FFIEC sets out its requirement for establishing different risk mitigation approaches and protection methods based on different customer activities and risk levels.
Second, the FFIEC’s recent supplement addresses, at least in theory, the proper security strategy and scheme to combat advancing threats and fraud: a layered security approach. By approaching security in layers, financial organizations can align their protection so that if attackers manage to find a vulnerability in one of the authentication methods, other methods can in most cases still serve to protect customers, even though that one layer is breached.
What the FFIEC guidance doesn’t cover:
While the FFIEC guidelines are an important step in the right direction, they still do not provide solid risk mitigation options for man-in-the-browser attacks. MitB attacks appeared on the radar of the banking industry in late 2009, almost two years ago, and this attack is still going strong today. To guard against MitB and man-in-the-middle attacks, businesses should deploy transaction security mechanisms for ensuring that users conducting transactions are, in fact, who they claim to be.
As a first line of defense, strong, multi-factor authentication is a critical requirement for verifying users’ identities before they can access financial services portals. Once users have been authenticated, additional safeguards need to be employed before transactions are conducted. Even if the identity of a user is validated, the transaction that ultimately is executed may still be unauthorized or fraudulent.
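To make the point in the two paragraphs above concrete, here is an added illustration (not from the column or from SafeNet) of a transaction-level safeguard that a layered scheme can put behind login authentication: the confirmation code the user supplies is computed over the payee and amount the user actually sees, so a transaction altered in the browser no longer matches the code. The HMAC construction, the field names and the token secret are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Per-user secret that the institution would provision out-of-band (for
# example inside a hardware token or an enrolled mobile app). Constructed
# here for the demonstration only.
USER_TOKEN_SECRET = secrets.token_bytes(32)


def canonical(tx):
    """Serialize exactly the fields the user must see and confirm.
    The nonce stands in for a server-issued, single-use challenge."""
    return f"{tx['payee']}|{tx['amount_cents']}|{tx['nonce']}".encode()


def confirmation_code(secret, tx):
    """Code computed on the user's token from the transaction it displays.
    Because payee and amount are inputs, a code issued for one transaction
    cannot be replayed to authorize a different one."""
    digest = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 10**8  # 8-digit code


def server_accepts(secret, submitted_tx, code):
    """Bank side: recompute the code over the transaction actually received,
    not over what the user believes was sent."""
    expected = confirmation_code(secret, submitted_tx)
    return hmac.compare_digest(f"{expected:08d}", f"{code:08d}")


def mitb_scenario(secret):
    """The user confirms an intended payment; browser-resident malware then
    rewrites payee and amount before submission. Returns (legitimate accepted,
    altered accepted) so the difference in outcome is visible."""
    intended = {"payee": "ACME-12345", "amount_cents": 25_000, "nonce": "c1"}
    code = confirmation_code(secret, intended)  # produced on the token
    altered = dict(intended, payee="MULE-99999", amount_cents=950_000)
    return (server_accepts(secret, intended, code),
            server_accepts(secret, altered, code))


if __name__ == "__main__":
    print(mitb_scenario(USER_TOKEN_SECRET))  # (True, False)
```

The check only helps if the token displays the payee and amount it signs over; a code generated from a blind challenge would confirm the altered transaction just as readily.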
In addition, the updated FFIEC regulations speak more in concept and guiding principle, remaining on the surface of the real challenges faced by financial institutions today. This may create confusion for security officers looking for definitive answers. An example of this: The FFIEC guidance lacks detail around specific attack vectors. More detail is provided for attack vectors and mandated as part of the PCI-DSS Security Council requirements. While the new FFIEC document may help financial organizations get a good view of the “forest,” they need the view of the “trees” as well, if they are to effectively plan a security strategy in today’s extremely complex and threat-heavy environment.
Another area of concern that is not currently covered by the latest FFIEC guidelines is how best to address virtual environments. This is especially important to small and regional community banks that cater mainly to businesses, which tend to have high risk profiles and intense security requirements compared to consumer clientele. These financial institutions often use service providers or a cloud-based approach for their e-banking services. With the wide deployment of cloud and virtualized infrastructures, including guidance similar to the recently released PCI-DSS 2.0 Virtualization Guidelines would be valuable to financial services organizations as well.
Best Practices Plus
Financial services organizations will be well-served by leveraging the core concepts found in the FFIEC’s supplementary authentication guidelines. Principles covered in the supplement, such as adopting a multi-layered security approach and aligning authentication methods with the level of risk, represent solid best practices that form the basis of a well-conceived security strategy.
However, these principles need to be interpreted and implemented within the context of dynamic banking environments and evolving threat landscapes. Consequently, financial services institutions should look to build agility and optimal security strategies and schemes, so they can go beyond guidelines to ensure that they are well-protected against emerging threats and future business and user demands.
Andrew Young is VP/product management at SafeNet. He is responsible for setting the strategic direction of SafeNet’s commercial and government-related authentication products.