The long-awaited update to the US Federal Financial Institutions Examination Council (FFIEC) guidelines around authentication has been released.
The supplement specifically speaks to the widespread scourge of corporate bank account takeovers.
Over the last several years, US organisations have lost hundreds of millions of dollars because their accounts were hijacked by adversaries to steal funds by initiating fraudulent ACH transactions or wire transfers.
The guidance directs financial institutions conducting "high-risk transactions" to implement a layered security approach to mitigate the threat.
"Layered security is characterised by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control," the supplement says.
Options include fraud detection and monitoring systems that flag suspicious transactions; dual customer authorisation, meaning two employees have to sign off on a transaction before it can be completed; out-of-band verification, in which the bank contacts the customer directly to confirm the transaction; and "positive pay," a process by which customers send banks an approved list of payees.
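To make the "layered" idea concrete, the following added example (not from the supplement or any vendor named here) models the four controls above as independent checks on a business payment; the payee list, thresholds and sample payments are constructed for illustration.

```python
"""Layered approval of a business payment: positive pay, dual authorisation,
out-of-band confirmation and simple transaction monitoring evaluated together,
so a gap in one control is still caught by another."""
from dataclasses import dataclass, field


@dataclass
class Payment:
    payee: str
    amount: float
    approvers: set = field(default_factory=set)  # employee IDs who signed off (set: same person twice counts once)
    oob_confirmed: bool = False                   # customer confirmed through a separate channel


@dataclass
class Policy:
    approved_payees: set          # "positive pay" list supplied by the customer
    dual_auth_threshold: float    # amounts at or above this need two distinct approvers
    oob_threshold: float          # amounts at or above this need out-of-band confirmation
    daily_average: float          # baseline for anomaly monitoring
    anomaly_factor: float = 5.0   # flag amounts more than this multiple of the baseline


def evaluate(p: Payment, pol: Policy) -> list:
    """Return the list of control failures; an empty list means the payment may proceed.
    Every layer is checked, so the caller sees all failures rather than the first one."""
    failures = []
    if p.payee not in pol.approved_payees:
        failures.append("positive_pay: payee not on approved list")
    if p.amount >= pol.dual_auth_threshold and len(p.approvers) < 2:
        failures.append("dual_auth: requires two distinct approvers")
    if p.amount >= pol.oob_threshold and not p.oob_confirmed:
        failures.append("out_of_band: customer confirmation missing")
    if p.amount > pol.anomaly_factor * pol.daily_average:
        failures.append("monitoring: amount far above daily baseline")
    return failures


# Constructed sample policy and payments for a small business account.
SAMPLE_POLICY = Policy(approved_payees={"ACME Supplies", "Payroll Co"},
                       dual_auth_threshold=10_000, oob_threshold=50_000, daily_average=8_000)
ROUTINE = Payment("ACME Supplies", 2_500, {"emp1"})
# A takeover-style payment: new payee, large amount, one person "approving" twice, no callback.
SUSPECT = Payment("New Vendor LLC", 75_000, {"emp1", "emp1"})

if __name__ == "__main__":
    print(evaluate(ROUTINE, SAMPLE_POLICY))   # []
    print(evaluate(SUSPECT, SAMPLE_POLICY))   # four failures, one per layer
```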
"Airport security very rapidly evolved after 9/11," said Tim Sutton, CEO of PhoneFactor, which makes technology that verifies transactions through automated phone calls.
"We expect the same transformation to occur with online banking. In a relatively short period of time, we will no longer be able to bank online by simply entering a username and password."
Gartner vice president Avivah Litan said the amended guidelines will go a long way to educating banks that no single method can be trusted.
"If everyone implemented it today, I really do think it would prevent most of the fraud in the online channel," she said.
"If you really use the layered security approach and stay progressive, you can keep most of the hackers out. Most don't have the capabilities to get through all of those layers."
The guidance poked holes in commonly trusted multi-factor authentication techniques, such as challenge questions and device identification, which can do little to stop an attacker who performs simple internet searches or uses advanced malware to take control of a victim's browser.
Meanwhile, the guidance also instructs banks to institute user awareness programs for both consumers and business customers. In almost all cases of corporate bank account takeover, the attackers do not infiltrate the bank's network, but instead target the individual business.
Doug Johnson, vice president of risk management policy at the American Bankers Association, which represents institutions that hold about 95 percent of US banking assets, said many of its largest members already should have the recommended controls in place.
The smaller, community banks must implement the most change, as will the third-party providers that many banks rely on to host their online portals, Johnson said.
But he said he hasn't heard much complaining, and members were pleased to see the guidance move away from a focus on two-factor authentication (as was contained in the draft) to a concentration in the final version on more cost-friendly, and possibly more effective, controls.
"We tend to love the bells and whistles, when sometimes the standard blocking and tackling can actually save the day," Johnson said.
Aite Group senior fraud and risk analyst Julie McNelley said it is helpful when guidance does not recommend specific solutions.
"If you say you have to deploy X, Y and Z technologies, you're giving the attackers a road map of defenses to breach," she said.
Still, experts interviewed said the guidance failed to address other areas within the banking environment that could see upticks in fraud, including call centers and mobile devices.
"Hopefully we don't have to wait six years for these to get updated again," McNelley said.