Federal banking regulators today released a long-awaited supplement to the 2005 guidelines that describe what banks should be doing to protect e-banking customers from hackers and account takeovers. Experts called the updated guidance a step forward, but were divided over whether it would be adequate to protect small to mid-sized businesses against today’s sophisticated online attackers.
The new guidance updates “Authentication in an Internet Banking Environment,” a document released in 2005 by the Federal Financial Institutions Examination Council (FFIEC) for use by bank security examiners. The 2005 guidance has been criticized for being increasingly irrelevant in the face of current threats like the password-stealing ZeuS Trojan, which can defeat many traditional customer-facing online banking authentication and security measures. The financial industry has been expecting the update since December 2010, when a draft version of the guidelines was accidentally leaked.
The document released today (PDF) recognizes the need to protect customers from newer threats, but stops short of endorsing any specific technology or approach. Instead, it calls on banks to conduct more rigorous risk assessments, to monitor customer transactions for suspicious activity, and to work harder to educate customers — particularly businesses — about the risks involved in banking online.
“Fraudsters have continued to develop and deploy more sophisticated, effective, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers’ online accounts,” the FFIEC wrote. “Rapidly growing organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls.”
The 2005 guidelines drew little distinction between precautions a bank should take to protect consumer and commercial accounts, but the supplement makes clear that online business transactions generally involve much higher level of risk to financial institutions and commercial customers. It calls for “layered security programs” to deal with these riskier transactions, such as:
-methods for detecting transaction anomalies;
-dual transaction authorization through different access devices;
-the use of out-of-band verification for transactions;
-the use of “positive pay” and debit blocks to appropriately limit the transactional use of an account;
-”enhanced controls over account activities,” such as transaction value thresholds, payment recipients, the number of transactions allowed per day and allowable payment days and times; and
-”enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.”
The FFIEC said that, at a minimum, a layered security program should be designed to detect strange or unusual behavior when the customer is logging in to the system, and when initiating electronic transfers to third parties. One pattern of activity that was common in almost every corporate account takeover I’ve written about has been the addition of multiple new “employees” to the victim organization’s payroll account prior to fraudulent transfers.
“Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior.”
Avivah Litan, a fraud analyst at Gartner Inc., said the guidance is silent on the role of bank service providers like Fiserv, Jack Henry and Digital Insight. Most smaller institutions outsource a portion – if not all – of the oversight of their customers’ daily transactions to one of about a dozen third-party service providers. Many of these providers have been criticized for being slow to offer or market services that would let banks detect the types of transaction anomalies described by the FFIEC.
Litan estimates that between 70 and 80 percent of banking institutions in the United States outsource at least some of their visibility into customer transactions to service providers.
“If you’re a small bank that has outsourced most of this to a service provider, what are you supposed to do, demand that the provider implement these guidelines?” Litan asked. “What’s worse is that the [FFIEC guidelines] haven’t been aggressively enforced by the examiners at the service provider level, and the service providers need to be front and center in the spotlight.”
Litan said it was good that the FFIEC said banks should not rely solely on technologies and approaches that have shown to be particularly ineffective against today’s malware, such as “challenge questions” and methods designed to profile the customer’s computer by using some unique identifier. But she said it was disappointing that the regulators didn’t discourage banks from using these technologies altogether.
“This is a political document — it’s very wish-washy — you can tell they’re trying to balance the demands of the banking lobbyists and protect the safety of accounts,” Litan said. “But they got the overall principles right: banks should perform regular risk assessments, adopt a layered approach, and look for anomalous activity and not expect their customers to spot that.”
Sari Greene, president of South Portland, Maine consultancy Sage Data Security, said the guidelines may seem like common sense no-brainers to security experts.
“I think you have to frame the discussion of what’s in this document in the context of its intended audience, which is folks in the banking community and risk management at those institutions,” Greene said. “To that end, I think it does a pretty good job of delivering the message that this is a cat-and-mouse game and you have to be continually reassessing the risk.”
Although the 2005 guidance required banks to conduct only “periodic” risk assessments, Greene said, this updated document says institutions must reassess whether their security is adequate whenever they offer new electronic banking services, when substantially new threats arise, or at least every 12 months.
Greene said the updated guidance doesn’t give a free pass to banks that outsource security to service providers. “I think the guidance speaks to the notion that you can use service providers, but that the onus is still on you, the institution, to absorb the risk for those transactions,” she said.
Greene added that the most important part of the FFIEC’s guidelines is that bank examiners will have more leverage in deciding whether financial institutions are doing enough to protect their customers.
“The important thing is the ammunition they’re giving to bank examiners,” Greene said. “Those examiners now have a lot more information to work with when doing their exams and holding banks accountable.”