June 29, 2011

Federal banking regulators today released a long-awaited supplement to the 2005 guidelines that describe what banks should be doing to protect e-banking customers from hackers and account takeovers. Experts called the updated guidance a step forward, but were divided over whether it would be adequate to protect small to mid-sized businesses against today’s sophisticated online attackers.

The new guidance updates “Authentication in an Internet Banking Environment,” a document released in 2005 by the Federal Financial Institutions Examination Council (FFIEC) for use by bank security examiners. The 2005 guidance has been criticized for being increasingly irrelevant in the face of current threats like the password-stealing ZeuS Trojan, which can defeat many traditional customer-facing online banking authentication and security measures. The financial industry has been expecting the update since December 2010, when a draft version of the guidelines was accidentally leaked.

The document released today (PDF) recognizes the need to protect customers from newer threats, but stops short of endorsing any specific technology or approach. Instead, it calls on banks to conduct more rigorous risk assessments,  to monitor customer transactions for suspicious activity, and to work harder to educate customers — particularly businesses — about the risks involved in banking online.

“Fraudsters have continued to develop and deploy more sophisticated, effective, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers’ online accounts,” the FFIEC wrote. “Rapidly growing organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls.”

The 2005 guidelines drew little distinction between precautions a bank should take to protect consumer and commercial accounts, but the supplement makes clear that online business transactions generally involve much higher level of risk to financial institutions and commercial customers. It calls for “layered security programs” to deal with these riskier transactions, such as:

-methods for detecting transaction anomalies;

-dual transaction authorization through different access devices;

-the use of out-of-band verification for transactions;

-the use of “positive pay” and debit blocks to appropriately limit the transactional use of an account;

-“enhanced controls over account activities,” such as transaction value thresholds, payment recipients, the number of transactions allowed per day and allowable payment days and times; and

-“enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.”

The FFIEC said that, at a minimum, a layered security program should be designed to detect strange or unusual behavior when the customer is logging in to the system, and when initiating electronic transfers to third parties. One pattern of activity that was common in almost every corporate account takeover I’ve written about has been the addition of multiple new “employees” to the victim organization’s payroll account prior to fraudulent transfers.

“Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior.”

Avivah Litan, a fraud analyst at Gartner Inc., said the guidance is silent on the role of bank service providers like Fiserv, Jack Henry and Digital Insight. Most smaller institutions outsource a portion – if not all – of the oversight of their customers’ daily transactions to one of about a dozen third-party service providers. Many of these providers have been criticized for being slow to offer or market services that would let banks detect the types of transaction anomalies described by the FFIEC.

Litan estimates that between 70 and 80 percent of banking institutions in the United States outsource at least some of their visibility into customer transactions to service providers.

“If you’re a small bank that has outsourced most of this to a service provider, what are you supposed to do, demand that the provider implement these guidelines?” Litan asked. “What’s worse is that the [FFIEC guidelines] haven’t been aggressively enforced by the examiners at the service provider level, and the service providers need to be front and center in the spotlight.”

Litan said it was good that the FFIEC said banks should not rely solely on technologies and approaches that have shown to be particularly ineffective against today’s malware, such as “challenge questions” and methods designed to profile the customer’s computer by using some unique identifier. But she said it was disappointing that the regulators didn’t discourage banks from using these technologies altogether.

“This is a political document — it’s very wish-washy — you can tell they’re trying to balance the demands of the banking lobbyists and protect the safety of accounts,” Litan said. “But they got the overall principles right: banks should perform regular risk assessments, adopt a layered approach, and look for anomalous activity and not expect their customers to spot that.”

Sari Greene, president of South Portland, Maine consultancy Sage Data Security, said the guidelines may seem like common sense no-brainers to security experts.

“I think you have to frame the discussion of what’s in this document in the context of its intended audience, which is folks in the banking community and risk management at those institutions,” Greene said. “To that end, I think it does a pretty good job of delivering the message that this is a cat-and-mouse game and you have to be continually reassessing the risk.”

Although the 2005 guidance required banks to conduct only “periodic” risk assessments, Greene said, this updated document says institutions must reassess whether their security is adequate whenever they offer new electronic banking services, when substantially new threats arise, or at least every 12 months.

Greene said the updated guidance doesn’t give a free pass to banks that outsource security to service providers. “I think the guidance speaks to the notion that you can use service providers, but that the onus is still on you, the institution, to absorb the risk for those transactions,” she said.

Greene added that the most important part of the FFIEC’s guidelines is that bank examiners will have more leverage in deciding whether financial institutions are doing enough to protect their customers.

“The important thing is the ammunition they’re giving to bank examiners,” Greene said. “Those examiners now have a lot more information to work with when doing their exams and holding banks accountable.”


26 thoughts on “Regulators Issue Updated eBanking Security Guidelines

  1. Louis Leahy

    When we tried to put our solution before the American Banking Association for their members to consider their suggestion was that we pay them $30,000. As a small start-up we could not possibly justify such expenditure. Given they have erected such barriers to communications it is unsurprising that their industry is failing to identify new technologies to assist in meeting the increasing regulatory and compliance obligations being imposed necessarily to try to protect unsuspecting consumers.

  2. emv x man

    Too little, too late… when will we wake up to the fact that the only thing that drives bankers is the size of their bonuses (summed up as too much, too soon).

  3. Kim Bruck

    Validation of the actual transactions in the ACH file is KEY – monitoring users, behavior cannot detect if the file has been manipulated. The fraudsters are “watching” corporates and able to beat the behavior monitoring.

    ACH ALERT offers the ONLY product (patent pending) that is doing this!

    1. Yar

      While validating the batches at a transaction level is one effective layer of security, it is not the only effective solution. There are also several other vendors which already do this, but your shameless plug is noted.

  4. John

    What we have here is a joke of a document. It does not really address the issue. I guess the sad part is it takes a government issued document to get banks to do what I have been preaching for years. But my favorite line is:
    “The important thing is the ammunition they’re giving to bank examiners,” Greene said. “Those examiners now have a lot more information to work with when doing their exams and holding banks accountable.”
    Really. Examiners have no clue about technology. That has been part of the problem.

    1. Helly

      I also found it interesting that they provided no specific time by which this needs to be implemented. So how are examiners going to hold a bank responsible when its unclear when this must be implemented by?

      My hope though is that by clearing up some definitions and providing better clarity they are providing a better framework for law suits from compromised customers. Not that I agree with a litigious society necessarily, but it does provide banks with a financial incentive to push beyond vague guidance.

      1. Sari Greene

        Helly,

        In the accompanying memo cited January 2012 for enforcement.
        http://www.fdic.gov/news/news/press/2011/pr11111.html

        “The FFIEC member agencies will continue to work closely with financial institutions to promote security in electronic banking and have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012. “

      2. time2bsmart

        One of the most difficult things for a financial institution to do it make customers take care of and be aware of security issues. Customers regularly decide it isn’t important to even do something as simple as change a password frequently or keep information secure and then the financial institution is supposed to make things secure for them. Some of these things will happen no matter how secure things are because criminals keep working at it, but sometimes you cannot protect people from themselves when they aren’t security conscious.

    2. Sari Greene

      John

      This isn’t about technology per se. It is about setting the expectation that institutions will be held responsibile for continually reassessing the environment and that they must have multiple layers of controls including (but not limited to) authentication, authorization, monitoring and customer education.( The previous guidence only focused on authentication.)

      Sari

      Sari

  5. KathyB

    The bank where I work (small community-based bank) doesn’t automatically process ACH requests received online. Every request is reviewed by an employee in Operations prior to processing and the customer contacted if there is a question. We have had a few business customers infected by ZeuS however not a single cent has been lost since our Ops personnel are on the ball and managed to thwart attempts to rob our customers. If ZeuS infected machines can throw a man-in-the-middle to empty an account, banks can do the same thing to protect their customers. We’ve been very lucky thus far…

    1. Cherry

      The FFIEC should take everything your bank is doing and make that the “standard”.

      Kudos to your organisation.

      1. Helly

        Turns out, you weren’t the only one thinking that:

        “Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring/anomaly detection could have assisted in preventing many fraudulent money transfers as they were clearly out of the ordinary when compared with the customer’s established patterns of behavior.”

        Didn’t see this quoted in the article above in full, apologies if it was 🙂

    2. JBV

      Your bank’s solution works well for small-business accounts, but the manpower cost for monitoring a large business account, e.g., one with a thousand-person payroll, would be exorbitant if the bank relied on employees’ personally reviewing each and every ACH transaction. Banks that handle such large-volume transfers need to install automated monitoring, as the Guidelines recommend.

      1. Yar

        I agree. The labor requirements to perform this type of out-of-band authentication are extreme, and even then it isn’t completely reliable.

        We had a customer whose phone was compromised. The fraudster simply called the phone company and requested that the phone number be forwarded to their cell phone. Whenever the phone rang, they answered it to verify the information.

        The phone company did not require any kind of verification of identity, and the fraudster had all kinds of information about the user and the account. We caught on pretty quick and no money was taken, but the threat was there.

        The FI I work for is looking at a combination of several solutions, including transaction analytics which would review all ACH and wires transactions against the company’s history to watch for irregularities and anomalies. If they were found, we would then use out-of-band communication to find out if the changes are legitimate. This is just the beginning of what we are doing. Our wires customers also have unique codes which are requested verbally to authorize any wire during callback, and this code was mailed to the user. The only time it is used is to verify the user over the phone, so it is more effective than simply asking information which can be found using Google or people searches.

        The important thing for banks to do is to not relent. Banks should constantly work to innovate and improve online security. Banks who do not think this is a potential competitive advantage are missing the big picture.

        I am sorely disappointed in any bank’s resistance to investing in online security for their customers. My reason is simple:

        A bank should be the SAFEST place to put your money.

    3. George

      Kathy,

      congratulations to your bank for reviewing every ACH transaction.
      I wish the bank that handles my HOA dues payments would do the same.
      I accidentally send my AMEX payment check, made out to AMEX, (well over a thousand dollars) to that bank with the HOA payment coupon. They went ahead and ACH deposited the check to the HOA for the well over a thousand amount (the HOA dues is only about $160, clearly so indicated on the payment coupon).
      If they are so clueless (to commit fraud in the process) how would I expect them to detect fraudulent transmissions?

      Also, isn’t that true that they should have obtained, in advance, my permission to use ACH?

      (Sorry if you consider this off topic, I think it is related).

  6. Jim R

    The vast majority of Americans are glad to see some agency, lawyer or news organization “stick it to the banks”. What most don’t understand that the over abundance of regulation intended to curb the greed of the multi-billion dollar mega banks is rapidly killing off the small community banks who have much more concern for their customers and the safety of their accounts. This is why you are seeing a rapid decline in the numbers of small, locally owned community banks. When they’re gone, the banking industry will be dominated by a handful of mega banks, the same ones along with wall street greed that led us into the current disasterous financial mess we’re in now. Another thing not seen much in these discussions is consumer responsibility.

    1. Matt

      Jim, there has been a lot of discussion about consumer responsibility (see comments in other related Krebs articles). This isn’t regulation intended to curb greed (it’s not even regulation actually). The intent is to curb the proliferation of account takeovers and fraudulent activity. If, as a small bank providing online services, you can’t do the things outlined in these guidelines, then perhaps you shouldn’t be in business anyway (or at least online). That may seem harsh, but the online threats are significant and the banks have an obligation to secure their online services accordingly.

    2. Yar

      It is true that the burdens of compliance tend to favor larger banks. It’s simply a matter of an economy of scale. Compliance is made easier by large investments in IT, and community banks tend not to have the IT budgets necessary to effectively streamline their reporting and compliance activities.

      Of course, there are other reasons community banks are in decline. They were more vulnerable to loan losses despite more stringent capitalization requirements. A small bank who loses a 30M loan could be sunk. A large bank would write it off and get on with its life.

  7. Yar

    As a bank employee, I am actually glad they did not endorse a specific technology. The more diversity is out there to prevent fraud, the better off we’ll be. When the banks think they have a “one size fits all” security fix is when we get into trouble. Think of the secure tokens (with the 6 digit number which changes every 60 seconds). These were, at one time, considered THE solution for online fraud. Now, they are often considered almost irrelevant.

    If FFIEC had endorsed a single solution, we would see that solution used across the entire industry, and you would see every cyber criminal in the world immediately work on their way to defeat it.

    At least, this way, banks who choose to invest in protecting their customer and their reputation by carefully choosing effective products can develop a competitive advantage over those who do not. If a bank requires that the FFIEC tells them what to do to protect their customers and they are not willing to do more, I don’t want to bank with them anyway.

  8. AlphaCentauri

    I still think one of the most straightforward ways to discourage this scam is to have the banks and the FBI create a consortium that creates imaginary money mules to reply to the recruitment spams.

    It’s easy to identify money mule spam. There’s no shortage of it, and they have to reveal where they want the mules to send replies. But ordinary spam-fighters can’t bait them the way they do with 419 spam — you need to have the ability to create bank accounts and monitor them.

    If the banking-FBI consortium sent in hundreds of replies to each money mule spam, creating a dummy bank account for each one, it would be very difficult for the scammers to find any real mules among all the replies.

    When the scammers enlist one of the consortium-sponsored identities as a mule, then all the consortium has to do is monitor that account for an ACH deposit. The minute one occurs, they identify the bank and the account where it originated, then notify that bank. The victim’s bank can then start recalling the all the ACH transfers that night, before the destination banks even open in the morning to let the other money mules in. If the originating and destination banks all participate in the consortium, much of it could be set up to occur automatically.

    Would all banks participate? Maybe not. Would business depositors be advised to only bank at an institution that is concerned enough about this problem to participate? I should think so.

  9. Jesse McKenna

    Although the newly released supplement to the 2005 guidelines represents a step in the right direction, it seems to be more playing catch-up than providing recommendations for risk mitigation into the future. As long as financial institutions and regulators are focusing their efforts on preventing the threats posed by yesterday’s attacks, we will always be several steps behind the fraudsters.

    Implementing a layered approach to online fraud detection and mitigation is becoming a widely accepted approach, and for good reason, however the adaptability and predictive nature of the solutions implemented in those layers is also an important aspect that is not often discussed. Just as the solutions adhering to the 2005 guidance rapidly became hoops for fraudsters to jump through, so too will the supplemental guidance become in the coming months and years. As such, implementing systems that monitor and adapt to emerging attacks at various levels can begin to level the playing field.

    Moreover, implementing such systems can reduce the churn required as more static and rigid systems become outdated or no longer preferred. With only six months to implement the new supplemental guidelines, banks of all sizes have their work cut out for them, but more adaptive systems could greatly reduce the workload impact of future guidance changes. To put it simply, the constantly changing nature of online fraud should be embraced and reflected in the detection and mitigation systems implemented by banks when planning for the future.

    As the scale, sophistication, and iteration speed of malware are dramatically increasing, the only way banks, regulators, businesses, and customers can have a shot at security online is to predict, identify, and adapt to emerging threats as rapidly as possible. A layered approach is good, but a predictive and adaptive layered approach is better.

  10. lbn

    Having dealt with examiners from the FFIEC on numerous occassions, I am not surprised at the insufficiency of the guidelines issued from that group. Many of them are prodigies from the Safety & Soundness culture where vulnerabilities and irregularities are discovered in the books and in Policies & Procedures. It is a consortium of paper and pencil agencies that are ill-equipped to address actively evolving and ever more sophisticated cyber underworld aggression against an unprepared banking industry.
    My most recent experience with them was a small battalion of examiners from various agencies converging upon my operation. They spent most of their time arguing semantics, documentation, accuracy of diagrams, and scrutinizing 3rd party vendor contracts. I’m convinced they have no comprehension of the challenges that small banks are facing in the real world. Furthermore–the community banks are relying upon them for guidance of which they have no clue.
    You would not believe how many small banks remain ignorant of the sophistication of their adversaries. And the FFEIC is letting them down by not telling them what they need to do to protect themselves and their clients.

  11. saber

    Examiners are there to read the documentation. All they want to see is our thought processes being delivered to executive management, boards and customers. Their stance, is if you’re actually fighting the real “war” then you’ve declared war in meeting minutes somewhere, you’ve written a battle plan and presented it to those that need to see it. This guidance provides for all that, without bottle-necking us into a single solution. You be the leader! You develop stronger security! You implement the change!

  12. Dave

    After all the complaints from security people over the twice-as-much-one-factor “multi-factor” authentication used by US banks it’s pretty disappointing to see that this update doesn’t change anything. It’s mostly just warm fuzzies, instead of looking at what has and hasn’t worked since the original document and moving to address those. At least PCI-DSS tries to keep up with the state of play, and reacts to issues (eventually).

Comments are closed.