Federal banking regulators today released a long-awaited supplement to the 2005 guidelines that describe what banks should be doing to protect e-banking customers from hackers and account takeovers. Experts called the updated guidance a step forward, but were divided over whether it would be adequate to protect small to mid-sized businesses against today’s sophisticated online attackers.
The new guidance updates “Authentication in an Internet Banking Environment,” a document released in 2005 by the Federal Financial Institutions Examination Council (FFIEC) for use by bank security examiners. The 2005 guidance has been criticized for being increasingly irrelevant in the face of current threats like the password-stealing ZeuS Trojan, which can defeat many traditional customer-facing online banking authentication and security measures. The financial industry has been expecting the update since December 2010, when a draft version of the guidelines was accidentally leaked.
The document released today (PDF) recognizes the need to protect customers from newer threats, but stops short of endorsing any specific technology or approach. Instead, it calls on banks to conduct more rigorous risk assessments, to monitor customer transactions for suspicious activity, and to work harder to educate customers — particularly businesses — about the risks involved in banking online.