Prodded by incessant reports of small- to mid-sized business losing millions of dollars at the hands of organized cyber criminals, federal regulators may soon outline more stringent steps that commercial banks need to take to protect business customers from online banking fraud and educate users about the risks of banking online.
At issue are the guidelines jointly issued in 2005 by five federal banking regulators under the umbrella of the Federal Financial Institutions Examination Council (FFIEC). The guidance was meant to prod banks to implement so-called “multifactor authentication” — essentially, to require customers to provide something else in addition to a user name and password when logging into their bank accounts online, such as the output from a security token.
The FFIEC didn’t specify exactly how the banks had to do this, and indeed it left it up to financial institutions to work out the most appropriate approach. However, many banks appear to have gravitated toward approaches that are relatively inexpensive, easy to defeat, and that may not strictly adhere to the guidance, such as forcing customers to periodically provide the answer to “challenge questions” as a prerequisite to logging in to their accounts online.
Unfortunately, as I have documented time and again, organized computer criminals are defeating these solutions with ease. Experts say part of the problem is that few of these solutions can protect customers whose systems are already infected with password-stealing malicious software. What’s more, few banks have put in place technology on their back-end systems to monitor customer transactions for anomalies that may indicate fraudulent activity, much in the way that the credit card industry sifts through data in real time and alerts the customer if a transaction or set of transactions radically deviate from that customer’s usual purchasing habits.
Last month, krebsonsecurity.com, interviewed Robert C. Drozdowski, a senior technology specialist with the Federal Deposit Insurance Corporation (FDIC). Drozdowski told me that the banking regulators recently convened a series of meetings with banks and security technology providers to figure out whether additional guidance would help banks do a better job of protecting their commercial customers. I asked him about the current state of these regulations and what we might expect from banking regulators in the months ahead on this issue. What follows is a portion of that discussion.