A supplement to Authentication in an Internet Banking Environment, also known as the “2005 Guidance”, has been released. The 2005 Guidance was created by the FFIEC agencies to provide a risk-management framework for financial institutions offering internet-based products and services. The purpose of the Supplement is to reinforce that framework and update the Agencies’ expectations for customer authentication, layered security, and other controls. It also establishes or reinforces supervisory expectations for financial institutions, including:
- Performing periodic risk assessments
- Adjusting customer authentication controls in response to new threats to online accounts
The Agencies recommend that institutions implement layered security as well as multifactor authentication for business customers and for high-risk Internet-based systems. Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is compensated for by the strength of a different control. Effective controls that may be included in a layered security program include, but are not limited to:
- Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
- The use of dual customer authorization through different access devices;
- The use of out-of-band verification for transactions;
- The use of “positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account;
- Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times);
- Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities;
- Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud;
- Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels;
- Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.
The financial institution’s layered security program is expected to contain, at a minimum, the following elements:
- Controls designed to detect and respond to suspicious activity
- Enhanced controls for administrators able to set up or change system configurations. These controls should exceed the controls applicable to routine business customer users.
The 2005 Guidance urged institutions to implement simple device identification methods to confirm that the customer’s computer matches their login and password. However, fraudsters have found ways to impersonate the legitimate user’s device. The Agencies now suggest institutions use complex device identification, which creates a more detailed digital “fingerprint” of the device to verify a user.
The Supplement also addresses the use of challenge questions and suggests that institutions no longer consider basic challenge questions to be an effective risk mitigation technique. This is due to the amount of personal information readily available on the internet and social networking sites.
A financial institution’s customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements:
- An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access;
- An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials;
- A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;
- A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; and,
- A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.
The Supplement to the 2005 Guidance also addresses the increasingly sophisticated and malicious techniques fraudsters are using to circumvent authentication controls, gain access to customer accounts and transfer funds beyond the reach of financial institutions and law enforcement. One of the schemes mentioned is keylogging malware, a program that records the keystrokes entered and transmits that record to the person controlling the malware. Such software can be installed by simply visiting an infected website or clicking an infected banner advertisement or email attachment. The Agencies suggest institutions investigate the variety of security controls available to determine which would be the most effective in detecting and preventing attacks as part of their layered security program. These controls include:
- Anti-malware software, used to prevent, detect, block and remove adware, spyware, and other forms of malware, such as keyloggers.
- Transaction monitoring/anomaly detection software, which monitors online banking activity for suspicious fund transfers.
- Out-of-band authentication, in which a transaction initiated via one delivery channel (e.g., Internet) must be verified through an independent delivery channel (e.g., telephone). For business customers, this option can be combined with other administrative controls and can involve someone other than the person who initiated the transaction.
- USB devices that increase session security when plugged into the customer’s computer.
The Supplement to the 2005 Guidance suggests institutions should look to traditional and innovative business process controls to improve security. Some examples include:
- Requiring and periodically reviewing volume and value limitations or parameters for what activities a business customer in the aggregate, and its enrolled users individually, can functionally accomplish while accessing the online system;
- Establishing individual transaction and aggregate account exposure limits based on expected account activity;
- Establishing payee whitelisting (e.g., positive pay) and/or blacklisting;
- Requiring every ACH file originating entity to provide a proactive notice of intent to originate a file prior to its submission; and
- Requiring business customers to deploy dual control routines over higher risk functions performed online.
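The account-activity controls listed above (transaction value thresholds, payee whitelisting, payment windows, per-day counts, IP reputation blocking, exposure limits and dual control) are all policy checks that can be evaluated before a payment is released. The following is an added illustration, not code from the Supplement or from any institution, of how such checks compose into a layered decision: a breach of a hard limit rejects the transaction, while findings a person can resolve (an unknown payee, a missing second approver) route it to out-of-band verification rather than silently approving it. The policy values, payee names, IP ranges and user ids are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass
class AccountPolicy:
    """Per-customer controls of the kind the Supplement lists; values are constructed."""
    per_transaction_limit: float      # individual transaction exposure limit
    daily_aggregate_limit: float      # aggregate account exposure limit
    max_transactions_per_day: int     # number of transactions allowed per day
    payment_hours: tuple              # allowable window as (start_hour, end_hour), end exclusive
    payment_weekdays: frozenset       # allowable days, Monday=0 .. Sunday=6
    payee_whitelist: frozenset        # positive-pay style list of approved payees
    blocked_networks: tuple           # IP reputation block list, CIDR strings
    dual_control_above: float         # amounts above this need a second, distinct approver

@dataclass
class Transaction:
    amount: float
    payee: str
    when: datetime
    source_ip: str
    initiator: str
    approver: Optional[str] = None    # user id of the second approver, if any

@dataclass
class Decision:
    outcome: str                      # "approve", "verify_out_of_band" or "reject"
    reasons: list = field(default_factory=list)

def evaluate(tx: Transaction, policy: AccountPolicy, approved_today: list) -> Decision:
    """Run one transaction through each control layer and return the combined decision.
    Hard findings (block list, window, exposure limits) reject; soft findings (unknown
    payee, missing approver) hold the transaction for out-of-band verification.
    `approved_today` holds the account's already-approved transactions for the day."""
    hard, soft = [], []
    # Layer 1: IP reputation. Refuse connections from ranges associated with fraud.
    ip = ipaddress.ip_address(tx.source_ip)
    if any(ip in ipaddress.ip_network(net) for net in policy.blocked_networks):
        hard.append(f"source IP {tx.source_ip} is on the block list")
    # Layer 2: payee whitelisting (positive pay).
    if tx.payee not in policy.payee_whitelist:
        soft.append(f"payee {tx.payee!r} is not on the approved list")
    # Layer 3: allowable payment window, by weekday and hour.
    start, end = policy.payment_hours
    if tx.when.weekday() not in policy.payment_weekdays or not start <= tx.when.hour < end:
        hard.append("outside the allowable payment window")
    # Layer 4: individual and aggregate exposure limits, and transactions per day.
    if tx.amount > policy.per_transaction_limit:
        hard.append("exceeds the individual transaction limit")
    if sum(t.amount for t in approved_today) + tx.amount > policy.daily_aggregate_limit:
        hard.append("exceeds the daily aggregate exposure limit")
    if len(approved_today) + 1 > policy.max_transactions_per_day:
        hard.append("exceeds the number of transactions allowed per day")
    # Layer 5: dual control over higher-risk amounts; the approver must differ from the initiator.
    if tx.amount > policy.dual_control_above:
        if tx.approver is None:
            soft.append("dual control: no second approver recorded")
        elif tx.approver == tx.initiator:
            soft.append("dual control: approver must be a different user than the initiator")
    if hard:
        return Decision("reject", hard + soft)
    if soft:
        return Decision("verify_out_of_band", soft)
    return Decision("approve")

# Constructed sample policy and transactions (hypothetical, not from the Supplement).
SAMPLE_POLICY = AccountPolicy(
    per_transaction_limit=25_000, daily_aggregate_limit=60_000, max_transactions_per_day=5,
    payment_hours=(8, 18), payment_weekdays=frozenset(range(5)),
    payee_whitelist=frozenset({"ACME Supplies", "Payroll Processor"}),
    blocked_networks=("203.0.113.0/24",), dual_control_above=10_000,
)
WED = datetime(2024, 6, 12, 10, 30)   # a Wednesday inside the payment window
SAT = datetime(2024, 6, 15, 10, 30)   # a Saturday, outside the window
SAMPLES = {
    "routine":        Transaction(4_000, "ACME Supplies", WED, "198.51.100.7", "alice"),
    "needs_approver": Transaction(15_000, "ACME Supplies", WED, "198.51.100.7", "alice"),
    "self_approved":  Transaction(15_000, "ACME Supplies", WED, "198.51.100.7", "alice", "alice"),
    "dual_approved":  Transaction(15_000, "ACME Supplies", WED, "198.51.100.7", "alice", "bob"),
    "unknown_payee":  Transaction(500, "New Vendor LLC", WED, "198.51.100.7", "alice"),
    "over_limit":     Transaction(30_000, "ACME Supplies", WED, "198.51.100.7", "alice", "bob"),
    "bad_ip":         Transaction(4_000, "ACME Supplies", WED, "203.0.113.45", "alice"),
    "weekend":        Transaction(4_000, "ACME Supplies", SAT, "198.51.100.7", "alice"),
}

def evaluate_samples() -> dict:
    """Evaluate each sample against an empty day and return label -> outcome."""
    return {label: evaluate(tx, SAMPLE_POLICY, []).outcome for label, tx in SAMPLES.items()}

if __name__ == "__main__":
    for label, tx in SAMPLES.items():
        d = evaluate(tx, SAMPLE_POLICY, [])
        print(f"{label:15} {d.outcome:20} {'; '.join(d.reasons)}")
```

The ordering matters: every layer runs even after an earlier one has found a problem, so the decision carries all findings and a reviewer sees, for example, both the limit breach and the missing approver. Keeping hard and soft findings apart is what lets a legitimate but unusual payment (a new payee, a large amount awaiting its second approver) be confirmed through an independent channel instead of being rejected or waved through.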