It would be a dramatic understatement for the FFIEC to simply “reiterate and reinforce” given the dramatic change in online banking risks today as compared to 2005. In the 5 years since the FFIEC last released its guidelines on risk strategies and authentication technologies, a query of the Privacy Data Clearinghouse database shows that 2135 publicly reported data breach incidents have occurred. These breaches compromised 459,217,337 sensitive records (bank account information, credit card numbers or Social Security numbers). The ready availability of more advanced technology that allows those with little or no programming knowledge to launch sophisticated attacks, combined with the recognition that a more aggressive criminal element exists today, would certainly require much more than a reaffirmation.
Banking institutions and industry associations demonstrated their concern about the pending guidelines by scrambling to provide feedback following the public availability of an initial draft, "Interagency Supplement to Authentication in an Internet Banking Environment”, mistakenly posted on the National Credit Union Administration website in December 2010. This has led security analysts to speculate on the possibility that important changes are ahead.
Currently, the leaked draft remains the only available indicator of what to expect. The draft contained the following recommendations:
- More frequent risk assessments focusing on authentication and related controls at least every 12 months and prior to implementing new electronic financial services
- More robust controls as the risk level of transactions increases.
- Layered Security to detect and effectively respond to suspicious or anomalous activity both at initial login access and at initiation of online transaction
- Multi Factor Authentication, well beyond simple device identification and easily answered challenge questions
- Increased Customer Education and Awareness.
- Symantec Report on Attack Kits and Malicious Websites : Executive Summary
- Verizon 2011 Data Breach Report
- Privacy Rights List of Data Breaches 2005 to Present
- Top Nine Security Threats of 2011
- 2010 "Interagency Supplement to Authentication in an Internet Banking Environment" (summary here and here )
- 2005 Guidance on Authentication in an Internet Banking Environment