It would be a serious understatement for the FFIEC to simply "reiterate and reinforce" its 2005 position, given how much online banking risk has changed since then. In the five years since the FFIEC last released its guidance on risk strategies and authentication technologies, a query of the Privacy Rights Clearinghouse database shows 2,135 publicly reported data breach incidents. Those breaches compromised 459,217,337 sensitive records (bank account information, credit card numbers or Social Security numbers). The ready availability of attack kits that let people with little or no programming knowledge launch sophisticated attacks, combined with a more aggressive criminal element than existed in 2005, calls for much more than a reaffirmation.
Banking institutions and industry associations showed how seriously they take the pending guidance by scrambling to submit feedback after an initial draft, "Interagency Supplement to Authentication in an Internet Banking Environment", was mistakenly posted on the National Credit Union Administration website in December 2010. That reaction has led security analysts to speculate that important changes are ahead.
Currently, the leaked draft remains the only available indicator of what to expect. The draft contained the following recommendations:
- More frequent risk assessments focusing on authentication and related controls, performed at least every 12 months and prior to implementing new electronic financial services.
- More robust controls as the risk level of a transaction increases.
- Layered security to detect and effectively respond to suspicious or anomalous activity, both at initial login and at initiation of an online transaction.
- Multi-factor authentication well beyond simple device identification and easily answered challenge questions.
- Increased customer education and awareness.
______________________________________
Resources:
- Symantec Report on Attack Kits and Malicious Websites : Executive Summary
- Verizon 2011 Data Breach Report
- Privacy Rights List of Data Breaches 2005 to Present
- Top Nine Security Threats of 2011
- 2010 "Interagency Supplement to Authentication in an Internet Banking Environment" (summary here and here)
- 2005 Guidance on Authentication in an Internet Banking Environment