The much anticipated FFIEC Authentication Guidance was released on June 28, 2011 as a supplement to the very dated 2005 Guidance on Authentication in an Internet Banking Environment. The complete text of the Supplement to Authentication in an Internet Banking Environment is available on the FFIEC website.
There is not much difference from the draft mistakenly released on the National Credit Union Administration website in 2010. The guidance is weak in a number of areas, specifically the need for multi-factor authentication in consumer banking, not just commercial banking, and the failure to address the security of mobile banking.
The supplement does emphasize the need for ongoing updates of risk assessments and the need for a layered approach to security. Both recommendations are commonly found among best practices for identity and authentication management.
A number of vendors will scramble to re-position their products as multi-factor, or attempt to adapt single-dimension OTP or challenge-response offerings to address the emphasis on risk assessment and layered security. However, there are many current offerings available to address the regulatory requirements of 2012. Careful research is essential to identifying an authentication solution that not only fits your needs, but does so without adding additional burden to users, and also provides a flexible platform that can adapt and extend to meet the challenges of tomorrow.
- Supplement to Authentication in an Internet Banking Environment
- BankInfo Security – New Authentication Directives Don't Address Emerging Risks
The HITECH Act contains incentives (and disincentives) designed to accelerate adoption of electronic health record (EHR) systems and deliver on the original goals of the Health Insurance Portability and Accountability Act (HIPAA). These goals are rightly identified as “critical to patient safety, quality of care and reduction of delivery costs.” These are all admirable goals. However, regardless of how admirable, little among the many recommendations addresses the significant consequences that accompany the rollout of EHR systems. Electronic medical records contain a vast wealth of personal information, and this information will only become more vulnerable, and more susceptible to potential misuse, as access extends to an ever wider network of consumers and health care providers. As has historically been the case with all information systems, the desire to provide more open access and greater usability is always at odds with genuine concerns for security and privacy.
The Privacy and Security Tiger Team of the Office of the National Coordinator for Health IT recently released recommendations aimed at addressing this big elephant in the room. They point out that the HIPAA Security Rule requires covered entities to implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed. However, the Security Rule does not specify authentication options, assurance levels or verification requirements. The Tiger Team’s goal was to establish stronger authentication policy as part of governance for the Nationwide Health Information Network (NwHIN). Their recommendations for authentication of a certified EHR include:
- Baseline user authentication policies should require more than just user name and password for remote access. At least two factors should be required.
- Organizations and entities are encouraged to adopt a risk-based approach and provide multi-factor authentication for sensitive, high-risk transactions.
- Minimum two-factor authentication of e-prescriptions of controlled substances is required, consistent with the current DEA rule.
- Meaningful Use Stage 2 certification testing criteria for EHRs should include testing of compliance with the DEA authentication rule.
It is refreshing to see direct commentary regarding stringent authentication standards. However, the conflict between open access and security is clearly apparent throughout the document. This is evident in statements such as “providers must manage the risk of inappropriate access; however they should not set the identification requirements in a way that discourages or inhibits patients from participating.” Open access for patients is no longer the future; it is happening now. EHR systems need to balance the requirement for access with the equally important need for security. An approach focused on layered access to information, using a risk-based authentication modality that answers three simple questions – are you who you say you are, where will I allow you to go, and what will I allow you to do – is the best means of achieving this goal.
- ONC Privacy and Security Tiger Team
- Summary: HIPAA Security Rule
The FFIEC was expected to provide an update to the 2005 Guidance on Authentication in an Internet Banking Environment in early 2011. Yet here it is almost May and nothing has been forthcoming. Bank Information Security recently reported the release is close, but would not speculate on when it would actually occur, as one FFIEC agency is rumored to be holding up the process.
It would be a dramatic understatement for the FFIEC to simply “reiterate and reinforce” given the dramatic change in online banking risks today as compared to 2005. In the 5 years since the FFIEC last released its guidelines on risk strategies and authentication technologies, a query of the Privacy Data Clearinghouse database shows that 2135 publicly reported data breach incidents have occurred. These breaches compromised 459,217,337 sensitive records (bank account information, credit card numbers or Social Security numbers). The ready availability of more advanced technology that allows those with little or no programming knowledge to launch sophisticated attacks, combined with the recognition that a more aggressive criminal element exists today, would certainly require much more than a reaffirmation.
Banking institutions and industry associations demonstrated their concern about the pending guidelines by scrambling to provide feedback following the public availability of an initial draft, "Interagency Supplement to Authentication in an Internet Banking Environment”, mistakenly posted on the National Credit Union Administration website in December 2010. This has led security analysts to speculate on the possibility that important changes are ahead.
Currently, the leaked draft remains the only available indicator of what to expect. The draft contained the following recommendations:
- More frequent risk assessments focusing on authentication and related controls, at least every 12 months and prior to implementing new electronic financial services.
- More robust controls as the risk level of transactions increases.
- Layered security to detect and effectively respond to suspicious or anomalous activity, both at initial login and at initiation of an online transaction.
- Multi-factor authentication, well beyond simple device identification and easily answered challenge questions.
- Increased customer education and awareness.
Here is the question: are you prepared? Many vendors are currently scrambling to re-position their products as multi-factor, or attempting to adapt single-dimension offerings to address the emphasis on layered security. In a complex and confusing market, careful research will be essential to identifying an authentication solution that increases identity assurance without adding additional burden to users, while also providing a flexible platform that can adapt and extend to meet the challenges of tomorrow.
- Symantec Report on Attack Kits and Malicious Websites : Executive Summary
- Verizon 2011 Data Breach Report
- Privacy Rights List of Data Breaches 2005 to Present
- Top Nine Security Threats of 2011
- 2010 "Interagency Supplement to Authentication in an Internet Banking Environment"
- 2005 Guidance on Authentication in an Internet Banking Environment
Bank Info Security reports that the Federal Financial Institutions Examination Council (FFIEC) is expected to provide new guidance on online banking and strong authentication:
The Federal Financial Institutions Examination Council is expected to issue new security guidance revisiting online banking and strong authentication, according to industry experts who have been involved in recent meetings with the FFIEC.
Gartner Analyst Avivah Litan is quoted, "I got the feeling that the guidance this time will be much more specific, suggesting banks might even be held more accountable in future cases of account takeover." Holding banks financially responsible for accounts would bring about significant change. Some solutions currently in place are more "check the box" solutions, designed primarily to address compliance, but not necessarily to improve security.
"FFIEC (Federal Financial Institutions Examination Council) compliance is conformance to a set of standards for online banking issued in October 2005 by the Federal Financial Institutions Examination Council (FFIEC). The standards require multifactor authentication (MFA) because single-factor authentication (SFA) has proven inadequate against the tactics of increasingly sophisticated hackers, particularly on the Internet. In MFA, more than one form of authentication is implemented to verify the legitimacy of a transaction. In contrast, SFA involves only a user ID and password."
Payment Card Industry (PCI) Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
Is PCI a law? No. It is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). Compliance is enforced by the organizations processing transactions (e.g. Visa, Mastercard, American Express).
PCI DSS Requirements (Wikipedia)
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software on all systems commonly affected by malware
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
The Federal Trade Commission has again delayed the enforcement of the "Red Flags" Rule to give business more time to prepare programs to comply with the law. The FTC is making available new materials to help business better understand the rule's requirements, and templates designed to assist in creating identity theft prevention programs that are appropriate to the size of a particular business.
What are the "Red Flag" Rules?
The rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.
They require "each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft."
What are basic elements of an Identity Theft Prevention Program?
According to the FTC's Red Flags Rule How To Guide for Business, there are four basic elements of an Identity Theft Prevention Program:
First, your Program must include reasonable policies and procedures to identify the "red flags" of identity theft you may run across in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a "red flag" for your business.
Second, your Program must be designed to detect the red flags you've identified. For example, if you've identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.
Third, your Program must spell out appropriate actions you'll take when you detect red flags.
Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime.
Relentless technology advancement, the push for Electronic Medical Records (EMR), and the integration of diagnostic device data, treatments, patient history and response are priorities for healthcare facilities today. The challenge is not limited to systems and technologies within a facility, but spans facilities, because physicians and specialists often practice or share patients across facilities depending on the treatment course. With medical transcription increasingly being outsourced, much information is managed and compiled externally, yet access is required when the patient visits.
While the intent of this advancement in technology is to provide ready access to information at the time of service delivery, healthcare practitioners (physicians, nurses, dieticians, specialists) must access multiple systems to get the information they need. Doctors find their productivity reduced by the time it takes them to log in and out. HIPAA compliance mandates patient information be available on a "need" basis to protect the privacy of the patients. Yet, it is not uncommon to find user IDs and passwords posted on or near the computer. With patient care -- not data security -- the primary objective, it is not uncommon for practitioners to stay logged on to a system for extended periods, even when they step away and give others access. The challenge, therefore, is to leverage technology to increase the quality of healthcare while improving the productivity of the practitioners, without compromising the privacy of the patient.
Remembering more passwords or using single-sign-on (SSO) technology may not be the answer for healthcare. Second factor authentication increases security without impacting productivity. Second factor authentication using external devices such as tokens, or proximity cards requires significant upfront investment for acquisition, integration, and training. Moreover, external devices tend to get lost or "borrowed", compromising the security of systems and the patient.
Consider, instead, using the behavioral characteristics of practitioners as a second factor. Individuals are products of many variables in unique combination that define specific cognitive capabilities. Given how a person responds to the environment - from typing on a keyboard, to thinking, to behavior under certain external stimuli - it is possible to capture behavioral characteristics and match them with environmental and system variables to assemble a unique digital imprint of a user.
This goes beyond identifying an individual based on what a person knows (User ID and Password) and what a person has (cell phone, token ID). Systems can identify an individual based on "who they are" and "what they do".
Albert Einstein said, "The significant problems that we face cannot be solved at the same level of thinking we were at when we created them". Leveraging the capabilities available requires a paradigm shift in thinking. Security does not have to be physically bolted on to an individual. It can be the individual, using keystroke dynamics, reflective thinking, environmental, and system variables. The system must provide identity verification for the user in real time. The solution must monitor multiple factors and assess risk based on business policies and guidelines to provide a true multi-factor, risk-based authentication solution that protects the system from fraudulent attack and increases user productivity.
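To make the keystroke-dynamics-plus-risk idea concrete, here is an added illustration (not Delfigo's product or any published algorithm): a user's typing rhythm on a passphrase is enrolled as per-feature timing statistics, a login attempt is scored against that template, and the score is combined with context flags (remote access, unknown device, sensitive transaction) to allow, step up, or deny. The timing samples, feature layout and risk weights are all constructed for the example.

```python
"""Keystroke dynamics as a second factor feeding a risk-based decision.

Added illustration for this post; it is not Delfigo's product nor any
published algorithm. Per-keystroke features: dwell time (key down to key up)
and flight time (previous key up to this key down), in milliseconds, for one
typed passphrase. All timing samples below are constructed.
"""
from statistics import mean, pstdev

# Constructed enrollment samples for one user: [dwell_1, flight_1, dwell_2, flight_2]
ENROLLMENT = [
    [90, 150, 80, 200],
    [100, 160, 90, 210],
    [110, 170, 100, 220],
    [90, 160, 80, 200],
    [110, 160, 100, 220],
]
GENUINE_ATTEMPT = [102, 158, 92, 212]    # constructed: same user, slight variation
IMPOSTOR_ATTEMPT = [150, 240, 130, 300]  # constructed: a different typing rhythm

def enroll(samples):
    """Template = per-feature (mean, std dev); std dev is floored at 1 ms so a
    feature with no observed variation cannot dominate the distance."""
    return [(mean(col), max(pstdev(col), 1.0)) for col in zip(*samples)]

def keystroke_distance(template, attempt):
    """Mean absolute z-score of the attempt against the template (0 = identical)."""
    return mean(abs(v - m) / sd for (m, sd), v in zip(template, attempt))

def decide(template, attempt, remote=False, new_device=False, sensitive=False):
    """Combine the biometric distance with context, mirroring the post's
    'who you are / what you do / where / what' questions. The weights and
    thresholds are illustrative policy values, not calibrated figures."""
    risk = keystroke_distance(template, attempt)
    risk += 0.5 if remote else 0.0       # remote access raises baseline risk
    risk += 1.0 if new_device else 0.0   # unknown device: "what you have" is absent
    risk += 0.5 if sensitive else 0.0    # high-risk transaction per policy
    if risk < 1.5:
        return "allow"
    if risk < 3.0:
        return "step_up"                 # ask for another factor rather than block
    return "deny"

if __name__ == "__main__":
    tmpl = enroll(ENROLLMENT)
    print(decide(tmpl, GENUINE_ATTEMPT))                                    # allow
    print(decide(tmpl, GENUINE_ATTEMPT, remote=True, new_device=True, sensitive=True))  # step_up
    print(decide(tmpl, IMPOSTOR_ATTEMPT))                                   # deny
```

A genuine user on a known workstation passes on rhythm alone, the same user from a new remote device on a sensitive action is stepped up rather than locked out, and a mismatched rhythm is denied regardless of context.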
Delfigo Security offers a zero footprint security solution platform that helps companies provide strong authentication to protect against identity and data theft.
Bharat Nair is Vice President of Business Development at Delfigo Security, http://www.delfigosecurity.com/, Boston, MA. He can be reached at
or by phone at 1.617.248.6501