New federal security guidelines spell out how banks should protect customer bank accounts from cyber-criminals intent on stealing funds.
A federal agency responsible
for enforcing security rules for banks enhanced its guidelines in response to
recent high-profile security breaches at financial institutions and other
Banks must adopt a layered
approach to security in order to combat highly sophisticated cyber-attacks, the
Federal Financial Institutions Examination Council said in a supplement
released June 28. The new rules update the 2005 "Authentication in an
Internet Banking Environment" guidance to reflect new security measures
banks need to fend off increasingly sophisticated attacks.
The guidance applies to both
large financial institutions and small to midsized banks. The FFIEC guidance
as using different controls at different points in a transaction
process so that the failure of one defense is compensated by another mechanism
"Since virtually every
authentication technique can be compromised, financial institutions should not
rely solely on any single control for authorizing high-risk transactions," said
Options include implementing
fraud detection and monitoring systems to flag suspicious activity, requiring
multiple employees to sign off and authorize a transaction, out-of-band
verification, or requiring customers to create a list of approved payees.
The FFIEC did a "really
good job" telling banks that no single method can be relied upon and that
layered security measures were a must, Avivah
, a vice president and distinguished analyst at Gartner said. The
guidance called out the "need to control privileged user access to
sensitive applications," and emphasized a risk-based approach in which controls
are strengthened as risks increase, said Litan.
The supplement specifically
or how cyber-criminals are initiating fraudulent
and ACH transactions to loot bank accounts. Small and midsized
businesses at banks and credit unions have lost millions of dollars in recent
years using these methods. A recent data breach at Citigroup
compromised over 360,000 customer credit card accounts. Attackers looted $2.7
million in the Citi breach.
The supplement sets
"clear minimum expectations" for a layered security program, said
Terry Austin, CEO of Guardian Analytics. "We've seen how effective
behavior-based anomaly detection and transaction monitoring can be and know the
industry will benefit from the FFIEC expecting this approach from all
institutions," Austin said.
The guidance also pointed
out that some of the popular multi-factor authentication techniques, such as
challenge questions and device identification, don't actually do much to stop
an attacker. Answers to challenge questions can often be found by poking around
social-networking sites or searching online, and there are advanced pieces of
malware designed to take control of a victim's browser.
The FFIEC recognized that
the threat landscape has evolved and that security measures also need to
change, said Tim Sutton, PhoneFactor CEO. The FFIEC identified
man-in-the-middle attacks and keystroke loggers as ways attackers are
circumventing traditional authentication methods, Sutton said.
"In a relatively short
period of time, we will no longer be able to bank online by simply entering a
user name and password," Sutton said.
However, the FFIEC did not
address mobile banking, implications for call centers or future threats in its
guidance, nor did it provide any specific directions that financial
institutions must follow. The supplement contains guidelines to dictate how
security measures are supposed to operate, without mentioning the precise tools
The original 2005 guidance
"fell short" by suggesting technical measures that quickly became
obsolete as cyber-criminals evolved more sophisticated attacks, according to
Litan. The FFIEC guidance does a good job of addressing yesterday's threats and
suggested techniques for defeating them, but it is not sufficiently forward-looking.
The cycle will likely repeat, Litan said, since banks will build their security
according to the scenarios outlined by the FFIEC.
"The attacks will get
more sophisticated, and will use new techniques that are not addressed in the
details of the guidance," she said.
"There is no -stick' or
-carrot' to adhere to the guidelines," Entrust president and CEO Bill
Conner said. The guidance also did not place any accountability for
implementation or mandate any specific timeframe, Conner said. The FFIEC said
formal assessments of compliance will begin January 2012.
Banks will be required to
institute user-awareness programs for both consumers and business customers.
Litan criticized the guidance for being very unclear on how banks are supposed
to explain to customers what protections are provided and not provided.
"The FFIEC should have established minimum requirements on what clear
disclosure looks like," Litan said.