The usual suspects were at work last week in the security arena: Microsoft issued massive patches; Snort has a problem that can be triggered by a single UDP packet; and the like.
But the Big Story was about banking, and it didn't seem to be picked up by many people. It boils down to this: username and password aren't going to be good enough for online banking. The online banks are going to need at least two-factor (if not more) authentication to satisfy the government watchdogs.
What started things off was the Federal Financial Institutions Examination Council (which is made up of five member agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp., the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision) updating its document "Authentication in an Electronic Banking Environment" (which was issued in 2001) to "Authentication in an Internet Banking Environment." The previous document did not endorse any particular authentication method.
The new "guidance"—which is bank-speak for "This is what upcoming regulations will look like"—is needed, says the FFIEC, to "specifically addresses the need for risk-based assessment, customer awareness, and financial institutions' implementation of appropriate risk mitigation strategies including security measures to reliably authenticate customers accessing their financial institutions' Internet-based services."