Layered Security Essential Tactic of Latest FFIEC Banking Guidelines

New federal security guidelines spell out how banks should protect customer bank accounts from cyber-criminals intent on stealing funds.

A federal agency responsible for enforcing security rules for banks enhanced its guidelines in response to recent high-profile security breaches at financial institutions and other organizations.

Banks must adopt a layered approach to security in order to combat highly sophisticated cyber-attacks, the Federal Financial Institutions Examination Council said in a supplement released June 28. The new rules update the 2005 "Authentication in an Internet Banking Environment" guidance to reflect new security measures banks need to fend off increasingly sophisticated attacks.

The guidance applies to both large financial institutions and small to midsized banks. The FFIEC guidance defined layered security as using different controls at different points in a transaction process so that the failure of one defense is compensated by another mechanism in place.

"Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high-risk transactions," said the FFIEC.

Options include implementing fraud detection and monitoring systems to flag suspicious activity, requiring multiple employees to sign off and authorize a transaction, out-of-band verification, or requiring customers to create a list of approved payees.

The FFIEC did a "really good job" telling banks that no single method can be relied upon and that layered security measures were a must, Avivah Litan, a vice president and distinguished analyst at Gartner said. The guidance called out the "need to control privileged user access to sensitive applications," and emphasized a risk-based approach in which controls are strengthened as risks increase, said Litan.

The supplement specifically addressed account takeovers or how cyber-criminals are initiating fraudulent wire transfers and ACH transactions to loot bank accounts. Small and midsized businesses at banks and credit unions have lost millions of dollars in recent years using these methods. A recent data breach at Citigroup compromised over 360,000 customer credit card accounts. Attackers looted $2.7 million in the Citi breach.

The supplement sets "clear minimum expectations" for a layered security program, said Terry Austin, CEO of Guardian Analytics. "We've seen how effective behavior-based anomaly detection and transaction monitoring can be and know the industry will benefit from the FFIEC expecting this approach from all institutions," Austin said.

The guidance also pointed out that some of the popular multi-factor authentication techniques, such as challenge questions and device identification, don't actually do much to stop an attacker. Answers to challenge questions can often be found by poking around social-networking sites or searching online, and there are advanced pieces of malware designed to take control of a victim's browser.

The FFIEC recognized that the threat landscape has evolved and that security measures also need to change, said Tim Sutton, PhoneFactor CEO. The FFIEC identified man-in-the-middle attacks and keystroke loggers as ways attackers are circumventing traditional authentication methods, Sutton said.

"In a relatively short period of time, we will no longer be able to bank online by simply entering a user name and password," Sutton said.

However, the FFIEC did not address mobile banking, implications for call centers or future threats in its guidance, nor did it provide any specific directions that financial institutions must follow. The supplement contains guidelines to dictate how security measures are supposed to operate, without mentioning the precise tools required.

The original 2005 guidance "fell short" by suggesting technical measures that quickly became obsolete as cyber-criminals evolved more sophisticated attacks, according to Litan. The FFIEC guidance does a good job of addressing yesterday's threats and suggested techniques for defeating them, but it is not sufficiently forward-looking. The cycle will likely repeat, Litan said, since banks will build their security according to the scenarios outlined by the FFIEC.

"The attacks will get more sophisticated, and will use new techniques that are not addressed in the details of the guidance," she said.

"There is no -stick' or -carrot' to adhere to the guidelines," Entrust president and CEO Bill Conner said. The guidance also did not place any accountability for implementation or mandate any specific timeframe, Conner said. The FFIEC said formal assessments of compliance will begin January 2012.

Banks will be required to institute user-awareness programs for both consumers and business customers. Litan criticized the guidance for being very unclear on how banks are supposed to explain to customers what protections are provided and not provided. "The FFIEC should have established minimum requirements on what clear disclosure looks like," Litan said.