Updated federal guidance on internet banking authentication is getting the attention of industry experts. Not all of it is good.
The Federal Financial Institutions Examination Council (FFIEC) on Tuesday announced a supplement to its "Authentication in an Internet Banking Environment" guidance, originally published in 2005. The supplement recommends that financial institutions use multi-factor authentication, regularly review their policies and conduct security risk assessments, and implement a layered approach to securing high-risk online systems.
While those Bank Systems & Technology spoke with about the guidance agree that the FFIEC's call for layered security and multi-factor authentication is the right approach, some believe that, after six years, the council didn't go far enough.
"It’s progress," says Julie Conroy McNelley, Aite Group senior analyst. "I would hope that we don’t wait another six years to see this refreshed again. The threats are evolving quite rapidly."
She adds that the six-month gap between the FFIEC's draft, released for public comment in December, and the final supplement is a long wait for what amounts to little change. Between draft and final, the FFIEC expanded its section on layered security and added some detail on multi-factor authentication.
"The one other piece that I thought was good in this, and this was also present in the December preliminary draft, is it highlighted the fact that simple, cookie-based device authentication is very easy to beat," McNelley says. "And if you’re going to use device authentication as part of your authentication scheme, it needs to be complex."
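To make the distinction McNelley draws concrete, the following is an added example written for this article, not code from the FFIEC supplement or from any vendor quoted here. It contrasts a "simple" device cookie (an opaque id the server remembers as enrolled) with a device token that is HMAC-signed by the server, bound to attributes the server observes on every request, and given a lifetime. The server key, the user name `alice`, and the device attributes (user agent, language, screen size) are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed server secret for this example; a real system loads it from an HSM/KMS.
SERVER_KEY = hashlib.sha256(b"example-only-server-key").digest()


# --- "Simple" device cookie: an opaque id the server remembers as enrolled ---

def naive_issue_device_cookie(registry: dict) -> str:
    """Enrol a device by minting a random id and remembering it server-side."""
    device_id = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    registry[device_id] = True
    return device_id


def naive_verify_device_cookie(registry: dict, cookie: str) -> bool:
    """Whoever presents an enrolled id is treated as the enrolled device.
    Nothing ties the value to the machine, the user, or a lifetime."""
    return registry.get(cookie, False)


# --- Signed device token bound to observable attributes and a lifetime ---

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def fingerprint(attrs: dict) -> str:
    """Hash of attributes the server observes on each request (constructed
    example: user agent, language, screen size); stable across requests."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def issue_device_token(user_id: str, attrs: dict, now: int,
                       ttl: int = 30 * 24 * 3600, key: bytes = SERVER_KEY) -> str:
    """Mint <payload>.<hmac-sha256 tag>; without the key a forged payload cannot be tagged."""
    payload = {"sub": user_id, "dev": _b64e(os.urandom(16)),
               "fp": fingerprint(attrs), "iat": now, "exp": now + ttl}
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify_device_token(token: str, user_id: str, attrs: dict, now: int,
                        key: bytes = SERVER_KEY) -> bool:
    """Accept only an untampered, unexpired token issued to this user whose
    fingerprint matches what the server sees on the current request."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):   # constant-time compare
            return False
        payload = json.loads(_b64d(body))
        return (payload["sub"] == user_id
                and payload["fp"] == fingerprint(attrs)
                and payload["iat"] <= now < payload["exp"])
    except (ValueError, KeyError, TypeError):
        return False


def demo() -> dict:
    """Run both schemes against the same attack: the cookie value is copied
    off the enrolled machine (e.g. by malware) and replayed from another one."""
    now = 1_700_000_000
    victim = {"ua": "Mozilla/5.0 (Windows NT 6.1)", "lang": "en-US", "screen": "1366x768"}
    attacker = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "lang": "ru-RU", "screen": "1920x1080"}

    registry = {}
    cookie = naive_issue_device_cookie(registry)
    token = issue_device_token("alice", victim, now)

    # Forgery attempt: attacker writes a payload for their own fingerprint but has no key.
    forged_body = _b64e(json.dumps({"sub": "alice", "dev": "x", "fp": fingerprint(attacker),
                                    "iat": now, "exp": now + 10**6}, sort_keys=True).encode())
    forged = forged_body + "." + _b64e(b"\x00" * 32)

    # Tampering attempt: flip the first character of the tag.
    body, tag = token.split(".", 1)
    tampered = body + "." + ("A" if tag[0] != "A" else "B") + tag[1:]

    return {
        "naive_replay_from_other_machine": naive_verify_device_cookie(registry, cookie),
        "signed_legit": verify_device_token(token, "alice", victim, now + 60),
        "signed_replay_from_other_machine": verify_device_token(token, "alice", attacker, now + 60),
        "signed_expired": verify_device_token(token, "alice", victim, now + 31 * 24 * 3600),
        "signed_forged_without_key": verify_device_token(forged, "alice", attacker, now + 60),
        "signed_tampered_tag": verify_device_token(tampered, "alice", victim, now + 60),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:36s} accepted={accepted}")
```

The naive cookie is accepted wherever it is replayed, which is the weakness McNelley describes. The signed token rejects forgery, tampering, expiry and replay from a machine whose attributes differ. It does not reject a token replayed from the infected machine itself, or by an attacker who replicates the observed attributes exactly: a cookie of any kind is still a bearer credential. That residual gap is what the layered controls the supplement calls for are meant to cover.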
One area of particular concern for McNelley is the FFIEC's apparent lack of guidance on the fast-growing mobile banking channel. Though online banking and mobile banking are different, mobile banking is fast catching up to online banking in functionality.
"It’s definitely its own thing, but from a threat perspective, the threats are very similar," McNelley says. "And as we have seen historically in fraud, the criminal element doesn’t discriminate between channels. They will go anywhere they can get funds."
A prevailing question that McNelley and others asked is why this guidance took so long.
"Overall I was disappointed that we waited six months for no substantial changes between the draft and the final," says Tom Hinkel, director of compliance for Alpharetta, Ga.-based Safe Systems.
Hinkel adds that many of his initial concerns with the original draft were not addressed in the final FFIEC guidance. He says that while the updated guidance addresses layered security in terms of detective and corrective controls, it ignores preventive controls.
"My big pet peeve about the piece on layered security is they didn’t understand that layered security controls should exist in all three categories," Hinkel adds.