Financial institutions urged to look beyond FFIEC rules

Computerworld - Financial institutions that truly want to bolster their online security need to look beyond the requirements of new strong authentication guidelines set to take effect Dec. 31, IT users and industry analysts said.

The guidelines are from the Federal Financial Institutions Examination Council (FFIEC) and call on banks and credit unions to implement strong authentication measures to protect online users against ID theft and other types of fraud. They also urge financial institutions to upgrade current single-factor authentication processes -- typically based on usernames and passwords -- with a stronger, second form of authentication. The guidelines are not required by law, but the FFIEC has said it will start auditing banks for compliance next year.

The guidelines have been successful in getting the financial industry to turn its attention to the issue of online security, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn. About two-thirds of the financial institutions in the U.S. are likely to have stronger authentication processes in place by the time the deadline passes, she said.

But because the focus is largely on front-end access controls -- and less on what happens at the transaction level -- the FFIEC guidance by itself is inadequate against emerging security threats, said Don Phan, an analyst at Javelin Strategy and Research in Pleasanton, Calif.

"We don't consider FFIEC guidance alone to be strong enough to make the consumer safer" against online security threats," he said. "Financial institutions must set their goals higher than FFIEC compliance."

Phan recommends using risk assessment and alerting measures both at the log-in stage and for real-time monitoring of an account holder's activities in-session. Such measures are needed to fight fraud that can result if hackers manage to compromise strong authentication processes during log-in, he said. Already, for instance, fraudsters have found a way to break the one-time passwords that some banks have begun using as a second form of user authentication, Phan said.

Similarly strong authentication measures, such as two-factor authentication, don't offer protection against so-called man-in-the-middle attacks where hackers are able to intercept and modify the traffic between two parties.

Strong authentication "certainly isn't a silver bullet," said Melissa Auchter, CIO at the Parda Federal Credit Union, an 18,000-member financial institution in Rochester, Mich. "It just protects one doorway. It's one more measure in a whole comprehensive approach to protecting" data assets, she said.

Parda has just finished rolling out a multifactor authentication product from Issaquah, Wash.-based BioPassword Inc. that combines users' standard log-in credentials with information about their keyboard typing rhythm to authenticate users to their accounts. The tool meets FFIEC's strong authentication requirement, but it is only part of a layered defense that includes transaction-level fraud monitoring, Auchter said.