Financial institutions urged to look beyond FFIEC rules
The University of Wisconsin Credit Union in Madison has for the past year used technology from Corillian Corp. to authenticate users during log-in and, to a limited extent, at the transaction stage. Corillian's technology lets the credit union profile users' systems and their online behavior and then challenges them to provide extra proof of identity if there is a change from the norm. Looking ahead, the credit union plans to complement those measures with a stronger out-of-band process, where automated phone calls will be made to account holders to authenticate their identity if there's reason to doubt it, said Eric Bangerter, the credit union's director of Internet services.
The move is necessary because phishers have begun to figure out how to compromise most challenge/response forms of strong authentication, he said. "Eventually, I would like to eliminate the challenge questions completely because they don't add much to security" beyond what is offered by passwords, Bangerter said.
FFIEC's guidance is mostly aimed at dealing with current threats such as phishing, said Chad Graves, vice president of IT at the Ent Federal Credit Union in Colorado Springs. Since Oct. 1, the credit union has required its 18,000 members to use a multifactor authentication process based on technology from Hillsboro, Ore.-based Corillian.
Based on a risk assessment, there appears to be no immediate need to extend that sort of authentication to the transaction level, Graves said. "Right now, our highest risk at the transaction level is an outbound bill pay," he said. But in the future, if the credit union decides to implement electronic clearinghouse or wire transfer transactions, it will consider transaction controls.
Financial institutions will also need to pay close attention to securing their phone-based transactions said Gwenn Bezard, research director at the Aite Group, a Boston-based consultancy focused on technology issues in the financial industry. "The way banks authenticate customers through the phone is weak," Bezard said. "Fraudsters will soon start finding it more difficult to compromise online channels, so they will migrate to the phone channel where the defenses are weaker and the opportunities for social engineering are greater," he said.
Such threats have not become a big issue yet in the financial industry, so there may be a tendency to see FFIEC's guidelines as adequate, Bezard said. "But is it going to be adequate in 12 months, or 18 months? Fraudsters adapt pretty quickly, so they will find new ways to attack. So sooner rather than later, these measures are going to become obsolete."
Read more about Security in Computerworld's Security Topic Center.
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!