Banks may soon require new online authentication steps
The Federal Financial Institutions Examination Council is believed to be set to issue new guidelines for transactions
Computerworld - The Federal Financial Institutions Examination Council (FFIEC) could soon release new guidelines for banks to use when authenticating users for online banking transactions.
The new guidelines will clarify the FFIEC's existing guidelines on the subject and more explicitly inform banks about what they need to do to bolster online authentication, said Avivah Litan, an analyst at Gartner.
Litan and others recently met with the FFIEC's IT subcommittee to discuss the updates. "They have been talking about it and debating it for a while," Litan said. "My understanding is that [the subcommittee meeting] was the last step in the process before they issue the new guidance."
The FFIEC is an interagency council that develops standards for the federal auditing of financial institutions by bodies such as the Federal Reserve System and the Federal Deposit Insurance Corp. (FDIC).
In 2005, it issued a set of guidelines, titled "Authentication in an Internet Banking Environment." They called on banks to upgrade their single-factor authentication processes -- typically based on user name and passwords -- with a stronger, second form of authentication by the end of 2006.
The guidance left it largely up to the banks to choose whichever second form of authentication they felt was most appropriate for their needs. The FFIEC listed several available authentication technologies that banks could choose from, including biometrics, one-time passwords and token-based authentication.
Since the guidelines were issued, many banks have added a second authentication layer for users when conducting certain kinds of online transactions. However, in many cases, the added measures have been largely cosmetic in nature and have done little to bolster authentication in the way the FFIEC had originally intended, Litan said.
"Obviously, some of the banks thought that it was enough if they simply added cookies or challenge/response-based authentication," Litan said. "What has happened is that the FFIEC has realized that some banks need to be told in black and white what they need to do."
The FFIEC did not immediately respond to Computerworld's requests for clarification on the purported release of the new guidelines.
News of the proposed revisions comes amid growing concerns about the ability of cyber criminals to circumvent the existing authentication mechanisms used by banks for online transactions.
Over the past two years there has been a string of attacks, mostly against small and medium businesses, by cyber criminals using stolen banking credentials to plunder corporate accounts.
Such account takeovers have cost U.S. businesses more than $100 million since 2008, according to the FBI.
Organizations such as NACHA, the Electronic Payments Association, have warned financial institutions about such attacks and said that many have resulted from the relative lack of strong authentication procedures, transaction controls and "red flag" reporting capabilities.
Such attacks have also highlighted the need for banks to install stronger transaction monitoring controls and fraud alerting systems, analysts have said in the past. It's unclear, though, whether the upcoming FFIEC guidelines will call for such controls.
Gartner, too, has warned that authentication measures such as one-time passwords and phone-based user authentication, once considered among the most robust forms of security, are increasingly being circumvented by cyber criminals.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan.