FFIEC releases Internet banking authentication reforms

Jul 07, 2011 Brian Bradley

In an amendment to its 2005 guidelines, the Federal Financial Institutions Examination Council recently released a 12-page updated supplement that addresses identity authentication issues that have cropped up in internet banking in recent years. The document primarily addresses social media, malware and other security issues, and gives financial institutions a seven-month window to comply with the changes. "The agencies are concerned that customer-authentication methods and controls implemented in conformance with the guidance several years ago have become less effective," the 12-page document says, as quoted by Digital Transactions.

One of the many issues the amendment touches upon is the way some financial institutions use cookies, small data files loaded onto a customer's PC or laptop, to confirm the customer's identity during an online session. The supplement notes that cookies can be easily copied and moved to another PC used by an identity thief, allowing the thief to impersonate a legitimate customer. Furthermore, the rise of social media platforms such as Facebook has made personal information available for anyone to see, reducing the effectiveness of challenge questions such as a user's high school, year of graduation or mother's maiden name. "These questions can often be easily answered by an impostor who knows the customer or has used an internet search engine to get information about the customer," according to the supplement. To counter this, the guidelines indicate that banks must integrate more sophisticated "out-of-wallet" questions whose answers can't readily be found on social media sites.

EWeek adds that the document calls for a more "layered" approach to customer security, and that it applies to both large institutions and smaller community banks. "Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high-risk transactions," said an FFIEC spokesperson, quoted by the news source. Such layered approaches include implementing fraud detection and monitoring systems to catch suspicious activity, requiring multiple employees to sign off on and authorize a transaction, or requiring customers to create a list of approved payees.

Digital Transactions points out that mobile banking, an increasingly popular form of internet banking, was left out of the report. The lack of guidance about the mobile channel is what Julie Conroy McNelley of Boston-based Aite Group called a "glaring omission." Conroy McNelley tells the news source that she suspects addressing the topic of mobile banking might have been too big of a topic for the FFIEC to handle while it was focused on its internet banking authentication initiative.
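The layered approach described above, as an added illustration that is not code from the article, the FFIEC or any bank: a transfer-authorization check that treats the device cookie, the customer's approved-payee list, the customer's history and a dual-approval threshold as separate signals, so a copied cookie on its own never authorizes a high-risk transfer. The thresholds, field names and the step-up/hold outcomes are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Policy values are assumed for illustration; the FFIEC supplement sets no numbers.
DUAL_APPROVAL_AMOUNT = 10_000.00   # amount at which a second employee must sign off
VELOCITY_LIMIT = 5                 # transfers per day before the channel is flagged


@dataclass
class Customer:
    approved_payees: frozenset      # payee list the customer registered in advance
    enrolled_devices: frozenset     # server-side record of device tokens issued to this customer
    usual_max_amount: float         # largest transfer seen in the customer's history
    transfers_today: int


@dataclass
class Transfer:
    payee: str
    amount: float
    device_token: Optional[str]     # value read from the session cookie, if the browser sent one


def risk_flags(t: Transfer, c: Customer) -> List[str]:
    """Each control contributes one signal; none of them is decisive on its own."""
    flags = []
    # A cookie can be copied to another machine, so a matching token only keeps the
    # score low; a missing or unknown token raises it but is not treated as proof.
    if t.device_token is None or t.device_token not in c.enrolled_devices:
        flags.append("unrecognised device")
    if t.payee not in c.approved_payees:
        flags.append("payee not on approved list")
    if t.amount > 3 * c.usual_max_amount:
        flags.append("amount far above customer history")
    if c.transfers_today >= VELOCITY_LIMIT:
        flags.append("transfer velocity exceeded")
    return flags


def decide(t: Transfer, c: Customer) -> str:
    """Map the layered signals to an outcome: allow, step_up, or hold."""
    flags = risk_flags(t, c)
    if t.amount >= DUAL_APPROVAL_AMOUNT:
        return "hold"        # dual authorization is mandatory regardless of other signals
    if len(flags) >= 2:
        return "hold"        # several independent controls disagree with the customer's pattern
    if flags:
        return "step_up"     # one anomaly: ask for an additional authentication factor
    return "allow"
```

A recognised cookie with an unapproved payee and an unusual amount still lands in "hold", which is the point of layering: the copied cookie buys an impostor nothing by itself.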