Breaking down the updated FFIEC guidance
The Federal Financial Institutions Examination Council (FFIEC) recently issued an update to its 2005 guidance titled, "Authentication in an Internet Banking Environment."
The FFIEC guidance defines a recommended framework for evaluating risk and for applying authentication systems and practices. The much-anticipated update introduces the concept of layered security and provides an updated view of authentication technologies in light of today's threat landscape.
The threat landscape has changed dramatically over the last several years, and as a result, the customer authentication methods implemented following the 2005 guidance may no longer be effective. In addition, some institutions have failed to update their control mechanisms to keep pace with evolving best practices.
The updated guidance treats retail/consumer banking as posing lower risk than business/commercial banking, where the attacker's payoff from a compromised account is larger. Layered security is required for both, however.
Layered security is expected to address the following two elements, at a minimum:
- Controls that detect and respond to suspicious activity, both at initial login and when electronic funds transfers are initiated.
- Enhanced controls over administrative functions, such as user setup, application configuration and the setting of limits, since these are the functions an attacker uses to add payees and raise thresholds before moving money.
The guidance also recommends layering multiple security controls. Each additional measure materially increases the level of difficulty for an attacker. A list of effective controls is provided, which includes out-of-band transaction verification, along with fraud detection systems and transaction limits.
This list is not meant to be comprehensive, but it reflects the methods that provide the greatest level of security and against which other controls will be measured.
What is perhaps most important about this list is which technologies are missing: one-time passwords, challenge questions and device identification, all of which have proven vulnerable to attack.
More specific recommendations related to customer awareness and educational programs include an explanation of the level of protection provided by Regulation E; when and by what means an institution might request a customer's electronic banking credentials; recommendations regarding the customer's own risk assessment; and additional controls.
An overview of threats and compensating controls is presented in the appendix to the guidance.
Keyloggers and man-in-the-middle (MITM) or man-in-the-browser (MITB) attacks were highlighted as threats, with the latter being used to circumvent some strong authentication methods, such as one-time password (OTP) tokens.
The update also points out that out-of-band authentication has taken on a new level of importance given the prevalence of malware on customer PCs, which can defeat OTP tokens, device identification, challenge questions and many other forms of strong authentication. In particular, closed-loop methods that complete the authentication in the out-of-band channel are seen as offering a greater level of security: the customer confirms the transaction details on the second channel, and nothing that the compromised browser can capture or replay is sufficient to approve it.
The document also looks forward to emerging security controls, such as biometrics, and to process innovations, which include volume and value limitation parameters, monitoring of exception events, proactive notice of intent to originate, and dual controls for higher-risk functions.
Financial institutions whose primary focus to date has been on session authentication will need to expand the scope of their security measures to also include funds transfers and administrative functions. A high level of importance has been placed on identifying suspicious transactions. To minimize the impact on customers, this must be coupled with an easy and effective means for them to approve legitimate transactions.
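The following Python example, added here to illustrate the controls discussed above and not taken from the FFIEC document or any vendor product, puts the layers together: risk scoring at login and at transfer initiation, value limits, dual control over an administrative change, and a closed-loop out-of-band approval that is bound to the transaction details the bank actually received. The thresholds, signal weights, device key and sample scenario are assumptions chosen for the demonstration. The contrast function at the end shows why an OTP delivered out of band but typed into the browser does not protect against a man-in-the-browser that rewrites the payee and amount.

```python
"""Layered controls for online funds transfers: login and transfer risk
scoring, value limits, dual control for administrative changes, and a
closed-loop out-of-band approval bound to the transaction details.
Thresholds, weights and the scenario are assumptions for this demo."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SINGLE_TRANSFER_LIMIT = 10_000   # assumed per-transfer value limit
DAILY_VALUE_LIMIT = 25_000       # assumed cumulative daily value limit
STEP_UP_THRESHOLD = 50           # assumed score at which step-up is required


@dataclass
class Account:
    known_devices: set
    home_geo: str
    payees: set
    transferred_today: int = 0


def login_risk(device_id, geo, account):
    """Layer 1: score the login from device and geography signals."""
    score, reasons = 0, []
    if device_id not in account.known_devices:
        score, reasons = score + 30, reasons + ["unrecognised device"]
    if geo != account.home_geo:
        score, reasons = score + 30, reasons + ["geography differs from profile"]
    return score, reasons


def transfer_risk(payee, amount, account):
    """Layer 2: score a funds transfer against payee history and limits."""
    score, reasons = 0, []
    if payee not in account.payees:
        score, reasons = score + 40, reasons + ["new payee"]
    if amount > SINGLE_TRANSFER_LIMIT:
        score, reasons = score + 40, reasons + ["over single-transfer limit"]
    if account.transferred_today + amount > DAILY_VALUE_LIMIT:
        score, reasons = score + 60, reasons + ["would exceed daily value limit"]
    return score, reasons


def admin_change_allowed(requester, approver):
    """Layer 3: dual control; user-setup changes need a distinct approver."""
    return approver is not None and approver != requester


def canonical(payee, amount, nonce):
    """Fixed encoding of exactly what the customer is asked to approve."""
    return f"{nonce.hex()}|{payee}|{amount}".encode()


class PhoneApp:
    """Registered out-of-band device with a per-device key (assumed to be
    provisioned at enrolment). It shows the details the bank received and
    signs those details only if they match what the customer intended."""

    def __init__(self, key, intended):
        self.key, self.intended = key, intended   # intended = (payee, amount)

    def respond(self, payee, amount, nonce):
        if (payee, amount) != self.intended:      # customer sees the mismatch
            return None
        return hmac.new(self.key, canonical(payee, amount, nonce),
                        hashlib.sha256).digest()


def closed_loop_approve(bank_key, phone, payee, amount):
    """Bank sends the received details plus a fresh nonce to the phone and
    accepts only a MAC over those same details. The approval never passes
    through the browser, so a MITB cannot alter or reuse it."""
    nonce = secrets.token_bytes(16)
    tag = phone.respond(payee, amount, nonce)
    if tag is None:
        return False
    expected = hmac.new(bank_key, canonical(payee, amount, nonce),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def oob_otp_approve(issued_otp, submitted_otp):
    """For contrast: an OTP delivered out of band but typed into the browser
    carries no transaction details, so a MITB that rewrites the payee and
    amount after the customer types it is still approved."""
    return hmac.compare_digest(issued_otp, submitted_otp)


def demo():
    # Constructed scenario: customer meant to pay Alice 500 from a known
    # device; malware in the browser submits Mallory/12,000 from a new device.
    acct = Account(known_devices={"dev-A"}, home_geo="US", payees={"Alice"})
    r = {}
    r["login_score"] = login_risk("dev-Z", "RO", acct)[0]
    r["login_step_up"] = r["login_score"] >= STEP_UP_THRESHOLD
    r["transfer_score"] = transfer_risk("Mallory", 12_000, acct)[0]
    r["transfer_step_up"] = r["transfer_score"] >= STEP_UP_THRESHOLD
    r["admin_self_approve"] = admin_change_allowed("ops1", "ops1")
    r["admin_dual"] = admin_change_allowed("ops1", "ops2")
    key = secrets.token_bytes(32)
    phone = PhoneApp(key, intended=("Alice", 500))
    otp = secrets.token_hex(3)
    r["otp_scheme_mitb"] = oob_otp_approve(otp, otp)                       # fraud passes
    r["closed_loop_mitb"] = closed_loop_approve(key, phone, "Mallory", 12_000)
    r["closed_loop_legit"] = closed_loop_approve(key, phone, "Alice", 500)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The scoring weights are deliberately crude; the point is that the login layer, the transfer layer and the approval layer each see the fraudulent transfer independently, and that the closed-loop approval fails even though the customer is cooperative, because the details shown on the phone are the ones the bank received, not the ones the customer typed.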
For many, this will involve migrating away from OTP tokens, which have proven vulnerable to attack, and even from some forms of seemingly out-of-band authentication that deliver an OTP via a second channel but still have the customer enter it into the compromised browser.
Instead, financial institutions will need to look to methods that can verify logins, transactions and administrative functions, and that offer protection from keyloggers and MITM/MITB attacks by completing the verification outside the browser.