FFIEC guidelines fall short of protecting the online consumer
The incidence of ID theft is not new; but in today's world of online commerce and online banking, its implications are increasingly felt by victims who find that an inadvertent click on an enticing email can lead to the loss of their bank savings.
Because of the sharp rise in online identity fraud, the FFIEC (Federal Financial Institutions Examination Council) representing several federal organizations including the FDIC and Federal Reserve, issued a guidance in October 2005 urging financial institutions to tighten the security of online access. In particular, the guidance said that simple authentication methods like username and password may not provide sufficient protection for internet-based financial services.
Having acknowledged the limitation of existing authentication schemes, FFIEC guidance indicated that the regulators expected financial institutions to adopt a multi-pronged approach to improving online security. Furthermore, financial institutions must have achieved compliance no later than December 2006. The approach suggested by the FFIEC guidance effectively required three steps – (1) a self assessment by the financial institutions to evaluate the risk associated with various products and services available to on-line customers, (2) implementation of an effective authentication strategy in relation to the assessed risk, and (3) a customer education and awareness program that would deter online theft of assets and sensitive information.
The FFIEC guidance is a well meaning and significant step by regulators to address the growing concern over ID theft and fraud and its impact on the adoption of the online channel. More importantly, it has raised the authentication bar beyond username and password and is moving the industry in the right direction. But the guidance is not enough to address the underlying problem or solve the issue of ID theft. Financial institutions (notably banks) and vendors have rushed to devise solutions that would help them achieve at least some level of compliance in the timeframes provided by the guidance. But compliance, in this case, does not translate directly into a carefree environment for the consumer.
The FFIEC guidance offers no direct protection for the consumer, who is often the main victim of ID theft. Unlike earlier FDIC and FTC regulations (the Electronic Fund Transfer Act and the Fair Credit Billing Act) that capped the consumer's liability in the event of a stolen credit or debit card, the FFIEC guidance does not directly limit the consumer's liability in the event of an ID theft. Consumers who fall prey to a phishing attack gain no new legal protection against fraudulent transactions on their bank accounts. The guidance only directs the financial institutions to improve their online portals.
At this point, the FFIEC does not measure the effectiveness of any solution the financial institutions deploy in compliance with this guidance. The guidelines do not mandate targets for reducing either the number of attacks themselves or the effectiveness of the solutions in thwarting the attacks. Without a metric to define success, financial institutions have chosen a variety of solutions that are some combination of improved site authentication, risk-based authentication, and strong authentication. The goal of improved site authentication is to provide a way for consumers to know that they are at the official bank site and not a fraudulent site. It has the advantage of raising the awareness of the consumer and making them feel more confident that their bank is trying to protect them.
The downside, though, is that this method does little to prevent phishing. Risk-based authentication, or fraud detection, is used to increase the probability that the person logging into the account is authentic. The bank evaluates each access to the consumer's online account to determine whether it is out of the ordinary for that user – logging in from a kiosk instead of a home computer, logging in from a foreign location, logging in at an abnormal time or performing an unusual action. If the access is not typical, the bank performs additional checks, such as calling the user on a known number to confirm that he or she is actually online. This method helps protect the consumer "behind the scenes", with the advantage that most of the time the consumer does not have to do anything different from what they have always done. Of course, it does not help educate them on the potential security issues involved in online access. Some banks have implemented stronger authentication – using a software or hardware token in addition to the username and password to log into the online banking portal.
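The risk-based check described above can be made concrete with a small scorer. The following is an added illustration, not code from the article or from Arcot Systems: it assumes a per-user baseline (known devices, usual countries, usual hours, usual actions), assigns hypothetical weights to each deviation, and maps the total to allow, step-up (an out-of-band check such as a call to a known number) or deny. The profile, weights, thresholds and login events are all constructed sample data.

```python
"""Toy risk-based login scorer (hypothetical example, constructed data).

Each access is compared against the user's baseline; every out-of-pattern
signal adds to a risk score, and the score decides whether the login is
allowed, stepped up to an extra verification, or denied.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LoginEvent:
    user: str
    device_id: str
    country: str
    hour: int          # local hour of day, 0..23
    action: str        # what the session is trying to do


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 23)
    usual_actions: set = field(default_factory=set)


# Constructed baseline. In a real deployment this is learned from login history.
PROFILES = {
    "alice": UserProfile(
        known_devices={"home-pc-1", "phone-7"},
        usual_countries={"US"},
        usual_hours=range(7, 23),
        usual_actions={"view_balance", "pay_bill"},
    )
}

# Assumed weights: how much each signal raises suspicion (illustrative only).
WEIGHTS = {
    "unknown_device": 30,    # kiosk instead of the home computer
    "foreign_location": 40,  # login from an unusual country
    "odd_hour": 15,          # login at an abnormal time
    "unusual_action": 35,    # e.g. a wire transfer from a user who only pays bills
}

STEP_UP_THRESHOLD = 40   # ask for an out-of-band check (e.g. call a known number)
DENY_THRESHOLD = 90      # too far from the baseline to proceed online at all


def score_event(event: LoginEvent, profile: UserProfile):
    """Return (score, reasons): which signals fired and their summed weight."""
    reasons = []
    if event.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if event.country not in profile.usual_countries:
        reasons.append("foreign_location")
    if event.hour not in profile.usual_hours:
        reasons.append("odd_hour")
    if event.action not in profile.usual_actions:
        reasons.append("unusual_action")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(event: LoginEvent) -> dict:
    """Map an event to allow / step_up / deny with the score and reasons."""
    profile = PROFILES.get(event.user)
    if profile is None:
        # No history at all: nothing to compare against, so verify out of band.
        return {"decision": "step_up", "score": STEP_UP_THRESHOLD,
                "reasons": ["no_profile"]}
    score, reasons = score_event(event, profile)
    if score >= DENY_THRESHOLD:
        decision = "deny"
    elif score >= STEP_UP_THRESHOLD:
        decision = "step_up"
    else:
        decision = "allow"
    return {"decision": decision, "score": score, "reasons": reasons}


# Constructed sample accesses for the user "alice".
SAMPLE_EVENTS = [
    LoginEvent("alice", "home-pc-1", "US", 10, "view_balance"),   # normal
    LoginEvent("alice", "kiosk-42", "US", 10, "view_balance"),    # new device only
    LoginEvent("alice", "home-pc-1", "FR", 10, "pay_bill"),       # known device, abroad
    LoginEvent("alice", "kiosk-42", "RO", 3, "wire_transfer"),    # everything unusual
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.device_id, ev.country, ev.hour, ev.action, "->", decide(ev))
```

Note what the scorer cannot see: an access from a known device, from the usual country, at a usual hour, doing a usual action scores zero, which is exactly the case the article raises later of a fraudster who has temporary access to the victim's own computer or phone.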
All of these solutions improve the situation. However, these improvements may only be temporary. Without a requirement to continuously measure the effectiveness of these solutions and achieve fraud reduction targets, some of these solutions will soon be countered by more sophisticated attacks.
Once their solution is implemented, some banks are already finding that the nature of the attacks is changing based on the type of authentication method deployed. Hackers are coming up with ways to work around the checks that banks are adopting. As a matter of fact, man-in-the-middle attacks, which are harder for the consumer to detect, became more prevalent when the first set of simple solutions was widely deployed. Fraudsters have also improved the quality of their spoofed sites to make them indistinguishable from the real site, or have cleverly adopted the same warnings and challenges the real sites use to make themselves look more believable.
The FFIEC guidance does not make identifying or targeting the fraudsters any easier than it was before. ID theft is not the monopoly of any single criminal group or region in the world. ID theft attacks are launched as easily by a foreign band of technically savvy cyber-criminals as they are by unhappy and disgruntled exes, friends or relatives who are privy to your personal information and have easy access to your mail box. Simple solutions like posing an additional personal question (for example, mother's maiden name) or checking that you are logging in from your usual computer are easily defeated when the fraudster knows you well or has temporary access to your computer or cell phone.
The FFIEC guidance has served well in raising awareness among the financial institutions that they cannot be lax in the design and deployment of their online portals. Although initially targeted at banks, it is widely expected that similar guidance will be extended to cover virtually all financial and related services – including brokerage, insurance, securities, 401(k) and similar accounts. Combined with the enhanced security requirements that the payment industry (Visa, MasterCard, etc.) has imposed on all merchants and processors to secure card and personal information, this is leading to a new higher security standard for all financial transactions and personal data. This higher standard leads to improved authentication of all online access to financial accounts and personal data, better technology for data retention and more secure communication methods – whether emails, monthly statements or notices.
The cat and mouse game between the fraudsters and security solution providers is hardly over. The new set of security standards will lead to a period of lowered fraud before the fraudsters devise yet another scheme to attack other vulnerabilities. While a large number of users will learn and adopt best practices for going online, some users will be overwhelmed by the reports about identity theft and simply not go online – not use online banking, not shop online and not receive or submit any personal data online.
The FFIEC, FDIC and similar agencies can help convert these users through regulations that limit users' liability and offer them a definite path to help regain their lost identities. Unlike a stolen credit card that can be cancelled, a Social Security number, mother's maiden name or birth date that is lost cannot be cancelled or changed. And every individual should make sure to protect this information as best as they can.
Yes, brother, thou art only as safe as you work on protecting yourself.
- R. 'Doc' Vaidhyanathan, vice president of product management, Arcot Systems