Network Security, Vulnerability Management

FFIEC guidance addresses corporate account takeover

The long-awaited update to the Federal Financial Institutions Examination Council (FFIEC) guidelines around authentication has been released.

As expected, the supplement specifically speaks to the widespread scourge of corporate bank account takeovers. Over the last several years, U.S. organizations, mostly of the small and midsize variety, have lost hundreds of millions of dollars because their accounts were hijacked by adversaries to steal funds by initiating fraudulent ACH transactions or wire transfers.

The guidance directs financial institutions conducting "high-risk transactions" to implement a layered security approach to mitigate the threat.

"Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control," the supplement says.

Options include implementing fraud detection and monitoring systems to flag suspicious transactions; dual customer authorization, meaning two employees have to sign off on a transaction before it can be completed; out-of-band verification, in which the bank directly asks the customer if they OK the transaction, and "positive pay," a process by which customers send banks an approved list of payees.

"Airport security very rapidly evolved after 9/11," said Tim Sutton, CEO of PhoneFactor, which makes technology that verifies transactions through automated phone calls. "We expect the same transformation to occur with online banking. In a relatively short period of time, we will no longer be able to bank online by simply entering a username and password."

Avivah Litan, vice president and distinguished analyst, said she believes the amended guidelines will go a long way to educating banks that no single method can be relied upon.

"If everyone implemented it today, I really do think it would prevent most of the fraud in the online channel," she told on Wednesday. "If you really use the layered security approach and stay progressive, you can keep most of the hackers out. Most don't have the capabilities to get through all of those layers."

In addition, the guidance pokes holes in some of the commonly relied-upon multifactor authentication techniques, such as challenge questions and device identification, which can do little to stop an attacker who performs some simple internet searching or uses advanced malware to take control of a victim's browser.

Meanwhile, the guidance also instructs banks to institute user awareness programs for both consumers and business customers. In almost all cases of corporate bank account takeover, the attackers do not infiltrate the bank's network, but instead target the individual business.

MORE: Read how the attacks happen

What is Congress doing?

When the FFIEC, in 2005, released the original report, "Authentication in an Internet Banking Environment," phishing was the bane of the internet. To curb this threat, the guidelines mandated that banks adopt multifactor authentication.

Nowadays, while phishing remains a problem, commercial account takeover has become the No. 1 fraud concern of banks, Litan said.

Doug Johnson, vice president of risk management policy at the American Bankers Association, which represents institutions that hold about 95 percent of the nation's banking assets, said many of its largest members already should have the recommended controls in place.

The smaller, community banks are the ones that will have to implement the most change, as will the third-party providers that many banks rely on to host their online portals, Johnson said.

But he said he hasn't heard much complaining, and members were pleased to see the guidance move away from a focus on two-factor authentication -- as was contained in the draft -- to a concentration in the final version on more cost-friendly, and possibly more effective, controls.

"I haven't heard a substantial amount of consternation about the January (1st) 2012 deadline," Johnson told "We tend to love the bells and whistles, when sometimes the standard blocking and tackling can actually save the day."

Julie McNelley, senior fraud and risk analyst at the Aite Group in Boston, said it is helpful when the guidance does not recommend specific solutions or a one-size-fits-all approach.

"If you say you have to deploy X, Y and Z technologies, you're giving the attackers a road map of defenses to breach," she told

Still, experts interviewed said the guidance failed to address other areas within the banking environment that could see upticks in fraud, including call centers and mobile devices.

"Hopefully we don't have to wait six years for these to get updated again," McNelley said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.