SafeNet

At Last: New Guidelines for Online Banking Authentication

You can call it symbolic, but the first bars of Etta James’ “At Last” started to play on the radio when I ran into the FFIEC announcement on their long awaited update to the Internet Banking Authentication Guidelines. At last — a fresh look at info-security guidelines, regulations, and best practices in the wake of all of the recent attacks and breaches.

In its “Supplement to Authentication in an Internet Banking Environment” the FFIEC addressed two important issues. First, the idea that not all customers were created equal: different customers bank differently, have different risk profiles, and thus need different risk mitigation tools.

The second interesting idea is the understanding that a good security strategy should be based on a multi-layered approach. So if hackers manage to find vulnerabilities in one of the authentication methods, there are, in most cases, other methods that will continue to authenticate or protect customers.

On the less positive side, the FFIEC guidelines do not provide any good risk mitigation options for Man-in-the-Browser (MitB) attacks. MitB is best fought with Out-of-Band transaction security solutions, but the FFIEC’s revised regulations do not mention this at all.

Moreover, it seems that the updated regulation does not offer real detailed guidelines, but rather talks about concepts in general. I guess that bankers and their CISOs who are looking for definitive direction on how to comply with the regulation are not going to get a good answer.

It also seems that the new FFIEC document targets the market and threat landscape of 2 – 3 years ago and has not caught up to the environment in 2011.

I would recommend that the FFIEC build guidelines that focus on how companies respond to evolving threats instead of trying to solve yesterday’s problems. And companies should look for security and authentication solutions that can not only ensure compliance with guidelines like these, but also evolve and react to today’s complex and changing threat environment.

This entry was posted in Authentication, Compliance by Motty Alon.