
FFIEC releases banking authentication guidance

Wednesday, June 29, 2011

The Federal Financial Institutions Examination Council released new guidance for financial institutions on authenticating customers to online accounts. The council first released guidance in 2005, recommending a risk-based approach and telling institutions to provide periodic assessments in response to new threats.

The latest report reinforces those expectations. “Financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks,” the supplement states. “It establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution’s customer awareness and education program.”


It was 2005 that saw financial institutions begin to use different authentication mechanisms, such as pictures to reinforce that a customer was on the correct Web site, or requiring that a secure cookie be present on a computer before enabling a login.

The new guidance recognizes the emergence of malware and new, more sophisticated man-in-the-middle and man-in-the-browser attacks. Because these attacks can circumvent one-time passcode tokens, the report recommends anti-malware software, transaction monitoring, out-of-band authentication and secure USB devices.

Lacking from the report is any guidance on how financial institutions should do authentication on mobile devices.

The guidance can be downloaded here.

Internet fraud prevention and authentication provider TeleSign has teamed up with Intel Corp. for a secure two-factor authentication product targeted to consumers and enterprises.

The collaboration pairs Intel Identity Protection Technology (Intel IPT) with TeleSign Two-Factor Authentication so that it can be offered beyond Intel Ultrabook devices and the third generation of Intel Core vPro-powered laptops.


ActivIdentity has added a fraud detection service and authentication capabilities to its 4TRESS Authentication Appliance. Targeted to the banking industry, 4TRESS offers multi-layered strong authentication for both network and cloud services.


CSC has partnered with identity authentication technology and services provider Daon to produce a biometric multifactor authentication service for the banking industry. The product, called ConfidentID Mobile, provides in-band and out-of-band identity authentication for transactions in multiple channels, including online and mobile.


BNC National Bank, a national bank serving customers in North Dakota, Arizona and Minnesota, is offering its commercial customers IronKey Trusted Access to improve online security and help protect customers from cyber thieves targeting online banking users of ACH and wire transfer services.
