As alluded to in last week’s blog entry, banking security needs vast improvement. As a sign that the government is beginning to understand this, the FFIEC announced today, in a press release, a supplement to the “Authentication in an Internet Banking Environment” guidance. The new supplement attempts to establish minimum control expectations for online banking activities and offers some insight by discussing which controls are effective against today’s online threats and which ones are not.
The key theme for the entire guidance? Layered security. Basically, layered security uses different types of controls at different points in a transaction process, so that a single failed control does not let a fraudulent transaction through. It’s analogous to having locks on the doors of your house to provide general protection against break-ins, but then having a safe inside your house to protect the really valuable assets.
Among the key highlights, the new supplement gets right to the meat by identifying, in concise and plainly worded language, the types of controls that should be considered when building an effective layered security program:
- fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
- the use of dual customer authorization through different access devices;
- the use of out-of-band verification for transactions;
- the use of “positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account;
- enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times);
- internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities;
- policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud;
- enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels; and
- enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.
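To show how several of the controls on that list combine into one layered decision, here is an added example in Python. It is not code from the original post, from the FFIEC, or from any Entrust product: the policy numbers, the IP reputation list, the account history and the sample payments are all constructed, and the decision tiers (allow, require out-of-band verification, hold for dual authorization or review, block) are an assumed design. Each layer runs independently and records its own reason, and the strictest layer decides, which is the point of layering: the IP reputation check, the recipient list, the payment window, the daily count, the value threshold and the customer-behaviour baseline each catch something the others would miss.

```python
"""Added example (not from the original post or the FFIEC supplement): a toy
layered-control evaluator for online payments. Every policy value, IP address,
history record and transaction below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean


@dataclass
class Transaction:
    account: str
    amount: float                       # constructed currency units
    recipient: str
    source_ip: str
    when: datetime
    approvers: frozenset = frozenset()  # user ids that approved it (dual authorization)
    oob_verified: bool = False          # out-of-band confirmation completed by the customer


@dataclass
class AccountPolicy:
    value_threshold: float        # above this, out-of-band verification is required
    dual_auth_threshold: float    # above this, two distinct approvers are required
    daily_limit: int              # maximum payments per calendar day
    allowed_recipients: set       # "positive pay" style approved recipient list
    window_days: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon-Fri
    window_hours: range = range(8, 18)                                 # 08:00-17:59


# Constructed IP reputation blocklist; a real deployment would consume a feed.
BAD_IPS = {"198.51.100.23"}

# Decision tiers, ordered from least to most restrictive (assumed design).
DECISIONS = ("ALLOW", "VERIFY", "HOLD", "BLOCK")


def evaluate(txn, policy, history):
    """Return (decision, reasons) for one transaction.

    Each layer is evaluated on its own and appends a reason; the strictest
    layer that fired determines the decision. `history` holds the account's
    prior transactions and feeds the per-day count and behaviour checks.
    """
    reasons = []
    severity = 0  # index into DECISIONS

    def escalate(level, why):
        nonlocal severity
        severity = max(severity, level)
        reasons.append(why)

    # Layer 1: IP reputation. Known-bad source addresses are blocked outright.
    if txn.source_ip in BAD_IPS:
        escalate(3, f"source IP {txn.source_ip} is on the reputation blocklist")
    # Layer 2: positive pay / approved recipient list.
    if txn.recipient not in policy.allowed_recipients:
        escalate(2, f"recipient {txn.recipient!r} is not on the approved list")
    # Layer 3: allowable payment window (day of week and hour).
    if txn.when.weekday() not in policy.window_days or txn.when.hour not in policy.window_hours:
        escalate(2, f"outside the payment window at {txn.when:%a %H:%M}")
    # Layer 4: number of transactions allowed per day.
    same_day = [h for h in history if h.when.date() == txn.when.date()]
    if len(same_day) + 1 > policy.daily_limit:
        escalate(2, f"daily limit of {policy.daily_limit} payments exceeded")
    # Layer 5: value threshold, satisfied by out-of-band verification.
    if txn.amount > policy.value_threshold and not txn.oob_verified:
        escalate(1, f"amount {txn.amount:.2f} exceeds {policy.value_threshold:.2f}; "
                    "out-of-band verification required")
    # Layer 6: dual customer authorization for large payments.
    if txn.amount > policy.dual_auth_threshold and len(txn.approvers) < 2:
        escalate(2, "dual authorization required for this amount")
    # Layer 7: customer history and behaviour. Flag amounts far above the norm.
    if history:
        baseline = mean(h.amount for h in history)
        if txn.amount > 5 * baseline:
            escalate(1, f"amount is {txn.amount / baseline:.1f}x the account's average")
    return DECISIONS[severity], reasons


# Constructed policy and history: routine weekday payroll payments.
POLICY = AccountPolicy(value_threshold=5000, dual_auth_threshold=20000, daily_limit=2,
                       allowed_recipients={"ACME Supplies", "Payroll Trust"})
HISTORY = [
    Transaction("A1", 1200.0, "Payroll Trust", "203.0.113.5", datetime(2011, 6, 20, 9, 0)),
    Transaction("A1", 1200.0, "Payroll Trust", "203.0.113.5", datetime(2011, 6, 20, 11, 0)),
    Transaction("A1", 1200.0, "Payroll Trust", "203.0.113.5", datetime(2011, 6, 21, 10, 0)),
]

# Constructed sample payments, one per control the example is meant to exercise.
SAMPLES = {
    "routine":      Transaction("A1", 1300.0, "Payroll Trust", "203.0.113.5", datetime(2011, 6, 22, 10, 30)),
    "large_wire":   Transaction("A1", 8000.0, "ACME Supplies", "203.0.113.5", datetime(2011, 6, 22, 14, 0)),
    "weekend_new":  Transaction("A1", 25000.0, "Unknown Ltd", "203.0.113.5", datetime(2011, 6, 25, 2, 0),
                                approvers=frozenset({"alice"})),
    "third_of_day": Transaction("A1", 500.0, "Payroll Trust", "203.0.113.5", datetime(2011, 6, 20, 15, 0)),
    "bad_ip":       Transaction("A1", 1300.0, "Payroll Trust", "198.51.100.23", datetime(2011, 6, 22, 10, 30)),
}


def run_samples():
    """Evaluate every constructed sample and return {name: (decision, reasons)}."""
    return {name: evaluate(txn, POLICY, HISTORY) for name, txn in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name:13s} -> {decision:6s} {'; '.join(reasons)}")
```

The ordering of the tiers is a design choice worth stating explicitly: a reputation hit blocks regardless of anything else, while a merely large amount only steps the customer up to out-of-band verification, because the supplement treats verification and dual authorization as controls that let legitimate activity proceed rather than as reasons to refuse it. The reasons list is kept separate from the decision so that the fraud-monitoring side can see why a payment was held and respond in a timely way, which is the first item on the FFIEC's list.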
The good news for banks, credit unions and financial institutions of all sizes is that there are commercial off-the-shelf software solutions available TODAY. Solutions such as Entrust IdentityGuard (strong authentication) and Entrust TransactionGuard (fraud detection) are proven in some of the largest FIs across the globe to detect and defend against the most advanced forms of fraud threats.