Financial Institutions Confused About FFIEC Regulations


Financial institutions are scrambling to meet FFIEC regulatory requirements by the end of 2006. Compliance managers at many banks, however, appear confused as to what those requirements actually are.

On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued a guidance letter for banks and financial institutions, which clarified its expectations for combating the growing problems of phishing, online fraud, and identity theft. In their letter, the FFIEC echoed earlier calls by the FDIC for financial institutions to implement stronger, multi-factor authentication by the end of 2006. This recommendation has garnered tremendous attention in the press and many banking compliance managers have focused almost exclusively on this requirement, seemingly unaware that they may be missing a larger, more important FFIEC requirement.

In their guidance letter, the FFIEC urged, "where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."

Simple enough, right?

Not when you take into consideration the preceding sentence. The FFIEC prefaced the above recommendation with a call to financial institutions to assess such authentication techniques in light of their ability to mitigate phishing, stating "financial institutions should assess the adequacy of such authentication techniques in light of new or changing risks such as phishing, pharming, malware, and the evolving sophistication of compromise techniques."

So, what authentication techniques are "adequate" in light of phishing?

"It can be a confusing question," says T. Eric Willis, President & CEO of Sestus Data Corporation, a hardware-free two-factor authentication solution provider. "We have been flooded with questions from banks who are confused about that FFIEC requirement. Some managers weren't aware there was such a requirement in the FFIEC letter." Says Willis, "It's not just about stronger authentication. It is clear the FFIEC also wants authentication methods to be adequate in light of phishing."

When asked why banks seem to be disregarding this requirement, Willis surmised it was due to misplaced confidence in the abilities of existing two-factor authentication approaches. "I recently spoke with an analyst with the State of Nebraska's banking regulatory department," Willis noted, "who was firmly convinced that hardware tokens were heaven's gift to the banking industry. He just couldn't seem to grasp that hardware tokens authenticate users, not Websites."

In a recent Washington Post story, Gartner Research fraud analyst Avivah Litan agreed, deriding hardware tokens and similar authentication methods as little more than a "placebo effect" offered to users who want to feel more secure, while providing little in the way of actual anti-phishing protection.

In a March interview, noted author and IT security expert Bruce Schneier explained that existing two-factor authentication solutions were designed for a bygone era: "People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago. It's not going to prevent identity theft," he warns. "It's not going to secure online accounts from fraudulent transactions." Schneier recently issued an even more dismal prediction: "I predict that banks and other financial institutions will spend millions fitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft."

So what is the solution?

Perhaps the FFIEC had the answer all along. The FFIEC noted in their October 12 Guidance Letter that the failure of financial institutions to implement website authentication was a reason for the current problem of phishing, stating: "Currently, most financial institutions do not authenticate their web sites to the customer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed web sites."

This echoes earlier FDIC reports in which the FDIC identified a lack of "website authentication" as a root cause for the phishing problem.

"Website authentication is the answer," agrees Willis. "When website authentication is combined with strong two-factor authentication, as is the case with Sestus Data Corporation's PhishCops™ product, phishing can be effectively eliminated."

PhishCops™ by Sestus Data Corporation does meet both of the FFIEC's recommendations, combining a "virtual," or hardware-free, two-factor token process with government-approved Website authentication to address phishing, in a single integrated solution.

Sestus Data Corporation reports that PhishCops™ was designed from its inception in accordance with FDIC and FFIEC regulatory requirements, and the U.S. government recently named PhishCops™ a semi-finalist for the 2005 Homeland Security Award.

PhishCops™ authentication methods also appear to be stronger than those used by most hardware-based token vendors. The National Institute of Standards and Technology, a government standards body, has recently called for all regulatory agencies and commercial security firms to migrate their technologies away from the aging SHA-1 OATH standard used by most hardware-based token vendors, to the newer SHA-256 standard (which is used by PhishCops™) by 2010.

A live demo, white paper, and additional information can be found on the PhishCops™ homepage: http://www.phishcops.com.

###


Media Contact
Sestus Data Corporation
866-621-1885