FFIEC Authentication Guidance Requires Smarter Device Identification for Banking Compliance

Long-Awaited Supplement Cites the Need for Complex Device Identification and a Layered Security Approach for Banking Compliance to Combat Fraud

ThreatMetrix™, the fastest-growing provider of cloud-based fraud prevention solutions that do not require personally identifiable information (PII), today endorsed requirements for smarter device identification and a layered security approach for banking compliance in the new authentication guidelines recently issued by the Federal Financial Institutions Examination Council (FFIEC). Outlined in a document, “Supplement to Authentication in an Internet Banking Environment,” these guidelines aim to help financial institutions adopt strong safeguards against online fraud.

The new guidelines, which will take effect in January 2012, serve as a supplement to the FFIEC’s “Authentication in an Internet Banking Environment,” which was first issued in October 2005. At that time, first-generation device identification technologies were implemented to meet new multi-factor and risk-based customer authentication requirements. This was based on the relative cost advantages and consumer convenience of using browser cookies and attributes as an additional authentication factor.

Six years later, cybercriminals, Trojans, botnets, and foreign government-sponsored fraud and espionage have evolved to such a degree that they can now decommission nuclear reactors, take governments and militaries offline, and steal billions in online consumer transactions. Yet many online bank accounts are still protected by little more than a password and perhaps a cookie or IP address filter.

Topics Addressed in the New FFIEC Guidelines

The FFIEC authentication guidance specifically takes aim at banks that have cut corners and not kept up with the latest cookieless device identification technologies. Such technologies overcome the weaknesses associated with deleting or copying cookies or the use of compromised computers to spoof IP addresses and steal passwords.

The FFIEC guidance, which says in part, “…Institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique...” also advises against simple challenge and response questions that rely on personal information, which is easily discovered.

“In anticipation of the new FFIEC guidance, ThreatMetrix has integrated advanced device identification capabilities into our products,” said Reed Taussig, president and CEO, ThreatMetrix. “ThreatMetrix customers can rest assured that they will receive a cost-effective and efficient platform that is in compliance with these new FFIEC guidelines in the area of advanced device identification. We wanted to take the guesswork out of determining whether or not our customers meet the new standards with respect to strong device identification. Using new rules available in the ThreatMetrix editor, our customers can now set all the required conditions to satisfy the FFIEC guidance in a matter of minutes with no additional cost or operational overhead.”

The ThreatMetrix™ Cloud-Based Fraud Prevention Platform provides financial institutions with smarter device identification and contextual risk scoring that complies with the specific layered customer authentication security program recommendations made by the FFIEC.

“Complex device identification is a key component of a layered security program, and was ranked among the most effective online fraud prevention technologies in a recent Aite Group survey of card security executives,” said Julie Conroy McNelley, senior analyst, retail banking practice, Aite Group.

Features of the ThreatMetrix Cloud-Based Fraud Prevention Platform

  •     Complex Device Identification: ThreatMetrix is the recognized gold standard for real-time device identification based on more than 150 browser and packet fingerprint attributes correlated across a global network. Unlike simple device identification techniques that rely on cookies for recognizing previously profiled computers, ThreatMetrix provides a complete analysis of a device’s browser and packet fingerprint during account origination, login and money transfers.
  •     Advanced Proxy Detection and Piercing: Unlike proxy IP lists that cannot detect hidden proxies and botnets, ThreatMetrix instantly pierces proxies to identify the true location of a fraudster.
  •     Identification of Compromised Computers: ThreatMetrix provides evidence-based compromised device and bot intelligence in real-time so an organization can make the appropriate decision to block, challenge, or review the attempted transaction.
  •     Detection of Fraud Rings: ThreatMetrix link analysis and automated behavior detection detect related accounts and transactions that otherwise go undetected.
  •     Automated and Manual Transaction Monitoring and Anomaly Detection at Both Login and Transaction Authentication: ThreatMetrix provides real-time contextual scoring based on device, customer and transaction attributes and historic analysis across all online transactions through a customer configurable policy engine. Alerts and transactions can be reviewed and analyzed in a powerful, intuitive and secure portal.
  •     Global Fraud Network Based on Device Transaction Intelligence: ThreatMetrix goes beyond inaccurate IP reputation to provide proactive protection based on collective intelligence of good and bad device interactions across its global network, without requiring extensive manual review.    

About ThreatMetrix

ThreatMetrix helps companies stop web fraud and accelerate e-commerce in real-time so they can significantly reduce online fraud, acquire more customers faster, reduce costs, and increase customer satisfaction. The ThreatMetrix™ Cloud-Based Fraud Prevention Platform, incorporating ThreatMetrix SmartID™ cookieless device identification, provides online businesses with the ability to protect themselves and their customers by verifying new accounts, authorizing payments and transactions and authenticating user logins in real-time. Online businesses can deploy the ThreatMetrix Cloud-Based Fraud Prevention Platform, which does not rely on personally identifiable information (PII), for traditional online activity via a personal computer as well as for mobile and tablet devices. The company serves a rapidly growing customer base around the world across a variety of industries including social networks (dating, gaming), financial services, e-commerce, affiliate marketing and payments. For more information, visit http://www.threatmetrix.com or call 1-650-625-1451.

© 2011 ThreatMetrix. All rights reserved. ThreatMetrix, the ThreatMetrix Cloud-Based Fraud Prevention Platform, ThreatMetrix SmartID, ThreatMetrix ExactID, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

###

Contact Author

Lauren Eichmann
Walker Sands Communications
312-265-3089

Dan Rampe
ThreatMetrix
650-417-6122