
Strong authentication absent in new FFIEC guidelines

Yesterday the US banking regulator, the Federal Financial Institutions Examination Council (FFIEC), set out its expectations to improve internet banking authentication standards. While the FFIEC calls for, amongst other measures, layered security and more sophisticated one-time cookies where device identification is used, there is notably no mention of strong authentication in their new document.


Strong authentication is already widely implemented in the UK and Scandinavia through the use of tokens and various devices to support card-not-present transactions such as Mastercard's EMV-CAP card readers.


In the past, internet banking in the US has generally not made use of strong authentication, which might explain the term's absence from the FFIEC's document, but its use has proven highly effective in other geographies.


Banks recognise that not all customers find using tokens convenient. However, mobile-based tokens or out-of-band verification could be a practical means of providing strong authentication without users needing to carry tokens or card readers.


Overall, the new guidelines are disappointing. While they do contain some good direction, on the use of 'challenge questions' for example, they focus too much on good practice for the security measures banks use today rather than on measures that might dramatically improve online banking security.


Comments: (6)

A Finextra member, 01 July 2011, 14:12

"Banks recognise that not all customers find using tokens convenient."

They don't seem to be doing much about it, do they?...

Online Banking Card Readers: no more room in the suitcase

In addition, how do you think FFIEC now view the security STRENGTH of tokens in light of the RSA breach? Personally I can't see how 'guidelines' can really work in today's turbulent times for the banking sector - hence, I tend to concur.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 04 July 2011, 12:35

More than five years after the release of the first set of FFIEC guidelines - which did mandate strong two-factor authentication - there are literally thousands of non-complying banks in the USA, as can be witnessed by the long list of banks that can be linked to Mint because they don't support 2FA. By keeping silent about strong authentication now, FFIEC seems to have decided not to bother coming up with guidelines that are observed more in the breach. 

Nick Collin - Collin Consulting Ltd - London, 06 July 2011, 10:47

Completely agree with you Steve - strong two-factor authentication based on something I own and something I know must surely be the standard for all remote financial transactions. There's a lively discussion going on on this subject at http://lnkd.in/_Pxvpy if you're interested.

A Finextra member, 06 July 2011, 12:02

Thanks for pointing me to that link Nick. Off the topic of this post, but I would also like to see my CAP/DPA reader and card securing my 3-D Secure on-line transactions. It's completely technically possible as (if I remember correctly) CAP is already part of the 3-D Secure stack. However, we are unlikely to see it implemented for fear of it discouraging shopping on sites that use it. Meanwhile, as you point out, on-line shoppers are voting with their feet and migrating to other on-line payments that are perceived to be more secure.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 06 July 2011, 14:27

@Steve B: 

"...on-line shoppers are voting with their feet and migrating to other on-line payments that are perceived to be more secure".

In the USA, which is where FFIEC is applicable, I'm a bit curious to know more about such alternatives, their market shares and the basis of the "fear of it discouraging shopping on sites that use it".

A Finextra member, 06 July 2011, 14:56

This is all off-topic from the original post. However...

If you follow Nick's link, he has some good stats on how PayPal is growing its share of on-line shopping payments. So PayPal is the most prominent alternative.

The argument put forward about putting anything extra between selecting goods and making the payment is that it may discourage shoppers from completing their purchase and they may visit another site instead that does not have extra steps to get their goods. Adding CAP readers to authenticate a payment falls into this category. I am not supporting or refuting this argument here, merely replaying it for you.