Proposed FFIEC Changes Mean Improved Prevention
As many of you probably know, the FFIEC has drafted and is ready to unveil their guidance on ‘Authentication in an Internet Banking Environment’. It is my understanding that the focus for improvement (albeit closely aligned to the recommendations made in 2005) relates to 5 key areas for enhancing online security. One area I want to address is the possible requirement for financial institutions to incorporate ‘layered security’ controls to better detect and respond to suspicious or anomalous activity.
Having worked for many years in financial fraud investigations, I saw the emergence and growth of internet/online banking, as well as the rise of ACH fraud, wire fraud, identity theft and new fraud attacks, such as malware, man-in-the-middle, phishing, spoofing and their many variants. I also had to deal constantly with customers’ perceptions that the bank was not doing enough to protect their money and identity. So I know first-hand the current frustration in the industry over which party is responsible for losses. I also know first-hand that layered security can work.
Many institutions surprisingly still base fraud prevention efforts solely on some form of front-end authentication. Given the rash of successful ACH and wire attacks we’ve seen in the past, these defenses are simply not enough. If you remain unconvinced, I encourage you to read the legal filings in the EMI and Comerica lawsuit or look at headlines such as the recent article on Krebs On Security. Without a layered security approach, front-end authentication will always remain susceptible to compromise. I think Brian Krebs sums up the need for a layered security approach well: “All of these developments illustrate the need for some kind of mechanism on the bank’s end for detecting fraudulent transactions, such as building profiles of what constitutes normal customer activity and looking for activity that appears to deviate from that profile.”
A layered security approach creates a partnership between the account holder and the financial institution to stop fraud. Everything possible should be done to secure the customer and authenticate that person when using online banking applications. However, given the sophistication of today’s fraudsters, strong measures should also be implemented on the back end (i.e., at the payments layer) to make sure payment and other activity is consistent with the profile of the account. By focusing on solutions that incorporate a layered security approach (e.g., transactional and behavioral analysis that examines customer activity to identify suspicious patterns), financial institutions can better identify, prevent, mitigate and control the emerging fraud risk.
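The payments-layer profiling described above, as an added illustration rather than Memento’s product or anything the FFIEC guidance prescribes: a per-account baseline is built from past outgoing payments, and each new ACH or wire is compared against it. The sample history, the three-sigma amount band, the reason weights and the hold threshold are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    account: str
    payee: str
    amount: float
    hour: int  # hour of day (0-23) the payment was submitted


# Illustrative weights and hold threshold (assumptions, not FFIEC values).
WEIGHTS = {"new_payee": 2, "amount_outlier": 2, "unusual_hour": 1, "velocity": 2}
HOLD_AT = 3


def build_profile(history):
    """Per-account baseline: payees seen, amounts sent, hours of day used."""
    profile = {}
    for t in history:
        p = profile.setdefault(t.account, {"payees": set(), "amounts": [], "hours": set()})
        p["payees"].add(t.payee)
        p["amounts"].append(t.amount)
        p["hours"].add(t.hour)
    return profile


def assess(txn, profile, recent_count=0):
    """Compare one outgoing payment with its account baseline; recent_count is the
    number of payments this account already submitted in the last hour.
    Returns ("hold" | "release", [reasons]) for the payments-layer decision."""
    p = profile.get(txn.account)
    if p is None:  # no history at all: nothing to compare against, hold for review
        return "hold", ["no_baseline"]
    reasons = []
    if txn.payee not in p["payees"]:
        reasons.append("new_payee")
    mu, sigma = mean(p["amounts"]), pstdev(p["amounts"])
    if txn.amount > mu + 3 * max(sigma, 1.0):  # floor avoids a zero-width band
        reasons.append("amount_outlier")
    if txn.hour not in p["hours"]:
        reasons.append("unusual_hour")
    if recent_count >= 3:
        reasons.append("velocity")
    score = sum(WEIGHTS[r] for r in reasons)
    return ("hold" if score >= HOLD_AT else "release"), reasons


# Constructed sample history for one business account (not real data).
HISTORY = [Txn("ACME-001", p, a, h) for p, a, h in [
    ("Vendor A", 1200, 9), ("Vendor A", 1350, 10), ("Vendor A", 1100, 9),
    ("Vendor A", 1400, 11), ("Vendor A", 1250, 10), ("Payroll Co", 1300, 9)]]
PROFILE = build_profile(HISTORY)
ROUTINE = Txn("ACME-001", "Vendor A", 1280, 10)
SUSPICIOUS = Txn("ACME-001", "NewBiz LLC", 9800, 3)
```

A routine payment to a known payee at a usual hour releases with no reasons, while a large payment to a never-seen payee at 3 a.m. during a burst of submissions accumulates several reasons and is held for review.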
I do find it reassuring that some institutions have been proactive in seeking ways to better protect their customers without a formal regulation. They are incorporating layered security, frequently reassessing product risk for new and existing product offerings and communicating best practices to customers. As a former investigator, I hope the new FFIEC guidance makes this the norm instead of the exception.
Attending BAI Payments Connect next week? Drop by Memento’s booth to continue the discussion on the advantages of layered security.