FFIEC Authentication Guidance Update: The Need for Out Of Band Authentication

January 05, 2012

The Federal Financial Institutions Examination Council's (FFIEC) guidance for financial institutions, which was first issued in 2005, supports the use of strong authentication processes to protect customer identities and information during online transactions.

The FFIEC revisited these guidelines and addressed several areas because of the increasing number of identity fraud cases, phishing attacks, malware and man in the middle attacks. The FFIEC authentication guidance update addresses better risk assessment, adopting stronger authentication standards, using layered security, advanced authentication techniques and providing technology guidance for compliance.

Much of the focus of the FFIEC guidance update is on the adoption of strong authentication for consumer and commercial banking. Financial institutions need to provide solutions and offer advice to the customers they serve, in addition to enhancing their own online security measures.

The most effective strategy for detecting and preventing banking fraud schemes is to implement layered security. "Layered security," as defined by the FFIEC, is "the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control." Multiple layers of security have been proven to prevent identity attacks. If one security layer fails, the other layer of security is in place to prevent fraud attacks. Layered security options include out of band authentication and advanced transaction verification.

As financial institutions analyze online risks, they need to consider mobile devices as an effective layer for out of band authentication. Financial institutions aren't doing enough when it comes to using mobile devices as an out of band layer for additional authentication. Most financial institutions are not flexible enough to respond to fraud attacks: they have the fraud detection technologies, but they can't respond to these attacks fast enough to stop them.

The majority of financial institutions rely on risk controls and fraud detection technologies that don't prevent or stop the new kinds of attacks. Their security programs are not strong enough to combat these fraud attacks, and they need to build risk and security programs that aid fraud departments. These financial institutions also need to dedicate budgets to responding quickly to these new kinds of attacks when they're detected, to minimize their losses. It's not so much that the technology is a problem, but rather the minimal budgeting financial institutions have to combat these attacks.

Many of today's financial institutions rely on weak multi factor authentication, such as a combination of usernames/passwords and some form of knowledge based authentication such as a question and answer or a PIN. The FFIEC guidance takes a stance on single factor authentication, and many online fraud and identity attacks are the result of single factor authentication or weak multi factor authentication.

The FFIEC guidance and recommendations address better risk assessments, adopting stronger authentication standards, pushing towards multiple layers of security, exploring advanced authentication techniques and providing technology guidance for compliance.

Driving better risk assessments for financial institutions requires a better understanding of the new attacks and how to respond to them in a timely manner. This includes guidance for regular reviews of the internal systems of banks and the ability of these systems to detect and deal with fraudulent attacks.

Adopting stronger authentication standards is a must with the new types of attacks. User names and passwords aren't enough to protect customers and neither are weak forms of multi factor authentication. Today's attacks require stronger means of authentication especially for the high risk transactions such as wire transfers and ACH transactions. A way to adopt stronger authentication is to implement out of band authentication with a mobile device to prevent fraud attacks.

Multiple layers of security are a proven way to prevent fraud attacks which include malware. If one security layer fails, another layer can prevent the fraudulent attack. Security such as out of band authentication and advanced transaction verification can be very effective forms of multiple security layers.

Authentication technology needs to evolve and stay innovative as fraudulent attacks increase in sophistication. For example, financial institutions can use mobile devices for out of band authentication and use stronger challenge questions.

Providing technology guidance is a focus of the FFIEC, which provides instruction on technology and solutions such as fraud detection platforms. Other solutions include fraud transaction monitoring and/or anomaly detection software.

Financial institutions can increase their security and at the same time keep their costs low by implementing out of band authentication solutions. Out of band authentication can be cost effective and a user friendly option since existing devices are already owned by users. This eliminates the high costs of implementing or deploying additional devices. By using a different medium such as a mobile device, smart phone, tablet, email, or SMS, an independent authentication can be delivered to users.

With out of band authentication, a customer can be prompted during an online session to enter a one time password, and the password can be sent through a mobile device. Without the out of band authentication network (the customer's mobile phone), a transaction cannot be completed, and a message can be sent to the customer that an attempt to access an online session was not completed. Out of band authentication is a highly effective technology and can prevent fraud attacks.

Most authentication methods can be compromised by phishing attacks, and the focus needs to be on authenticating transactions to prevent fraud attacks. Financial institutions need to have filters in place for any and all transactions. There is always a risk of fraud, but managing the risk by implementing out of band authentication can help lower these risks dramatically.

Many financial institutions consider out of band authentication a crucial part of preventing fraud, but some institutions find that their customers may find out of band authentication too difficult to use. The effectiveness of out of band authentication must be balanced with usability so that integration is not an issue for institutions or their customers. When the risk is higher than the cost to implement a security measure, it's worth it for a financial institution to implement security like out of band authentication to prevent attacks and to protect their customers.
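The out of band one time password flow described above, extended so that each code authenticates one specific transaction, is sketched below as an added example that is not part of the original article. The class name, the `send_oob` callback, the 300 second lifetime and the three attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_ATTEMPTS = 3       # assumed number of guesses before the code is void

class OobTransactionVerifier:
    """Hypothetical verifier: one code per transaction, usable once."""
    def __init__(self, send_oob, clock=time.time):
        self._send = send_oob  # assumed callback that reaches the customer's phone
        self._clock = clock
        self._pending = {}     # txn_id -> state of the outstanding code

    @staticmethod
    def _fingerprint(customer, payee, amount):
        blob = json.dumps([customer, payee, amount]).encode()
        return hashlib.sha256(blob).hexdigest()

    def request(self, txn_id, customer, payee, amount):
        otp = f"{secrets.randbelow(10**6):06d}"  # drawn from the OS CSPRNG
        self._pending[txn_id] = {
            "otp": otp,
            "details": self._fingerprint(customer, payee, amount),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": MAX_ATTEMPTS,
        }
        # Naming payee and amount lets the customer spot an altered transfer.
        self._send(customer, f"Code {otp} approves {amount} to {payee}")

    def confirm(self, txn_id, customer, payee, amount, otp):
        entry = self._pending.get(txn_id)
        if entry is None:
            return "unknown"
        if self._clock() > entry["expires"]:
            del self._pending[txn_id]
            return "expired"
        if entry["details"] != self._fingerprint(customer, payee, amount):
            del self._pending[txn_id]  # details edited after the code was sent
            return "details_changed"
        if hmac.compare_digest(entry["otp"].encode(), otp.encode()):
            del self._pending[txn_id]  # single use
            return "approved"
        entry["attempts"] -= 1
        if entry["attempts"] == 0:
            del self._pending[txn_id]
            return "locked"
        return "wrong_code"
```

A code phished from the customer is useless for a different payee or amount, after expiry, or after it has been used once.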

Adam is an authentication specialist who focuses on government regulatory compliance. He believes out-of-band authentication through a SMS one time password can securely identify a user and protect against banking fraud or fraudulent access to confidential financial information.

Source: EzineArticles