FFIEC Customer Authentication Guidance: Authentication in an Internet Banking Environment About the Speaker Matthew Clohessy, CPA, CIA, has six and a half years of experience as an internal auditor at midsized commercial banking institutions where he specializes in evaluating internal controls over electronic banking delivery channels, retail and commercial banking operations, loss prevention and consumer banking regulatory compliance. Prior to his career in internal auditing, Mr. Clohessy was a network administrator for a small company in the office design industry for four years, where he was responsible for the operation, security and maintenance of the company’s IT infrastructure. Discussion Topics • Overview of the FFIEC • Evolution of the guidance • Evolving cybercrime fraud landscape • Objectives of the guidance • Layered security approach • Risk assessments • Recent court cases • New FFIEC working group Overview of the FFIEC The Federal Financial Institutions Examination Council (FFIEC) is an interagency body which promotes uniformity and consistency in the supervision of financial institutions through establishing uniform principles, standards and report forms for financial institution regulatory agencies. Regulatory Agencies: • Board of Governors of the Federal Reserve System (FRB); • Federal Deposit Insurance Corporation (FDIC); • National Credit Union Administration (NCUA); • Office of the Comptroller of the Currency (OCC); and • Consumer Financial Protection Bureau (CFPB) (Joined July 2011) Evolution of the Guidance The “Authentication Guidance” issued by the FFIEC continues to evolve as new technologies emerge and as changes occur in the fraud environment that financial institutions are faced with: • August 2001: Authentication in an Electronic Banking Environment • October 2005: Authentication in an Internet Banking Environment (Replaced 2001 Guidance) • June 2011: Supplement to Authentication in an Internet Banking Environment The “2001 Guidance” focused on risk management controls necessary to authenticate the identity of retail and commercial customers accessing Internet-based financial services The “2005 Guidance” replaced the 2001 Guidance and provided a risk management framework for financial institutions offering Internet based products and services to their customers. The “2011 Supplement” reinforced the 2005 Guidance’s risk management framework and updated the Agencies’ expectations regarding customer authentication, layered security, or other controls. Evolving Cybercrime Landscape • Organized crime rings with significant financial backing • Cyber criminals are utilizing malware designed specifically to collect user ids/passwords from infected devices (eg. Zeus/Zbot, Clampi/llomo, SpyEye) • Increased sophistication of attacks • Cross-channel fraud – Utilizing a combination of Web, Telephone and/or other electronic channels to execute fraudulent transactions. • Layered assaults – Utilizing DDoS immediately after perpetrating fraud to prevent customers from accessing their accounts/identifying fraudulent transactions before they clear. Objectives of the Guidance The FFIEC’s Authentication Guidance provides a set of guidelines for financial institutions on establishing a risk based control environment to prevent losses as a result of external fraud. The guidance focuses on implementing a layered security approach and executing periodic risk assessments to establish a commercially reasonable control environment for electronic financial services. Layered Security Approach “Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security..” (2011 Supplemental guidance) A Layered Security approach relies upon different controls at different points of the transaction and consists a combination of the following elements to reduce the risks associated with high risk online activities: • Multi-Factor Authentication • Effective Layered Controls Multi-Factor Authentication Multi-Factor Authentication consists of having more than one of the following “Factors”: • Something the user knows (e.g., password, PIN); • Something the user has(e.g., ATM card, smart card); and • Something the user is (e.g., biometric characteristic, such as a fingerprint) Multi-Factor Authentication Examples Authentication Requirements Considered Multi Factor Authentication Explanation User ID and password No User ID and password are both "knowledge" factors Website login ID/password and user login ID/password No "Layers" of the same factor does not constitute multi-factor authentication Yes Contains "knows" factors (User ID and Password) and "has" factors (hardware token generated code) User ID, password and hardware token generated verification code Effective Layered Controls Multi-Factor Authentication may not be considered a strong enough control by itself for high risk transactions (eg. high dollar wire transactions) or practical to implement (eg. retail web banking customers). As such, implementing additional controls is critical to establishing an effective layered control environment. Examples of layered controls: • fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response; • the use of dual customer authorization through different access devices; • the use of out of band verification for transactions; • the use of “positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account • enhanced controls over account activities; such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g.,days and times); • internet protocol (IP) reputation based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities; • policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud; • enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels; and • enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk. Establishing Effective Layered Controls A well designed control framework does not always mean that effective controls are in place: Effective authentication should have customer acceptance, reliable performance (with formally established policies and procedures), scalability to accommodate growth, interoperability with existing systems and future plan. Effective Layered controls must have quality substance, not just the form of a control. Challenge questions that are overused, or publically obtainable knowledge are not considered effective (eg. mother’s maiden name, high school the customer graduated from, year of graduation from college, etc). Utilization of sophisticated “out-of-wallet” questions along with “red herring” questions is considered effective. Simple device identification (cookie based) and geolocation can be circumvented through the use of copying cookie files and proxies. Use of “one time” cookies and more complex digital fingerprints are considered to be effective tools. Risk Assessments • Should be executed at least every twelve months and prior to implementing new electronic financial services. • The risk should be evaluated in light of the type of customer (e.g., retail or commercial); the customer transactional capabilities (e.g., bill payment, wire transfer, loan origination); the sensitivity of customer information being communicated to both the institution and the customer; the ease of using the communication method; and the volume of transactions. • Should incorporate elements such as: • Changes to internal and external threat environment • Changes to customer base • Changes in customer functionality offered through electronic banking • Volume of incidents (security breaches, compromised accounts, fraud events) experienced by the institution and the industry. • Risk assessments should consider cross-channel fraud risks and highlight areas where a siloed assessment would define activity as “low risk”, but may provide additional information needed to authenticate or otherwise gain access through other channels and perform high risk activities. Recent Court Cases FFIEC Guidance Tests Case Experi-Metal Inc. vs. Comerica Bank PATCO Construction Inc. vs. People's United Bank Choice Escrow vs BancorpSouth UCC 4A Tests Commercially Procedures found to Bank's acceptance of Reasonable Procedures be implemented in authorization performed in (Layered Controls) good faith good faith Current ruling Not Challenged* Not Challenged* No Against the bank Yes No Not Challenged Against the bank Yes Yes Not Challenged** In favor of the bank *FFIEC Elements were not challenged in the Experi-Metal Inc. vs. Comerica Bank as the customer and bank had an agreement noting that the security procedures that were applied were commercially reasonable. **Evidence was raised indicating that Choice Escrow's computer systems were hacked into, but no arguments were made surrounding UCC 4A implications for customer authorization of the transaction / unauthorized access to customer transmission facilities. New FFIEC Working Group June 6, 2013: FFIEC Forms Cybersecurity and Critical Infrastructure Working Group Objective of the working group is to further promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues such as the growing sophistication and volume of cyber attacks and the global importance of critical financial infrastructure. - Changes/updates to authentication guidance forthcoming from this committee? Questions?