Welcome Guest. | Log In | Register | Membership Benefits


Topics:   Security Views : Compliance Tech Center

FFIEC Goes Beyond Traditional Authentication

The FFIEC recommends that organizations provide additional business and fraud detection controls to offset weaknesses in authentication technology

Oct 18, 2011 | 07:02 PM | 

By Richard E. Mackey, Jr.
Dark Reading

The FFIEC's recommendations for layered protection include mechanisms other than authentication to detect and prevent fraud. It is important to use information about customer location and behavior as an aid in detecting fraud.

In my previous post, I provided an overview of the supplement to the Authentication in an Internet Banking Environment guidance.

The FFIEC authentication supplement gives specific examples of fraud detection and monitoring systems that financial institutions should consider. It recommends monitoring customer transaction history and behavior. For example, it might be a sign of fraud when a customer who has never transferred funds to an nonaffiliated account does so for the first time. Address changes, changes to banking instructions for funds, and changes to beneficiaries are other important activities that should be verified through multiple contact methods.

The guidance also suggests institutions use multiple communication channels for confirmation of important transactions. For example, confirming password changes by email, telephone, and/or surface mail can provide more reliable authentication and might help to expose fraud attempts to customers. Another effective technique for preventing fraud is to require waiting periods after important account modifications, like address changes and banking instructions. While not foolproof, this approach provides more of an opportunity for customers to play a part in recognizing fraudulent activity.

The use of multiple layers of security is nothing new in the financial industry. Almost all of these methods are commonly implemented in mutual-fund companies and banks. In fact, any organization that extends credit (even the car dealership down the street) is supposed to be on the lookout for activities that would suggest that identity has been stolen and someone is attempting to perpetrate fraud.

The FTC’s Red Flag Rules require organizations to have controls in place to detect apparently fraudulent activities. Examples of “red flags” include mismatches of personal identifying information, incorrect signatures, mismatched addresses, and use of known stolen identities. The use of such nontechnical information is not just a suggestion -- it’s a requirement.

All organizations, whether they are financial institutions, merchants, or health care companies, should consider the types of activities that might signal identity theft, fraud, and misuse of accounts as components of their security control arsenal.

Richard Mackey is vice president of consulting at SystemExperts Corp.



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



Compliance Reports

report How To Boost Security Via FFIEC Compliance
With just a smartphone, users can conduct nearly all their banking business at any time of the day or night. However, all this flexibility and convenience opens up new avenues for fraud and cybercrime. Guidelines laid out by the FFIEC several years ago predate many of the capabilities-and vulnerabilities-that are in place today. In this report, we examine the latest guidelines and provide advice on how you can extend the work done to comply with FFIEC guidelines to strengthen your organization's overall security posture and keep customers and their data safe.

report Keeping Compliance In Check
Configuration mistakes, access control gaffes, poor documentation--it doesn?t take much for a compliance audit to go all wrong. In this special retrospective of recent news coverage, Dark Reading takes a look at the costs, common missteps and best practices for compliance, as well as the day the Internet nearly went dark due to the threat of new regulations.

report FISMA Lifts All Compliance Boats
FISMA may not be on your radar now, but it likely will be at some point. Geared specifically toward the federal government and its affiliate agencies and third parties, FISMA is a very specific set of requirements aimed at establishing and maintaining at least a baseline level of computer and network security. FISMA requires unique categorization and classification of information assets, not to mention a boatload of documentation to prove compliance. But once your organization achieves FISMA compliance, it will likely be compliant with just about every security mandate out there.

Other reports from the Compliance Tech Center:

Related Content

Log Management in 2012 and Beyond
2012 brings interesting changes to the log management world. Now, more than ever, it is critical to understand the impact to your log infrastructure and the solutions that will better prepare you to manage your security posture.

SANS Log Management Survey Report
Organizations are increasingly dependent on log management to support core business functions, including cost management, service level and line-of-business application monitoring, as well as traditional IT- and security-focused activities.

Cut the Time and Effort of Troubleshooting and Reporting
Organizations generate millions of logs a day and struggle with centralized collection, storage and analysis of those logs. ArcSight Logger is a universal log management solution that unifies searching, reporting, alerting and analysis across any type of IT data. It consolidates silos of logs into a single indexed repository for fast detection and mitigation of operational issues.

Get Turnkey and Automated PCI Compliance
PCI compliance monitoring is seamless with the self-contained ArcSight PCI Logger solution for log collection, storage and analysis. No database administration expertise is required and a web-based interface simplifies deployment and ongoing management.

Swiss Bank Meets Compliance Requirements and Protects Customer Data
Due to long-term data retention requirements, Swiss bank EFG needed a cost-effective way to collect, secure and store audit-quality log data in an easily accessible log repository. ArcSight Logger helps EFG meet key requirements of Switzerland?s banking laws fast and cost-effectively.




Featured Webcasts
Featured Whitepapers
Featured Reports