PhoneFactor Offers Response To FFIEC Guidance

Updated guidance identified emerging trends like biometrics and the use of dual controls

July 12, 2011

June 28, 2011 – The much-anticipated update to the FFIEC Guidance on “Authentication in an Internet Banking Environment” was released today, and PhoneFactor’s industry-leading out-of-band authentication services enable banks to meet new recommendations for layered security and stronger authentication.

“The 2005 FFIEC Guidance pushed financial institutions to take important steps to protect their customers, but as threats have evolved, some financial institutions have failed to update their control mechanisms accordingly,” said Tim Sutton, PhoneFactor CEO and co-founder. “As a result, many of the security measures in place today are outdated and ineffective.”

In response to today’s top threats, such as man-in-the-middle and keylogging, which were highlighted in the update, the FFIEC introduces the concept of layered security. The layered approach recommended by the FFIEC extends security controls beyond the initial login to include online banking transactions and administrative functions. The use of out-of-band verification for transactions was recommended as an effective control against these attacks.

In addition, the update calls for an overall strengthening of authentication technologies. According to the updated guidance, out-of-band authentication has taken on a new level of importance given the preponderance of malware on customer PCs, which can defeat OTP tokens, device identification, challenge questions, and many other forms of strong authentication. In particular, closed loop methods that complete the authentication in the out-of-band channel are seen as offering a greater level of security.

PhoneFactor enables banks to meet these requirements by authenticating online banking logins and verifying funds transfers, such as ACH and wire transfers, through a completely out-of-band process using any ordinary phone. PhoneFactor works by placing an automated phone call or sending a text message to the user in real time. Transaction details such as the amount and destination account can be played during the call or included in the text message. The user simply enters # (or a PIN) on the phone keypad, or replies to the text message, to approve legitimate logins and transactions. PhoneFactor can also be used to verify administrative functions, such as the creation of new payees, user changes, and payroll modifications.
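The closed-loop transaction verification described above, as an added simulation that is not PhoneFactor's code: the bank builds the phone message from the transfer as it actually received it, and the approval keypress travels back on the phone channel rather than through the browser, so a transfer altered on a compromised PC shows the customer the altered details and is declined. Class and function names, and the sample account numbers, are constructed for this illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    dest_account: str


class BankOutOfBandVerifier:
    """Bank side of a closed-loop out-of-band check (simulated, hypothetical).
    The message is built from the transaction the bank received, and the
    approval is bound to a one-time request id that is consumed on use."""

    def __init__(self):
        self._pending = {}   # request id -> transfer awaiting phone approval
        self.executed = []   # transfers the bank actually carried out

    def submit(self, transfer):
        """The browser submitted a transfer; send its details over the phone channel."""
        rid = secrets.token_hex(8)
        self._pending[rid] = transfer
        message = (f"Bank: approve transfer of ${transfer.amount_cents / 100:.2f} "
                   f"to account {transfer.dest_account}? Press # to approve.")
        return rid, message

    def phone_response(self, rid, keypress):
        """Approval arrives via the phone keypad; unknown, reused or declined requests fail."""
        transfer = self._pending.pop(rid, None)
        if transfer is None or keypress != "#":
            return False
        self.executed.append(transfer)
        return True


def customer_reviews(message, intended):
    """The customer presses # only if the spoken details match what they meant to send."""
    expected = f"${intended.amount_cents / 100:.2f} to account {intended.dest_account}"
    return "#" if expected in message else "decline"


def run_scenario(intended, submitted):
    """Return True if the bank executed a transfer. `submitted` is what the browser
    actually sent; it equals `intended` unless malware on the PC altered it."""
    bank = BankOutOfBandVerifier()
    rid, message = bank.submit(submitted)
    return bank.phone_response(rid, customer_reviews(message, intended))
```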

In addition, the updated Guidance identified emerging trends like biometrics and the use of dual controls, which PhoneFactor offers as well.

“The updated FFIEC Guidance presents a view of the current threat landscape and the security controls that are successful in preventing online banking fraud today,” said Sutton. “These changes, particularly transaction-level security and out-of-band authentication, set a new standard for banks and financial institutions and will substantially impact the way they approach online banking security going forward.”
