I. INTRODUCTION
The Federal Financial Institutions Examination Council (FFIEC) has issued a supplement to the Authentication in an Internet Banking Environment Guidance, issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original Guidance and update the FFIEC member agencies’ supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.
The continued growth of electronic banking and greater sophistication of the associated threats have increased risks for financial institutions and their customers. Customers and financial institutions have experienced substantial losses from online account takeovers. Effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions’ electronic agreements and transactions.
While the Guidance does not endorse any particular technology, it specifically addresses the need for risk-based assessment, customer awareness, and financial institutions’ implementation of appropriate risk mitigation strategies, including security measures to reliably authenticate customers accessing their financial institutions’ Internet-based services.
The main portion of the Guidance provides financial institutions with guidance on general supervisory expectations, which emphasizes that financial institutions should not rely on any one authentication method or security technique in authorizing high-risk transactions, but rather institute a system of layered security. The section on specific supervisory expectations reiterates previous guidance that financial institutions should perform periodic risk assessments and adjust their customer authentication controls as appropriate.
Earlier versions of the guidance recommended that institutions consider offering multifactor authentication to consumers and should implement multifactor authentication and layered security for covered business transactions. These recommendations have been removed from the Guidance, instead re-emphasizing the need for multiple layers of security.
The Guidance addresses the effectiveness of certain authentication techniques, and notes that institutions should no longer consider simple device authentication or challenge questions as effective control mechanisms. The Guidance recommends that institutions utilize more complex forms of these authentication techniques. The Guidance also stresses the importance of customer awareness and education.
II. GENERAL SUPERVISORY EXPECTATIONS
The concept of customer authentication, as described in the 2005 Guidance, is broad. It includes more than the initial authentication of the customer when he/she connects to the financial institution at login. Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high-risk transactions, but rather institute a system of layered security, as described herein.
III. SPECIFIC SUPERVISORY EXPECTATIONS
A. Risk Assessments
The Agencies reiterate and stress the expectation described in the 2005 Guidance that financial institutions should perform periodic risk assessments and adjust their customer authentication controls as appropriate in response to new threats to customers’ online accounts. Financial institutions should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months. Updated risk assessments should consider, but not be limited to, the following factors:
B. Customer Authentication for High-Risk Transactions
The 2005 Guidance’s definition of “high-risk transactions” remains unchanged (i.e., electronic transactions involving access to customer information or the movement of funds to other parties). The Agencies believe that it is prudent to recognize and address the fact that not every online transaction poses the same level of risk. Therefore, financial institutions should implement more robust controls as the risk level of the transaction increases.
1. Retail/Consumer Banking
Online consumer transactions generally involve accessing account information, bill payment, intrabank funds transfers, and occasional interbank funds transfers or wire transfers. Since the frequency and dollar amounts of these transactions are generally lower than commercial transactions, they pose a comparatively lower level of risk. Financial institutions should implement layered security, as described herein, consistent with the risk for covered consumer transactions.
2. Business/Commercial Banking
Online business transactions generally involve ACH file origination and frequent interbank wire transfers. Since the frequency and dollar amounts of these transactions are generally higher than consumer transactions, they pose a comparatively increased level of risk to the institution and its customer. Financial institutions should implement layered security, as described herein, utilizing controls consistent with the increased level of risk for covered business transactions. Additionally, the Agencies recommend that institutions offer multifactor authentication to their business customers.
C. Layered Security Programs
Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. Layered security can substantially strengthen the overall security of Internet-based services and be effective in protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses. Financial institutions should implement a layered approach to security for high-risk Internet-based systems.
Effective controls that may be included in a layered security program include, but are not limited to:
The Agencies expect that an institution’s layered security program will contain the following two elements, at a minimum:
1. Detect and Respond to Suspicious Activity
Layered security controls should include processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to:
2. Control of Administrative Functions
For business accounts, layered security should include enhanced controls for system administrators who are granted privileges to set up or change system configurations, such as setting access privileges and application configurations and/or limitations. These enhanced controls should exceed the controls applicable to routine business customer users. For example, a preventive control could include requiring an additional authentication routine or a transaction verification routine prior to final implementation of the access or application changes. An example of a detective control could include a transaction verification notice immediately following implementation of the submitted access or application changes. As discussed in the Appendix, out-of-band authentication, verification, or alerting can be effective controls.
D. Effectiveness of Certain Authentication Techniques
1. Device Identification
In response to the 2005 Guidance, many financial institutions implemented simple device identification. This typically uses a cookie loaded on the customer’s PC to confirm that it is the same PC that was enrolled by the customer and matches the logon ID and password that is being provided. However, experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer. Device identification has also been implemented using geo-location or Internet protocol address matching.
Simple device identification as described above can be distinguished from a more sophisticated form of this technique which uses “one-time” cookies and creates a more complex digital “fingerprint” by looking at a number of characteristics including PC configuration, Internet protocol address, geo-location, and other factors. Although no device authentication method can mitigate all threats, the Agencies consider complex device identification to be more secure and preferable to simple device identification. Institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique.
2. Challenge Questions
Many institutions use challenge questions as a backup in the event that the primary logon authentication technique becomes inoperable or presents an unexpected characteristic. The provision of correct responses to challenge questions can also be used to re-authenticate the customer or verify a specific transaction subsequent to the initial logon. Similar to device identification, challenge questions can be implemented in a variety of ways that impact their effectiveness as an authentication tool. In its basic form, the user is presented with one or more simple questions from a list that was first presented to the customer when they originally enrolled in the online banking system. These questions can often be easily answered by an impostor who knows the customer or has used an Internet search engine to get information about the customer (e.g., mother’s maiden name, high school the customer graduated from, year of graduation from college, etc.). In view of the amount of information about people that is readily available on the Internet and the information that individuals themselves make available on social networking websites, institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique.
Challenge questions can be implemented more effectively using sophisticated questions. These are commonly referred to as “out of wallet” questions, that do not rely on information that is often publicly available. They are much more difficult for an impostor to answer correctly. Sophisticated challenge question systems usually require that the customer correctly answer more than one question and often include a “red herring” question that is designed to trick the fraudster, but which the legitimate customer will recognize as nonsensical. The Agencies have also found that the number of challenge questions employed has a significant impact on the effectiveness of this control. Solutions that use multiple challenge questions, without exposing all the questions in one session, are more effective. Although no challenge question method can mitigate all threats, the Agencies believe the use of sophisticated questions as described above can be an effective component of a layered security program.
3. Customer Awareness and Education
A financial institution’s customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements:
The Appendix contains an additional discussion of online threats and control methods.
Appendix
Threat Landscape and Compensating Controls
Threats
As noted previously in this Supplement, the Agencies are concerned that fraudsters are utilizing increasingly sophisticated and malicious techniques to thwart existing authentication controls, gain control of customer accounts, and transfer funds to money mules that facilitate the movement of those funds beyond the reach of financial institutions and law enforcement. Many of these schemes target small to medium-sized business customers since their account balances are generally higher than consumer accounts and their transaction activity is generally greater making it easier to hide the fraudulent transfers.
An effective tool in the fraudster’s arsenal is keylogging malware. A keylogger is a software program that records the keystrokes entered on the PC on which it is installed and transmits a record of those keystrokes to the person controlling the malware over the Internet. Keyloggers can be surreptitiously installed on a PC by simply visiting an infected website or by clicking on an infected website banner advertisement or email attachment. Keylogging can also be accomplished via a hardware device plugged into the PC which stores the captured data for later use. Keylogger files are generally small in size and adept at hiding themselves on the user’s PC. They often go undetected by most antivirus programs. Fraudsters use keyloggers to steal the logon ID, password, and challenge question answers of financial institution customers. This information alone or in conjunction with stolen browser cookies loaded on the fraudster’s PC may enable the fraudster to log into the customer’s account and transfer funds to accounts controlled by the fraudster, usually through wire or ACH transactions.
Other types of more sophisticated malware allow fraudsters to perpetrate man-in the middle (MIM) or man-in-the browser (MIB) attacks on their victims. In a MIM/MIB attack, the fraudster inserts himself between the customer and the financial institution and hijacks the online session. In one scenario, the fraudster is able to intercept the authentication credentials submitted by the customer and log into the customer’s account. In another scenario, the fraudster does not intercept the credentials, but modifies the transaction content or inserts additional transactions not authorized by the customer which, in most cases, are funds transfers to accounts controlled by the fraudster. The fraudsters conceal their actions by directing the customer to a fraudulent website that is a mirror image of the financial institution’s website or sending the customer a message claiming that the institution’s website is unavailable and to try again later. Fraudsters may have the capacity to delete any trace of their attack from the log files.
MIM/MIB attacks may be used to circumvent some strong authentication methods and other controls, including one-time password (OTP) tokens. OTP tokens have been used for several years and have been considered to be one of the stronger authentication technologies in use. Since the one-time password is generally only good for 30-60 seconds after it is generated, the fraudster must intercept and use it in real time in order to compromise the customer’s account.
Controls
The Agencies are aware of a variety of security techniques which can be used to help detect and prevent the types of attacks described above. Some of these techniques have been in use for some time, while others are relatively new. Financial institutions should investigate which of these controls may be more effective in detecting and preventing attacks as part of the institution’s layered security program. However, it is important to note, that none of the controls discussed provide absolute assurance in preventing or detecting a successful attack. These controls may include the following:
Anti-malware software may provide a defense against keyloggers and MIM/MIB attacks. Anti-malware is a term that is commonly used to describe various software products that may also be referred to as anti-virus or anti-spyware. Antimalware software is used to prevent, detect, block, and remove adware, spyware, and other forms of malware such as keyloggers. It is important to note that antimalware is generally signature based, and some advanced versions of malware continuously alter their signature.
Transaction monitoring/anomaly detection software has been in use for a number of years. Similar to the manner in which the credit card industry detects and blocks fraudulent credit card transactions, systems are now available to monitor online banking activity for suspicious funds transfers. They can stop a suspicious ACH/wire transfer before completion and alert the institution and/or the customer so that the transfer can be further authenticated or dropped. Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring/anomaly detection could have assisted in preventing many fraudulent money transfers as they were clearly out of the ordinary when compared with the customer’s established patterns of behavior. Automated systems may also look at the velocity of a transaction and other similar factors to determine whether it is suspicious.
The Agencies are aware of the fact that a number of institutions are requiring the “out-of-band” authentication or verification of certain high value and/or anomalous transactions. Out-of-band authentication means that a transaction that is initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., telephone) in order for the transaction to be completed. Out-of-band authentication is becoming more popular given that customer PCs are increasingly vulnerable to malware attacks. However, out-of-band authentication directed to or input through the same device that initiates the transaction may not be effective since that device may have been compromised. For business customers, the out-of-band authentication or verification can be provided by someone other than the person who first initiated the transaction and can be combined with other administrative controls. Additionally, the use of out-of-band authentication or verification, for administrative changes to online business accounts, can be an effective control to reduce fraudulent funds transfers.
In response to the rising malware infection rates of customer PCs, a number of vendors have developed USB devices that increase session security when plugged into the customer’s PC. These devices can function in several ways, but they generally enable a secure link between the customer’s PC and the financial institution independent of the PC’s operating system and application software. Typically, the device’s firmware is “read only” and cannot be altered by the customer or the malware infecting the PC.
The use of restricted funds transfer recipient lists or other controls over the administration of such lists, can reduce funds transfer fraud. Fraudsters must frequently add new funds transfer recipients to an account profile in order to consummate the fraud.
Overall, the Agencies agree with security experts who believe that institutions should no longer rely on one form of customer authentication. A one dimensional customer authentication program is simply not robust enough to provide the level of security that customers expect and that protects institutions from financial and reputation risk. This concept of layered security is consistent with expectations the Agencies have discussed previously. Layered security controls do not have to be complex. For example, implementing time of day restrictions on the customer’s authority to execute funds transfers or using restricted funds transfer recipient lists, in addition to robust logon authentication, can help to reduce the possibility of fraud.
The banking, payment, and security industries have continued to innovate in response to the increasing cyber threat environment. In addition to some of the control methods previously discussed, other examples of customer authentication include keystroke dynamics and biometric based responses. Additionally, institutions can look to traditional and innovative business process controls to improve security over customers’ online activities. Some examples include: