The latest edition of the "Your Money Is Not Safe In The Bank" newsletter (sign up on their home page) takes a look at the new authentication guidelines about to be issued from the Federal Financial Institutions Examination Council (FFIEC) indicates that banks are about to be held accountable to a higher standard of risk assessment, fraud detection and prevention, and authentication. The current draft of the document updates the latest 2005 guidelines, and has been distributed for review and comment to the Board of Governors at the Federal Reserve, the FDIC, the Office of the Comptroller of the Currency, the National Credit Union Administration, and the Office of Thrift Supervision. Several different copies were leaked to the Information Security Media Group, the operation behind the "Your Money Is Not Safe..." website, as well.
Though this document is likely to see numerous changes from its current to any final form, here's a preview of coming attractions as they currently stand:
- Improved risk assessments to help financial institutions understand and deal with new or emerging threats, such as man-in-the-middle or man-in-the-browser attacks, and use of keyloggers, Trojans, and so forth to steal and distribute account access information and online funds transfer data
- Broad use of multi-factor authentication (security tokens, one-time keys via fax or cellphone, and so forth) to boost security, especially for "high-risk" transactions
- Layered security controls to detect and block suspicious or anomalous activities as they occur
- Increased customer education, particularly for those who work with commercial accounts online
Gosh! If all or most of these guidelines survive into a final, approved version, cybercrooks may soon be switching their focus and activities again, because these things would make it much, much more difficult for them to successfully perpetrate fraudulent funds transfers (or fraudulent account activities of any kind). Keep your fingers crossed that the powers that be won't try to water these recommendations down much, or at all. Only time will tell. A final version of the document should be published before the end of 2011. For more details, please consult the full text of the newsletter online.
Stu Sjouwerman