Online Only: Experts, Security Firms Find Gaps in New FFIEC Guidelines
Security experts from credit unions, research firms and technology providers have been quick to point out the shortcomings of the new Internet banking security guidelines issued on June 28 by the Federal Financial Institutions Examination Council.
The guidelines lack security recommendations for mobile banking, don’t adequately address today’s evolving fraud threats and come with a tough-to-meet deadline, experts said.
The new FFIEC guidelines, which were last updated in 2005, ask all financial institutions to implement a layered security approach, improve and expand their authentication mechanisms and offer financial education, among other efforts aimed at fighting online fraud and identity theft.
“There are lots of opportunities to poke holes in this,” said Julie Conroy McNelly of Boston-based research firm Aite Group. “You could say that it’s not forward thinking enough, and that it focuses too much on current threats.”
A lack of mobile and voice banking recommendations is one glaring hole in the guidelines, experts said. Laura Mather, vice president of product marketing for Palo Alto, Calif.-based fraud prevention vendor Silver Tail Systems, said the guidelines are also not up to speed with today’s threats, as they zero in on the types of breaches institutions faced in 2008 and 2009.
“The guidelines focus on sign-in and money movement, but criminals are finding other ways to attack,” said Mather, a managing director of the Anti-Phishing Working Group and one-time National Security Agency analyst who co-founded Silver Tail Systems after three years of working in anti-phishing and fraud deterrence at eBay. “We’re seeing new attacks in which criminals are scraping data from websites.”
In order to keep up with ever-changing threats, the FFIEC should not wait another six years to update these guidelines, experts said. Mather suggests, for example, that the council issue a new set of best security practices every six months.
McNelly added that while the guidelines describe a layered security approach, credit unions should be aware of how each layer actually combats fraud.
“It’s about knowing which threat vector each prevention mechanism is going to target,” McNelly said.
Mickey Goldwasser, vice president of marketing for Austin, Texas-based software vendor Q2ebanking, and Ward Howell, Q2ebanking’s director of security solutions consulting, said the guidelines do not mention tokens – a key to security – and that they “leave a lot open to interpretation.”
“Some people were surprised that it’s not as strong as what was anticipated,” Goldwasser said.
With the guidelines taking effect in January 2012, credit unions face a fairly short window of preparation time.
NCUA Chair Debbie Matz, also chair of the FFIEC, said the agency’s examiners will be expecting credit unions to follow the new guidelines. In order to comply, experts say CUs will need to analyze their current security measures, determine where they fall short and spearhead any necessary projects.
“The timeline for compliance is very aggressive and doesn’t give credit unions a lot of time to prepare,” Howell said.
What happens to the CUs that fail to comply in time? They could face a fine, but McNelly hopes examiners will allow some leeway if, for example, a CU has a project in place that will lead them to full compliance. Mather notes that a lawsuit resulting from a security breach could be the most costly consequence for CUs that do not follow the guidelines.
The Killeen, Texas-based, $118 million Texas Partners Credit Union already meets many of the new guidelines, as it chose to exceed the FFIEC’s 2005 guidelines in anticipation of future changes, IT Director Christian Mulvey said. However, the CU still has some work to do.
“Although we already meet many of the guidelines, some will require a number of hours of due diligence as well as manual review to be truly thorough,” Mulvey said. “This will cost our business considerable dollars for a service that is normally ‘free’ to our members.”
John Bock, CIO for the Fort Worth, Texas-based, $1.2 billion EECU, said he’s enlisting the help of the CU’s new security software solution, Boston-based Trusteer’s Rapport, to ensure compliance with the new guidelines.
“Now, I’ll need to digest the final rules and understand what additional things I’ll need to do,” Bock added. “I think it’s doable.”
Experts said they do believe the new guidelines have some merit. McNelly said they are a drastic improvement over the guidelines put out by the FFIEC in 2005.
“The good news is that it significantly improves the prescriptive approach to security,” she said. “The threat environment has increased significantly and criminals are actively targeting credit unions and community banks. It says that not only is single-factor authentication not enough, but that you must have a layered approach.”
Ken Otsuka, senior risk management analyst for CUNA Mutual, also believes CUs will benefit from the outlined layered security recommendations.
“Layered security involves implementing multiple controls at different points in the transaction process and can strengthen the overall security structure of online banking services,” Otsuka said. “If one control is compromised, other layers of controls are in place to prevent or detect fraudulent transactions.”
Goldwasser and Howell said the new guidelines represent the government’s acknowledgement of financial institution fraud as an issue and should spur communication between institutions.
“It lets people acknowledge that elephant in the room, which is risk and fraud,” Goldwasser said. “The best thing is that it opens the door to that conversation.”