Presentation on theme: "FFIEC Agency Supplement to Authentication in an Internet Banking Environment http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf."— Presentation transcript:
1FFIEC Agency Supplement to Authentication in an Internet Banking Environment Released: June 2011
2Risk Assessment Review and Update: As new information becomes availablePrior to implementing new servicesAt least every 12 monthsConsider the following:Changes in threat environmentChanges in membership baseChanges in functionalityActual incidents of breach and fraud
3High-Risk Transactions Defined as:Electronic transactions involving access to member information or the movement of funds to other parties.Not every online transaction poses the same level of risk.Consumer online bankingLayered SecurityCommercial online bankingLayered Security AND Multifactorauthentication.
4Layered Security Effective Controls include: Fraud detection and monitoring systemsUse of dual member authorizationUse of out-of-band verificationUse of positive pay and debit blocksEnhanced controls over activitiesBlock connection to IP address known for fraudAddress member devices identified as compromisedEnhanced control over maintenance activitiesEnhanced member education
5Layered Security Programs Detect and Respond to Suspicious ActivityAt initial log-in and authenticationAt initiation of transfer to other partiesControls for Admin functions-Business AccountsAdditional authentication routine
6Effectiveness of Techniques Device IdentificationSimple – i.e. CookiesSophisticated – i.e. Digital fingerprintChallenge QuestionBasic QuestionsOut of Wallet Questions
7Member Awareness and Education Increase awareness and mitigate riskInclude business and personal account holdersInclude:Protections under Regulation EWhen the CU would contact member for credentialsSuggest commercial members perform Risk AssessmentMechanisms to mitigate riskList of CU contacts for members use