Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

The FFIEC and Password-Generating Tokens

In June 2011, the FFIEC (Federal Financial Institutions Examination Council) issued a “Supplement to Authentication in an Internet Banking Environment,” available at http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf

The FFIEC comprises five financial regulatory agencies, namely, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and the Office of Thrift Supervision. These are the regulatory agencies that oversee U.S. banks, but not the securities industry, which is under the purview of the SEC (Securities and Exchange Commission).

The original guidance entitled “Authentication in an Internet Banking Environment” was issued in October 2005, more than five years ago, and was itself based on the August 2001 guidance “Authentication in an Electronic Banking Environment.” The former is available at http://www.ffiec.gov/pdf/authentication_guidance.pdf   The 2011 supplement is justified, according to the Guidance document, because “[s]ince 2005, there have been significant changes in the threat landscape.” To see an extensive list of recent hacks, go to the August 6, 2011 CNET post by Elinor Mills “Keeping up with the hackers (chart)” at http://news.cnet.com/8301-27080_3-20071830-245/keeping-up-with-the-hackers-chart/?tag=mncol;title and click on the link to the chart.

The bottom line is that the FFIEC has been advising banks about managing the risks of online banking for at least a full decade. And yet, because of the changing threat environment, there seems to be an increasing number of ever-more damaging hacks against online banking and payment card accounts as the above-mentioned chart depicts.

Between the 2005 and 2011 FFIEC Guidance reports, there have been a number of significant events, not least of which was the attack on RSA, which was reported in March 2011, and the consequent compromise of SecurID tokens. So, just as an exercise, I decided to see how the guidance might have changed in this area.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*