With the FFIEC Authentication Guidance update, regulators have raised the bar: Traditional security controls are insufficient. Banking institutions now must adopt a layered approach to securing high-risk online banking systems.
But how does one choose among all of the layered security options? And then, after selecting controls, what are the elements of an effective layered security strategy that satisfies the guidance and enhances security?
Join George Tubin, a foremost industry analyst, for his expert insights on:
FFIEC Authentication Guidance and expectations for layered security controls;
Strengths/weaknesses of most popular controls, from out-of-band authentication to voice-based biometrics;
An effective layered security framework that includes the device, user, transaction and network.
Device identification. One-time password tokens. Out-of-band authentication. When it comes to layered security controls, there are countless options available to help banking institutions comply with the FFIEC Authentication Guidance. But how does a banking/security leader make the right choices to satisfy the guidance and secure the institution's systems?
To answer this question, one first must understand the FFIEC's definition: "Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control."
And while banking regulators don't endorse any specific controls, they do offer these options as elements of a layered security program:
Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
Dual customer authorization through different access devices;
Out-of-band verification for transactions;
"Positive pay," debit blocks, and other techniques to appropriately limit the transactional use of the account;
Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows [e.g., days and times];
Internet protocol [IP] reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities;
Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud;
Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels; and
Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.
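To show how several of the controls listed above fit together in a layered design, where a weakness in one control is compensated for by another, here is an added Python example. It is constructed for this page and is not code from the webinar, from the FFIEC, or from any vendor: the per-customer thresholds, the allowable payment window, the IP block list standing in for a reputation feed, and the customer history are all made-up values. Each control inspects the same payment independently, and the strictest finding decides whether the payment is allowed, blocked, or sent for step-up (for example, out-of-band) verification.

```python
"""Layered transaction screening: independent controls, one decision.

Constructed example. Thresholds, the IP block list and the sample
customer history are illustrative values, not real data.
"""
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev
from typing import Callable, List, Optional, Set, Tuple

Finding = Optional[Tuple[str, str]]  # (control name, requested action)


@dataclass
class CustomerProfile:
    customer_id: str
    known_payees: Set[str]
    recent_amounts: List[float]           # history used by the behaviour control
    value_threshold: float = 5000.0       # per-transaction value threshold
    max_per_day: int = 3                  # transactions allowed per day
    payment_days: Set[int] = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon-Fri
    payment_hours: Tuple[int, int] = (8, 18)  # allowable window, local hours


@dataclass
class Payment:
    customer_id: str
    amount: float
    payee: str
    source_ip: str
    submitted_at: datetime
    prior_today: int  # payments already submitted by this customer today


# Constructed block list standing in for an IP reputation feed.
BAD_IPS = {"203.0.113.7"}


def check_ip_reputation(p: Payment, prof: CustomerProfile) -> Finding:
    return ("ip_reputation", "block") if p.source_ip in BAD_IPS else None


def check_daily_count(p: Payment, prof: CustomerProfile) -> Finding:
    return ("daily_count", "block") if p.prior_today + 1 > prof.max_per_day else None


def check_value_threshold(p: Payment, prof: CustomerProfile) -> Finding:
    return ("value_threshold", "step_up") if p.amount > prof.value_threshold else None


def check_payment_window(p: Payment, prof: CustomerProfile) -> Finding:
    start, end = prof.payment_hours
    in_days = p.submitted_at.weekday() in prof.payment_days
    in_hours = start <= p.submitted_at.hour < end
    return None if (in_days and in_hours) else ("payment_window", "step_up")


def check_new_payee(p: Payment, prof: CustomerProfile) -> Finding:
    # A first payment to an unknown recipient is verified out of band.
    return ("new_payee", "step_up") if p.payee not in prof.known_payees else None


def check_behaviour(p: Payment, prof: CustomerProfile) -> Finding:
    # Simple anomaly check: amount far outside this customer's own history.
    hist = prof.recent_amounts
    if len(hist) < 5:
        return None  # not enough history to judge
    mu, sigma = mean(hist), pstdev(hist)
    sigma = sigma if sigma > 0 else max(mu * 0.1, 1.0)
    return ("behaviour_anomaly", "step_up") if abs(p.amount - mu) > 3 * sigma else None


# Every control runs on every payment; order only affects the report order.
CONTROLS: List[Callable[[Payment, CustomerProfile], Finding]] = [
    check_ip_reputation, check_daily_count, check_value_threshold,
    check_payment_window, check_new_payee, check_behaviour,
]


def screen_payment(p: Payment, prof: CustomerProfile) -> Tuple[str, List[str]]:
    """Return (decision, [controls that fired]); the strictest action wins."""
    findings = [f for f in (c(p, prof) for c in CONTROLS) if f]
    actions = {action for _, action in findings}
    if "block" in actions:
        decision = "block"
    elif "step_up" in actions:
        decision = "step_up"  # e.g. out-of-band verification before release
    else:
        decision = "allow"
    return decision, [name for name, _ in findings]


# Constructed sample customer: a small business paying one regular supplier.
SAMPLE_PROFILE = CustomerProfile(
    customer_id="cust-001",
    known_payees={"ACME-ELECTRIC"},
    recent_amounts=[120.0, 135.0, 110.0, 140.0, 125.0],
)
TUESDAY_10AM = datetime(2024, 3, 5, 10, 0)
SUNDAY_10PM = datetime(2024, 3, 3, 22, 0)

if __name__ == "__main__":
    for pay in (
        Payment("cust-001", 130.0, "ACME-ELECTRIC", "198.51.100.4", TUESDAY_10AM, 0),
        Payment("cust-001", 4800.0, "NEW-PAYEE-LTD", "198.51.100.4", TUESDAY_10AM, 0),
        Payment("cust-001", 130.0, "ACME-ELECTRIC", "203.0.113.7", TUESDAY_10AM, 0),
        Payment("cust-001", 130.0, "ACME-ELECTRIC", "198.51.100.4", SUNDAY_10PM, 3),
    ):
        print(pay.amount, pay.payee, "->", screen_payment(pay, SAMPLE_PROFILE))
```

The second sample payment stays under the value threshold, so that control alone would let it through; the new-payee and behaviour controls still catch it, which is the compensating effect the FFIEC definition describes. The fourth shows two controls of different strictness firing together, with the block decision taking precedence over step-up.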
It's a broad menu that can leave many leaders with more questions than answers. To help make sense of these options, industry analyst George Tubin leads a discussion on how to craft an effective layered security program. Among the topics Tubin tackles:
FFIEC Authentication Guidance - What the update says about layered security and what's no longer sufficient.
Fraud Prevention Technologies - An in-depth look at the most popular security controls, reviewing strengths and weaknesses of each. Included: Out-of-band authentication, anomaly detection, account-based restrictions, voice biometrics and more.
Layered Security Strategy - How to put the pieces in place to secure not just the transaction, but also the user, device and network.
Tubin is Director of Marketing at Transmit Security and a recognized expert in digital banking and payments security and cyber-fraud prevention. He was previously Vice President of Marketing at Socure and Senior Research Director with the leading financial services research firm CEB TowerGroup (acquired by Gartner, Inc.) where he delivered thought leadership and insights to leading financial services institutions, technology providers, and consultancies on business strategies, technologies, and market trends in retail, Internet and mobile banking, and fraud management.