Complying with FFIEC GuidanceProven Security Solutions for Financial InstitutionsFirst issued in 2005, the Federal Financial Institutions Examination Council’s (FFIEC) Who is Affected?guidance for financial institutions took a strong stance in support of the deployment • Banksof stronger authentication methods, as well as fraud detection techniques, to protect • Thriftscustomer identities and information during online banking transactions. • Mortgage lendersUpdated in 2011, the “FFIEC: Authentication in an Internet Banking Environment” • Credit unions (and their non-functionallyguidance recognizes the significant advances in criminal threats — both in sophistication regulated operating subsidiaries)and sheer frequency. The supplement provides additional comprehensive guidelines • U.S. branches and agencies of foreign banksto help stop advanced attacks that target the identities and transactions of consumersand business-banking customers. • U.S. commercial-lending companies of foreign banksLike the original, the updated guidance is supported by all five members of the • CreditorsFFIEC, which is an interagency body in the United States that sets the principles • Any person or business* who arrangesand standards used for reporting and examining financial institutions. for the extension, renewal or continuation of creditEntrust provides the guidance, expertise and proven solutions to help banks andfinancial institutions comply with the FFIEC’s latest requirements and recommendations. * In addition to banking institutions, retailers,To help organizations protect against a broad range of online and mobile threats, utilities, car dealers and many other businessesEntrust offers the broadest range of solutions to ensure that an effective balance are subject to this regulation.of security, user experience and total project cost is achieved.A New FocusThe original 2005 FFIEC guidance was a major impetus to the adoption of strongerauthentication beyond standard username and password schemes.But the growth of online threats, such as the ZeuS Trojan and man-in-the-browserattacks, coupled with the growing losses among business, served as the catalyst forthe FFIEC to revisit those guidelines.With a focus on the ongoing threats to customer- and business-banking transactionsand respective identities, the FFIEC’s updated guidance addresses the following areasof focus.
Guidance & Recommendation Entrust Enables FFIEC ComplianceDrive Better Risk Assessment Much like with the 2005 FFIEC guidelines, Entrust offersFinancial institutions require a better understanding of the proven solutions to help organizations and financialsophisticated threats and their appropriate, timely response. institutions comply with the new mandates. Entrust’sThis includes guidance for regular reviews by the banks of comprehensive security framework — comprised of severalinternal systems and the ability of these systems to detect proven security solutions — is cost-effective, simple to deployand deal with fraud threats. and easy for end-users.Adopt Stronger Authentication Standards Entrust IdentityGuard:While the 2005 guidance stated that usernames and passwords Software Authentication Platformweren’t enough, today’s threats require even stronger means of Much of the FFIEC guidance focuses on the adoption of strongauthentication, particularly for high-risk transactions (e.g., ACH authentication — for consumers and commercial banking useand wire transfers for commercial transactions). alike. Banks are directed to provide commercial customers with strong multifactor authentication. It also requiresPush toward Layered Security financial institutions to adopt the use of stronger transparentMultiple layers of process or controls have been proven to help authentication — such as session-based device authenticationdefend against identity attacks, including advanced malware. (e.g., one-time cookie or dynamic device authentication) —If one security layer fails, subsequent barriers are in place to thwart that is stronger than simple device identification.an attack. Step-up security options can include out‑of‑bandauthentication and advanced transaction verification. Entrust IdentityGuard is a software authentication platform that enables banks to deploy a single authenticationExplore Advanced Authentication Techniques infrastructure capable of providing different types ofAs online fraud attacks increase in sophistication, so does the multifactor authentication, depending upon the typeinnovation in authentication technology required to stop the of user, transaction or risk.attacks in the consumer space. Financial institutions should explore, Just one of the many authenticators supported byfor example, advanced techniques like device authentication Entrust IdentityGuard, digital certificates can be deployed easilyvia one-time session cookies or stronger challenge questions. by Entrust Managed Services PKI — a simple, cost‑effective hosted PKI offering. While providing a convenient authenticationProvide Technology Guidance for Compliance mechanism for users and devices, digital certificates also enableThe FFEIC now provides instruction on technology and banks to tighten security processes within the institution andsolutions, particularly fraud detection platforms, which will enhance security of internal systems.be effective in meeting the new guidelines. This includes fraudtransaction monitoring and/or anomaly detection software. Scratch Pad Mobile Transaction SMS Verification Device Digital Authentication Certificates Knowledge Grid Based IP-Geolocation OTP Tokens Password USB and Smartcards Mutual SOFTWARE AUTHENTICATION PLATFORM Authentication BiometricsFigure 1: A software authentication platform enables financial institutions to select the right authenticator for each user or device based on risk, cost and/or transaction type.
Entrust IdentityGuard Mobile: Entrust TransactionGuard:Transaction Verification Real-Time Fraud DetectionThe updated FFIEC guidance requires banks to Banks are now required to maintain systems capable ofensure systems are in place that thwart attacks preventing fraud attacks and have the ability to analyzewith a layered security approach. In addition incidents that have occurred. The guidance specificallyto providing a convenient, cost‑effective addresses security solutions effective in combating online fraud,approach for stronger authentication via soft including approaches that provide transaction monitoring andtokens, Entrust IdentityGuard Mobile also anomaly detection (i.e., software that detects transactions thatenables out‑of‑band transaction verification. may be inconsistent with established patterns of behavior).This helps users verify whether transaction integrity is intact Entrust TransactionGuard provides robust, real-time capabilitiesor if it has been modified by some form of fraud attack. to protect against online fraud, and offers forensic capabilitiesTransaction verification is a proven approach for banks to to analyze ongoing and/or past transactions to identifydefeat many types of online and mobile malware threats. potential fraudulent activity. Solution Guidance Entrust Entrust Entrust Entrust EV Details IdentityGuard IdentityGuard Transaction Multi-Domain Mobile Guard SSL Digital Certificates Drive Better Risk ✓ ✓ ✓ ✓ Understand how to detect and Assessment thwart threats, as well as analyze security breaches Adopt Stronger ✓ ✓ Use stronger device authentication, Authentication including one-time cookies, to Standards create more complex digital PC fingerprints; increase strength of challenge questions Push Toward ✓ ✓ ✓ ✓ Enable use of different security Layered Security functions at different points in a transaction process; if one is compromised another control is in place Explore ✓ ✓ ✓ Consider innovative security Advanced Fraud controls, including anti-malware & Authentication software for customers, transaction Techniques for monitoring, anomaly detection and Effective Controls mobile transaction verification Provide ✓ ✓ ✓ ✓ Educate customers as to how and Technology where they are protected within Guidance for today’s current fraud landscape Compliance