


by Paul Kerstein

US Advisory Body Calls for More Secure Internet Banking

Oct 18, 2005

A multi-agency U.S. federal advisory body with broad regulatory powers over banks Tuesday issued new guidelines aimed at improving security in Internet-based banking and financial services.

The Federal Financial Institutions Examination Council (FFIEC) updated its guidance for how financial institutions should plan to authenticate customers’ online identities by the end of next year. The FFIEC said authentication of a customer via simple password and ID alone is inadequate for high-risk transactions involving access to customer information or the movement of funds to other partners.

The guidelines, entitled Authentication in an Internet Banking Environment, replace a guidance document issued in 2001, Authentication in an Electronic Banking Environment.

The Washington, D.C.-based FFIEC is composed of member agencies that include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp., the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, along with five representatives from state regulatory agencies.

The FFIEC claims to not endorse any particular technology in its new guidance, which simply emphasizes that the authentication techniques employed by the financial institution should be appropriate to the risks associated with their products and services.

The FFIEC document does provide basic descriptions of several technologies, including digital certificates, smart cards, one-time passwords, USB plug-ins, and biometric identification methods, among others.

The new guidance document, which the FFIEC says it issued due to concerns about phishing, identity theft and online fraud, indicates the FFIEC expects to see stronger authentication methods in place next year.

At the same time, the FFIEC also notes the impact of catastrophic events, such as that caused by hurricanes, could affect the ability of some financial institutions to conform to the guidance within the specified timeframe. In some instances, affected financial institutions would be afforded an extension if circumstances warrant, the FFIEC said.

By Ellen Messmer – Network World (US online)