Counterstrike: The FFIEC Attacks Online Fraud

Recent statistics show that not only do the problems of phishing and online fraud continue to mount, they are potentially taking a dangerous new direction – an increased use of “malware” programs designed to steal logins and passwords. With these trends, it is no wonder that the Federal Financial Institutions Examination Council (FFIEC) struck back against online fraud in October. The Council issued guidance aimed at eliminating reliance solely on single factor passwords for online banking. Financial institutions are expected to achieve compliance with the guidance no later than year-end 2006. The risks to online transactions themselves are constantly evolving. While phishing remains a serious threat, fraudsters are expanding the use of software programs broadly called “Trojans,” after the famous Greek attack on the city of Troy. Like the soldiers in the mythical gift horse, Trojan programs slip in quietly and unseen. The programs and their password stealing malicious code hide behind innocuous looking Web content like song lyrics, screensavers or cheat codes. While this content is often designed to appeal to children and teens that may share the family PC, the Trojans programs themselves target credit union, bank and broker login information – IDs, passwords and other common authentication tools. The Anti-phishing Working Group recently reported a significant increase in such programs identified on peoples’ PCs, up more than two-fold since April alone. As further proof, antivirus software leader Symantec recently announced that viruses designed to capture confidential information made up three quarters of the top 50 viruses, worms and Trojans during the first six months of 2005, up from 54% in the last six months of 2004. The financial damages continue to mount as well. FBI data shows the number of Internet-related credit card crime reports rose 66% in 2004 and the average reported loss associated with the online scams tripled to $2,400 from $800 in 2003. The FFIEC is now requiring financial institutions take specific actions to confront this serious problem. The guidance document, “Authentication in an Internet Banking Environment” of October 12, 2005, describes enhanced authentication methods that regulators expect financial institutions to use when authenticating the identity of customers using their online products and services. In a clear statement that passwords alone are no longer adequate protection, the guidance states, “The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.” Some have argued about what constitutes “high-risk transactions,” but as the statistics above show, anything online is “high-risk.” As a leading provider of online authentication today, we have been talking directly with the architects of the FFIEC guidance and the examiners who will enforce it. They have made their intent clear. They consider any access to non-public customer data as a high-risk element of online banking, just as defined by the Gramm Leach Bliley act. The guidance also tells financial institutions what they expect them to do. “Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. . . . Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation,” it says. Any ambiguity as to the intent of this language has been put to rest at recent industry conferences. Spokespersons representing the FFIEC and its agencies have been stating explicitly that they expect broad deployment of two-factor authentication backed up by additional layered security to protect both the viewing of customer data and transactions by the year-end 2006 deadline. The FFIEC also presented some criteria by which to judge success, stating, “An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.” This makes it clear the examiners and its affiliated agencies expect real action that both solves the problem and is widely used by consumers. This makes scalability and ease of use very important qualities of any successful strategy to improve online security. While credit unions and banks may not be very excited about having to implement more security because of new regulations, there is a much more critical reason for stepping up to this problem – customer confidence. A new study published this month shows customers are losing confidence in the online channel, confidence that must be restored so it can continue to grow. Research conducted by independent research firm InfoSurv Inc. found that 18% of all respondents have decreased their use of online banking or have stopped banking online completely in the past 12 months due to concerns regarding the security of their online identity. And customers appear to be ready to reward those who take online security seriously. According to new research from Unisys Corporation, 45% of consumers worldwide are willing to switch to financial institutions that offer more security protection. Based on the personal experiences of our executives, at Intuit with Quicken and Turbo Tax and with PayPal, these surveys ring true. Time and again experience showed that engaging the customers with keeping their data safe improves their confidence in your solution and increases their loyalty to your product.