FFIEC Agency Supplement to Authentication in an Internet Banking Environment (Released: June 2011)
http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf


Page 1

FFIEC Agency Supplement to Authentication in an Internet Banking Environment

http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf

Released: June 2011

Page 2

Risk Assessment

Review and update:
- As new information becomes available
- Prior to implementing new services
- At least every 12 months

Consider the following:
- Changes in the threat environment
- Changes in the membership base
- Changes in functionality
- Actual incidents of breach and fraud

Page 3

High-Risk Transactions

Defined as: electronic transactions involving access to member information or the movement of funds to other parties. Not every online transaction poses the same level of risk.

- Consumer online banking: layered security
- Commercial online banking: layered security AND multifactor authentication

Page 4

Layered Security

Effective controls include:
- Fraud detection and monitoring systems
- Use of dual member authorization
- Use of out-of-band verification
- Use of positive pay and debit blocks
- Enhanced controls over activities
- Blocking connections from IP addresses known for fraud
- Addressing member devices identified as compromised
- Enhanced controls over maintenance activities
- Enhanced member education

Page 5

Layered Security Programs

Detect and respond to suspicious activity:
- At initial log-in and authentication
- At initiation of a transfer to other parties

Controls for administrative functions on business accounts:
- Additional authentication routine
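The controls listed on the two preceding slides, combined into a single transfer-time decision as an added example (not code from the FFIEC supplement or the presentation); the blocklist, compromised-device list, debit-block list and dual-authorization threshold are constructed sample values, and the `Transfer` fields and `evaluate_transfer` function are assumptions of this example:

```python
from dataclasses import dataclass
from typing import List

# Constructed sample data for the example (not real indicators):
FRAUD_IPS = {"203.0.113.7"}            # IP addresses known for fraud (RFC 5737 test range)
COMPROMISED_DEVICES = {"dev-4421"}     # member devices identified as compromised
DEBIT_BLOCKED_ACCOUNTS = {"acct-900"}  # accounts with a debit block in place
DUAL_AUTH_THRESHOLD = 10_000.00        # assumed policy amount requiring dual authorization


@dataclass
class Transfer:
    """Assumed attributes of a transfer request to other parties."""
    account: str
    amount: float
    new_payee: bool        # first transfer to this payee
    commercial: bool       # commercial (business) account
    ip: str
    device_id: str
    mfa_passed: bool       # multifactor authentication completed this session
    approvers: int = 1     # distinct members who have authorized the transfer
    oob_verified: bool = False  # out-of-band verification completed


def evaluate_transfer(t: Transfer) -> List[str]:
    """Apply the layers in order and return the required actions.

    "block:*" entries stop the transfer outright; "require:*" entries are
    step-up controls the member must satisfy before the transfer proceeds.
    An empty list means every layer passed.
    """
    actions: List[str] = []
    # Layer 1: hard blocks from fraud monitoring and device hygiene.
    if t.ip in FRAUD_IPS:
        actions.append("block:fraud_ip")
    if t.device_id in COMPROMISED_DEVICES:
        actions.append("block:compromised_device")
    if t.account in DEBIT_BLOCKED_ACCOUNTS:
        actions.append("block:debit_block")
    if actions:
        return actions
    # Layer 2: authentication strength (commercial accounts need MFA as well).
    if t.commercial and not t.mfa_passed:
        actions.append("require:multifactor")
    # Layer 3: transaction controls at initiation of a transfer.
    if t.amount >= DUAL_AUTH_THRESHOLD and t.approvers < 2:
        actions.append("require:dual_authorization")
    if t.new_payee and not t.oob_verified:
        actions.append("require:out_of_band_verification")
    return actions
```

In practice the "require" results would also be fed to the fraud monitoring system so that repeated step-up failures on one account or device are visible to the detect-and-respond process.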

Page 6

Effectiveness of Techniques

Device identification:
- Simple, e.g. cookies
- Sophisticated, e.g. digital fingerprint

Challenge questions:
- Basic questions
- Out-of-wallet questions

Page 7

Member Awareness and Education

Increase awareness and mitigate risk.

Include business and personal account holders.

Include:
- Protections under Regulation E
- When the CU (credit union) would contact a member for credentials
- A suggestion that commercial members perform their own risk assessment
- Mechanisms to mitigate risk
- A list of CU contacts for members' use