The Federal Financial Institutions Examination Council (FFIEC) issued new guidance titled “Authentication and Access to Financial Institution Services and Systems” on behalf of its members in August 2021. It offers 11 tips for authentication and access to financial systems. FFIEC was established in March 1979 to prescribe uniform principles, standards and report forms for the federal examination of financial institutions and to promote uniformity in their supervision. The new guidance replaces the FFIEC-issued Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011). Those two publications provided risk management guidance to financial institutions that offered internet-based products and services. This article discusses some of the tips and practices from the new guidance below.
The Purpose of the New Guidance
The new guidance aims to provide direction on authentication and access to digital banking services and information systems. It offers examples of effective risk management principles and practices for authentication and access, and helps financial institution management evaluate new authentication threats and control practices.
The new guidance addresses issues such as:
1. The need to conduct a risk assessment for access to and authentication of users and customers, so that information systems, accounts and data are protected from cybersecurity threats.
2. The importance of extending authentication practices beyond customers to include employees, third parties and service accounts accessing financial institution systems and services.
3. The use of multi-factor Authentication (MFA), or controls of equivalent strength, to mitigate risks of unauthorized access effectively.
4. Alignment with other safety and soundness standards and other laws and regulations governing financial institutions.
Section One: Highlights of Guidance
In this section, the guidance identifies two main groups that require authentication. The first group is the users that access the financial institution’s information systems. Users include employees, third parties, board members, service accounts, installed applications and devices. The second group is the customers and consumers granted access to the digital banking services the institution offers.
The level of authentication the financial institution requires depends on factors such as the operational and technological complexity of the institution, its assessment of the risk environment, and its risk appetite and risk tolerance.
Some of the best practice tips highlighted include:
1. Conduct a thorough risk assessment of the digital banking and information system environment for the access and authentication issues that might arise.
2. Inventory all users and customers that access the financial institution’s systems and services, and identify those that require stronger authentication and access controls.
3. Monitor the activities of users and customers and implement layered security controls to prevent unauthorized access.
4. Ensure that the identity of every user and customer is verified before access to the financial institution’s systems and services is granted.
5. Evaluate the effectiveness of the user and customer authentication controls in place on a regular basis.
6. Maintain awareness and education programs for users and customers on the importance of authentication and access controls.
Section Two: Threat Landscape
In this section, the guidance points out that financial institutions are increasingly exposed to authentication risks. The risks arise from new technologies that allow third parties to reach the institution’s information systems and that enable remote access to them. Examples include cloud computing service providers and Application Programming Interfaces (APIs). Each of these entry points gives malicious actors another opportunity to gain access and cause data breaches at the financial institution and its affiliates.
Specific controls can be put in place to reduce the authentication risk created by the larger number of access points. Using out-of-band communication and encryption protocols to support secure authentication is one way of doing that. Attackers also use automated tools such as credential-stuffing and password-cracking software, which render controls previously considered adequate ineffective. Single-factor authentication is one such inadequate control, since a password alone falls to a guessed, phished or leaked credential. Multi-factor authentication, combined with other layered security controls, is now the more effective option.
Section Three: Risk Assessment
In this section, the guidance emphasizes the need for financial institutions to conduct risk assessments before implementing new financial services. For example, when introducing a digital payment service, it is vital to assess the access and authentication risks that the service might introduce. The assessment should also consider other business and non-business variables. A risk assessment identifies the threats and vulnerabilities that affect access and authentication practices, and its results drive the choice of authentication techniques and access management controls. It is important to note that the risk assessment should be repeated periodically throughout the life cycle of the product or service, not only at launch.
Some areas listed that require risk assessments include:
1. The inventory of all information systems and their components that need authentication. This includes the hardware, the operating system, applications, infrastructure devices and other information systems provided by third parties such as cloud service providers.
2. The inventory of digital banking services, customers and transactions that require authentication. This considers the nature of each service, customer or transaction and how much risk it poses to the institution.
3. Customers involved in high-risk transactions, as determined by the dollar amount or the frequency of transactions. These carry a greater potential for financial loss or data breach.
4. The users of the financial institution’s information system and data. They include the employees, third parties and service accounts.
5. High-risk users that warrant advanced authentication. They include privileged users with access to critical systems and data.
6. Threats that can potentially affect the financial institution’s system, data, user accounts, and customer accounts.
7. The design and effectiveness of the controls adopted.
Section Four: Layered Security
In this section, the guidance outlines various controls that financial institutions can adopt to prevent, detect, and correct potential weaknesses in their systems. Depending on the level of risk involved, the layered security approach offers authentication solutions suitable for each need.
Some of the controls outlined include:
● Multi-factor Authentication
● User time-out
● System hardening
● Network segmentation
● Monitoring processes
● Transaction amount limits
● Assigning user access rights (granting only the access each user needs)
Section Five: Multi-Factor Authentication as Part of a Layered Security
In this section, the guidance indicates that MFA, or controls of equivalent strength, as part of layered security, is more effective in mitigating risk. Following NIST, MFA is defined as an authentication system that requires more than one distinct authentication factor for successful authentication, the factors being something you know, something you have and something you are. Authenticators that realize these factors include memorized secrets, look-up secrets, out-of-band devices, one-time password devices, biometric identifiers and cryptographic keys. Two authenticators of the same factor type (for example, a password plus a security question) do not constitute MFA. Whatever authenticators a financial institution decides to use, it should ensure that they are user-friendly, convenient, and provide the desired security strength.
Section Six: Monitoring, Logging, and Reporting
In this section, the guidance emphasizes the importance of financial institutions having controls and processes in place for monitoring, activity logging and reporting. These processes are crucial for determining whether an unauthorized party attempted or achieved access, and the logged details enable timely investigation of and response to unusual activity.
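As an added illustration of what the monitoring and logging controls in this section feed, and of the automated credential attacks mentioned in Section Two, the following example (not tooling from the FFIEC guidance) runs simple detection logic over authentication log lines. The log format, field names and thresholds are assumptions, and the log lines are constructed for the example. It flags a source that fails against many distinct accounts (password spraying), a success from such a source, and a success that follows repeated failures on one account.

```python
"""Added example: detection over constructed authentication log lines.
Format, thresholds and sample data are assumptions, not from the FFIEC guidance."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: ISO-8601 UTC timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source spraying six accounts, one account brute-forced, one normal login.
SAMPLE_LOG = """\
2021-09-01T10:00:01Z login user=alice src=203.0.113.5 result=fail
2021-09-01T10:00:02Z login user=bob src=203.0.113.5 result=fail
2021-09-01T10:00:03Z login user=carol src=203.0.113.5 result=fail
2021-09-01T10:00:04Z login user=dave src=203.0.113.5 result=fail
2021-09-01T10:00:05Z login user=erin src=203.0.113.5 result=fail
2021-09-01T10:00:06Z login user=frank src=203.0.113.5 result=ok
2021-09-01T10:05:00Z login user=grace src=198.51.100.7 result=fail
2021-09-01T10:05:10Z login user=grace src=198.51.100.7 result=fail
2021-09-01T10:05:20Z login user=grace src=198.51.100.7 result=fail
2021-09-01T10:05:30Z login user=grace src=198.51.100.7 result=ok
2021-09-01T11:00:00Z login user=heidi src=192.0.2.9 result=ok
"""


def parse(text):
    """Parse log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline should count and report unparsable lines
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "src": m["src"], "result": m["result"],
        })
    return events


def detect(events, window=timedelta(minutes=10), spray_accounts=5, brute_fails=3):
    """Return a list of alert dicts in chronological order."""
    alerts = []
    fails_by_src = defaultdict(list)   # src -> [(ts, user)] for failed logins
    fails_by_user = defaultdict(list)  # user -> [ts] for failed logins
    sprayed = set()                    # sources already reported, to avoid repeat alerts
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        # Distinct accounts this source has failed against inside the window.
        recent_accounts = {u for t, u in fails_by_src[src] if ts - t <= window}
        if ev["result"] == "fail":
            fails_by_src[src].append((ts, user))
            fails_by_user[user].append(ts)
            recent_accounts.add(user)
            if len(recent_accounts) >= spray_accounts and src not in sprayed:
                sprayed.add(src)
                alerts.append({"type": "password_spray", "src": src,
                               "accounts": len(recent_accounts), "at": ts})
        else:
            # A success from a spraying source matters most: per-account counting
            # misses it, because each account may have seen only one failure.
            if len(recent_accounts) >= spray_accounts:
                alerts.append({"type": "success_from_spraying_source",
                               "src": src, "user": user, "at": ts})
            recent_user_fails = [t for t in fails_by_user[user] if ts - t <= window]
            if len(recent_user_fails) >= brute_fails:
                alerts.append({"type": "success_after_failures", "user": user, "src": src,
                               "failures": len(recent_user_fails), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately low so the sample triggers; in production they are tuned from baseline traffic, and the alerts would be routed to the reporting process the guidance calls for rather than printed.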
Section Seven: Email Systems and Internet Browsers
In this section, the guidance points out how email systems and internet browsers are used to gain unauthorized access. Through social engineering and phishing, attackers exploit misconfigured applications and unpatched vulnerabilities in these tools as entry points into the financial institution’s systems and data.
Some tips for mitigating email and browser risks include:
● Implement secure configurations
● Implement layered security techniques
● Patch vulnerabilities
● Block browser pop-ups and redirects
● Limit the running of scripting languages
Section Eight: Call Center and IT Help Desk Authentication
The guidance notes that a common way threat actors gain unauthorized access is by deceiving customer call center and IT help desk representatives, for example into resetting a credential or disclosing account information. To mitigate that risk, financial institutions should authenticate callers before acting on their requests and educate their staff and users on those processes.
Section Nine: Data Aggregators and Other Customer-Permissioned Entities (CPE)
In this section, the guidance explains how CPEs such as data aggregators can pose a threat to a financial institution’s customers. They obtain access to a customer’s account information either by collecting the customer’s login credentials directly (credential-based access) or through API-based or token-based access. To manage these authentication issues, financial institutions should assess the associated risks and put in place controls that limit and monitor CPE access to digital banking services.
Section Ten: User and Customer Awareness Education
The section assigns financial institutions the responsibility to maintain regular user and customer awareness education programs. Such a program educates users and customers on authentication risks and other security concerns when using digital banking services. When an institution educates its stakeholders, its other authentication and access control measures work more effectively.
Section Eleven: Customer and User Identity Verification
In this section, the guidance emphasizes the importance of financial institutions implementing reliable identity verification methods. Identity verification reduces the risk of identity theft, fraudulent account activity, and transactions and agreements that turn out to be unenforceable.