Financial institutions urged to look beyond FFIEC rules

Financial institutions that truly want to bolster their online security need to look beyond the requirements of new strong authentication guidelines set to take effect Dec. 31, industry analysts said.

The guidelines are from the Federal Financial Institutions Examination Council (FFIEC) and require banks and credit unions to implement strong authentication measures to protect online users against ID theft and other types of fraud. They also call on financial institutions to upgrade current single-factor authentication processes -- typically based on usernames and passwords -- with a stronger, second form of authentication. The guidelines are not required by law, but the FFIEC has said it will start auditing banks for compliance next year.

The guidelines have been successful in getting the financial industry to turn its attention to the issue of online security, said Avivah Litan, an analyst with Gartner Inc. of Stamford, Conn. About two-thirds of the financial institutions in the U.S. are likely to have stronger authentication processes in place by the time the deadline passes, she said.

But because the focus is largely on front-end access controls -- and less on what happens at the transaction level -- the FFIEC guidance by itself is inadequate against emerging security threats, said Don Phan an analyst with Javelin Strategy & Research in Pleasanton, Calif.

"We don't consider FFIEC guidance alone to be strong enough to make the consumer safer" against online security threats, he said. "Financial institutions must set their goals higher than FFIEC compliance."

Phan recommends the use of risk assessment and alerting measures both at the log-in stage and for real-time monitoring of an account holder's activities in-session. Such measures are needed to fight fraud that can result if hackers manage to compromise strong authentication processes during log-in, he said. Already, for instance, fraudsters have found a way to break the one-time passwords that some banks have begun using as a second form of user authentication, Phan said.