The Federal Financial Institutions Examination Council has issued updated guidance advising banks to use stronger access controls and multifactor authentication. Some experts call the update “long overdue.”
The document replaces FFIEC guidance issued in 2005 and 2011. It does not impose any new regulatory requirements.
The FFIEC, an interagency body comprising five government regulators that creates standards for the federal examination of financial institutions, acknowledges the need for effective authentication to protect information systems, accounts and data as the threat landscape changes. The guidance provides banks with security recommendations for customers, employees and third parties accessing digital services.
The FFIEC reminds banks and customers that weak access controls – such as single-factor authentication – and inadequate risk assessments expose financial data to immense risk.
The guidance also “recognizes that authentication considerations have extended beyond customers, and include employees, third parties and system-to-system communications.”
Key Recommendations
The FFIEC document points to the need for:
- Defined “layered security” practices;
- Comprehensive risk assessments to determine appropriate access;
- Monitoring, logging and reporting activity to identify and track unauthorized access;
- Controls for email systems and internet access.
Threat Landscape
The FFIEC says the potential attack surface for financial institutions has expanded “with the evolution of new technologies and broadly used remote access points.” It cites the proliferation of mobile computing, smart phone applications and “bring your own” devices.
“These technologies and access points provide attackers with more opportunities to obtain unauthorized access, commit fraud and account takeover or exfiltrate data,” the guidance states.
Authentication risks arise from expanded remote access to IT systems, other third parties – such as cloud service providers – now accessing systems, and the use of application programming interfaces, the FFIEC says.
“Attackers use technologies, such as automated password cracking tools, and compromised credentials in their attacks against financial institutions,” the guidance states. “Older or unsupported information systems may be especially vulnerable to attacks because security patches and upgrades for authentication controls can be more difficult to obtain.”
Multifactor authentication, the guidance states, is “an effective practice to secure against financial loss and data compromise caused by various threats.” Combining MFA with network segmentation and least privilege user access – in which users are given the minimum level of access – can help mitigate the risks, it says.
Risk Assessments
A risk assessment must be conducted before implementing new financial services, such as faster payments, the FFIEC notes.
Effective assessment practices include:
- Creating an inventory of information systems, including hardware, operating systems, applications, infrastructure devices, APIs, data and other assets requiring authentication/access controls;
- Identifying customers engaged in high-risk transactions;
- Identifying threats, including malware/ransomware, man-in-the-middle attacks, credential abuses and phishing attacks;
- Assessing controls, including reviewing their design and effectiveness.
Layered Security
The FFIEC emphasizes the importance of “layered” controls, which can compensate for potential weaknesses elsewhere. These include: MFA, user time-out, system hardening, network segmentation, monitoring processes and transaction amount limits.
“Authentication controls with increased strength have been shown to be effective for customers and users engaged in high-risk transactions and activities,” the FFIEC says.
Multifactor authentication can mitigate several risks associated with unauthorized access, the guidance points out. Even as remote access expands, requiring MFA for user credentials can improve the security of access channels.
Ongoing Education
Customer awareness programs, the FFIEC states, “can complement the layered security controls implemented to protect customers and can lower access and authentication risks.”
These programs, it adds, can help users determine the legitimacy of third-party communications and understand existing controls, account monitoring processes, external threats – such as phishing and mobile-based Trojans – and legal recourse in the event of a breach.
Helpful But Overdue
John Ackerly, former associate director of the National Economic Council at the White House, says the guidance is “long overdue” and particularly crucial with the introduction of third-party access in the cloud era.
Commenting on combating online fraud and protecting the integrity of sensitive data, Ackerly adds: “The good news is that the White House and industry groups are starting to address this – including within President Biden’s executive order on cybersecurity.”
Ackerly, co-founder and CEO of the security firm Virtru, says that Secure Access Service Edge, or SASE – a cloud service networking and security strategy aimed at the user or endpoint – is the “way the world is going,” and multifactor authentication is one piece of the puzzle in “fine-grained control over who’s accessing what.”
Kim Phan, privacy and data security partner at the law firm Ballard Spahr, adds: “The new guidance more fully recognizes the complexity of the financial services ecosystem. Whereas prior guidance focused on authenticating the identity of customers, the new guidance recognizes that there are many other users of any one financial institution’s systems.”
Phan says that the inclusion of multifactor authentication in each iteration of the guidance “demonstrates how this continues to be an important tool to mitigate risk, but is also continuously evolving.”
(Except for the headline, this story has not been edited by The Technology Express staff and is published from a syndicated feed.)