
Page 1

© Grant Thornton LLP. All rights reserved.

2011 FFIEC Authentication Guidance

Association of Credit Union Internal Auditors

2012 Region 6 Conference

September 27, 2012

Matt Thompson, Managing Director

Chris Huffman, Manager

Page 2

Agenda

• Introductions

• Progression of FFIEC Authentication Guidance

• 2011 Guidance

• Changes in the Marketplace

• What does the Guidance not Address?

• Recommended Next Steps

• Q/A

• Appendix

Page 3

Introductions

Matt Thompson

• Managing Director in Grant Thornton's Southeast Business Advisory Services Practice, based in Raleigh, NC

• Over 17 years' experience in IT audit and cyber security

• Certified Information Systems Auditor (CISA)

• Certified in Risk and Information Systems Control (CRISC)

• PCI-DSS Qualified Security Assessor (QSA)

• Held a General Securities Representative Series 7 license

• Member of the Triad (NC) IIA Board of Governors

• A leader of the Southeast Cyber Security, IT Internal Audit, and IT External Audit practices, along with the National Cyber Security solution group

• Recognized speaker at IIA, ISACA, and NACHA conferences and events, including the IIA GAM & All Star Conferences

Page 4

Introductions

Chris Huffman

• Manager in Grant Thornton's Business Advisory Practice, based in Charlotte, NC

• Over 5 years' experience in IT internal audit

• Certified Information Systems Auditor (CISA)

• Master's degree in Accounting and Information Systems

• Extensive experience with financial institutions' internal audit programs

• Regional and National Trainer for Grant Thornton's Business Advisory Practice

• Member of the Charlotte (NC) IIA Chapter

Page 5

Introductions

Dilbert Wisdom


Page 7

Progression of FFIEC Authentication Guidance

2001 Guidance

• Laid groundwork for future guidance

– Defined acceptable authentication techniques

– Suggested integration of e-banking into the overall risk assessment

Page 8

Progression of FFIEC Authentication Guidance

2005 Guidance

• Updated the 2001 guidance to address new technologies and risks

– Defined transactions that should require multifactor authentication

– Addressed the need for risk-based assessments

– Customer awareness programs


Page 10

2011 Guidance

Group Check

• What has your Credit Union done to address the guidance?

• What changes to the guidance will affect your Credit Union most?

• Have you performed an Internal Audit of your Credit Union's adoption of the 2011 Guidance?

Page 11

2011 Guidance

Overview

• Regulators and examiners have been considering the issue of increased banking fraud and provided updated guidance in June 2011

• Regulatory scrutiny in this area has increased; institutions should carefully examine their Internet banking to determine whether they need to increase the security of high-risk transactions

• The June 2011 guidance will be used by examiners beginning in 2012

Page 12

2011 Guidance

Justification for Latest Guidance

• Internet banking fraud risks are increasing, and grew significantly in 2009 and 2010

• Resulting lawsuits from account takeovers of business accounts have left liability questions under UCC Article 4A unclear

Page 13

2011 Guidance

Justification for Latest Guidance (cont'd)

• The regulatory environment

– Prior (2005) guidance focused on authentication and specifically instructed institutions to implement authentication stronger than single-factor

– Many financial institutions implemented device recognition with challenge questions to comply

Page 14

2011 Guidance

Overview of Guidance

• Risk Assessments

– Differentiation between retail and business transaction risk

• "Agencies recommended that institutions offer multifactor authentication to their business customers"

– Continued focus on risk assessment

– Continued, increased emphasis on layered security programs

Page 15

2011 Guidance

Overview of Guidance (cont'd)

• Layered Security

– Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response

– Dual customer authorization through different access devices

– Out-of-band verification for transactions

Page 16

2011 Guidance

Overview of Guidance (cont'd)

• Layered Security

– Use of "positive pay," debit blocks, and other techniques to appropriately limit the transactional use of the account

– Enhanced controls over account activities

• Transaction value thresholds

• Payment recipients

• Number of transactions allowed per day

• Allowable payment windows (e.g., days)

Page 17

2011 Guidance

Overview of Guidance (cont'd)

• Layered Security

– Internet Protocol (IP) reputation-based tools

– Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud

– Enhanced control over changes to account maintenance activities performed by customers, either online or through customer service channels

Page 18

2011 Guidance

Overview of Guidance (cont'd)

• Layered Security

– Enhanced customer education to increase awareness of the fraud risk and of effective techniques customers can use to mitigate the risk

Page 19

2011 Guidance

Overview of Guidance (cont'd)

• Multifactor Authentication

– Can be implemented with physical tokens or "soft tokens"

– The token generates time-sensitive one-time passcodes from a secret shared between the token and the institution's authentication server

– Relatively effective control, but susceptible to bypass by "man-in-the-browser" malware, which can alter or inject a transaction after the customer has authenticated

• Not to be used alone for high-risk transactions

Page 20

2011 Guidance

Overview of Guidance (cont'd)

• Out-of-Band Authentication

– Involves confirmation using a channel other than the browser

• SMS text message

• Voice phone call

Page 21

2011 Guidance

Overview of Guidance (cont'd)

• Out-of-Band Authentication

– Most effective when:

• Performed at the transaction level

• Includes transaction details (e.g., payee and amount), so the customer confirms what was actually submitted rather than what the browser displayed

• Requests a positive affirmation (such as a PIN code) to proceed with the transaction

– This emerging technology is quickly gaining industry traction for high-risk transactions
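What a token actually computes, and why binding the code to the transaction matters, as an added example (not code from the Grant Thornton deck or from any token vendor): a Python implementation of the HMAC-based one-time passcode that physical and soft tokens generate (RFC 4226 HOTP, RFC 6238 TOTP), beside a transaction-bound variant whose input also covers the payee and amount. That binding is the property that lets an out-of-band confirmation which "includes transaction details" defeat a man-in-the-browser payee swap, while a plain login passcode cannot. The shared secret, six-digit length, 30-second step, one-step clock-skew window and the payee/amount scenario are assumptions constructed for the example.

```python
"""
Added example: time-based one-time passcodes (RFC 4226/6238) beside a
transaction-bound passcode, and the man-in-the-browser case that separates them.
"""
import hashlib
import hmac
import struct
import time

# Assumed secret provisioned to both the token and the server at enrollment.
# Real tokens use a per-user random seed; this constant only lets the example run offline.
SHARED_SECRET = b"example-seed-do-not-use"
STEP_SECONDS = 30
DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset taken from the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated to `digits`."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or +/- skew_steps to absorb token clock drift."""
    counter = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew_steps, skew_steps + 1))


def transaction_code(secret: bytes, payee: str, amount_cents: int, at: int) -> str:
    """
    Transaction-signing variant: the HMAC input also covers payee and amount, so the
    code the customer approves (e.g. after hearing the details over an out-of-band
    channel) is valid only for the transaction they actually saw.
    """
    payload = f"{payee}|{amount_cents}|{at // STEP_SECONDS}".encode()
    return _truncate(hmac.new(secret, payload, hashlib.sha256).digest(), DIGITS)


def verify_transaction_code(secret: bytes, code: str, payee: str, amount_cents: int,
                            at: int, skew_steps: int = 1) -> bool:
    base = at // STEP_SECONDS
    return any(hmac.compare_digest(
                   transaction_code(secret, payee, amount_cents, (base + d) * STEP_SECONDS), code)
               for d in range(-skew_steps, skew_steps + 1))


def mitb_payee_swap(secret: bytes, at: int) -> dict:
    """
    Constructed scenario: the customer enters a login-style TOTP for a $2,500 transfer
    while malware in the browser rewrites the payee before submission. The plain TOTP
    still verifies because it says nothing about the transaction; the bound code fails
    for the attacker's payee and succeeds only for the one the customer approved.
    """
    customer_payee, attacker_payee, amount = "ACME Supplies", "Mule Account 7", 250_000
    login_otp = totp(secret, at)
    signed = transaction_code(secret, customer_payee, amount, at)
    return {
        "plain_totp_accepted": verify_totp(secret, login_otp, at),
        "bound_code_accepted_for_attacker_payee":
            verify_transaction_code(secret, signed, attacker_payee, amount, at),
        "bound_code_accepted_for_real_payee":
            verify_transaction_code(secret, signed, customer_payee, amount, at),
    }


if __name__ == "__main__":
    now = int(time.time())
    print("current TOTP:", totp(SHARED_SECRET, now))
    print(mitb_payee_swap(SHARED_SECRET, now))
```

Run it and the plain TOTP is accepted for whatever the browser submitted, while the transaction-bound code verifies only against the payee and amount the customer confirmed. A real deployment also has to protect the seed server-side, reject a code once it has been used within its step, and rate-limit guesses; the example omits all three.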

Page 22

2011 Guidance

Overview of Guidance (cont'd)

• Securing the Browser

– Generally offered as an "opt-in" offering to business customers

– Can be deployed easily as a "bolt-on" to existing Internet banking environments

Page 23

2011 Guidance

Overview of Guidance (cont'd)

• Securing the Browser

– Provides software that:

• Creates a client-to-server encrypted tunnel

• Prevents keyloggers and other malware from operating

• May provide a cryptographic key that serves as an additional authentication factor

Page 24

2011 Guidance

Overview of Guidance (cont'd)

• Securing the Browser

– Can be deployed in two ways:

• Software only (e.g., Trusteer Rapport), using a downloadable program installed on the client

• Bundled with a USB hardware token (e.g., IronKey), using a secured browser that runs in a virtual operating system on the device

Page 25

2011 Guidance

Overview of Guidance (cont'd)

• Monitoring Transactions

– Regulators very clearly indicated these controls can be automated or manual

– Technology solutions focus on identifying unusual patterns, payees, times of day, or other indicators of risk

– The solutions escalate those "high-risk" transactions for follow-up and manual validation

Page 26

2011 Guidance

Overview of Guidance (cont'd)

• Monitoring Transactions

– To be effective:

• Implement technology along with an overall anti-fraud or other program

• When possible, select and implement solutions that examine transactions from multiple channels

Page 27

2011 Guidance

Overview of Guidance (cont'd)

• Enhanced Customer Awareness and Agreements

– Traditional controls designed to limit fraud risk can be revisited

• Credit limits

• Customer agreements

– Thresholds for volume or dollar limits defined and enforced by the system

– Responsibility for implementing and maintaining controls (consider UCC Article 4A)

Page 28

2011 Guidance

Overview of Guidance (cont'd)

• Transaction Limits

– Limiting transactions by frequency on a daily, weekly, or monthly basis

– Limiting transactions by dollar volume
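The account-activity controls on the Page 16 slide (value thresholds, approved payment recipients, transactions per day, allowable payment windows, positive pay and debit blocks) together with the frequency and dollar-volume limits on the slide above, as one added Python example that is not code from the Grant Thornton deck: a policy check that evaluates an outbound payment against every control before release and reports all the ones it trips. The limit values, the positive-pay allowlist, the field names and the sample payment history are assumptions constructed for the example.

```python
"""
Added example: deterministic, customer-configured account controls applied to an
outbound payment. Every limit and the sample history are constructed values.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class AccountControls:
    """Per-account limits agreed between the business customer and the institution."""
    debit_block: bool = False                      # block every outbound debit
    approved_payees: frozenset = frozenset()       # positive-pay style allowlist; empty = unrestricted
    max_amount_cents: int = 500_000                # single-transaction value threshold ($5,000)
    max_per_day: int = 3                           # number of transactions allowed per day
    daily_cents: int = 1_000_000                   # dollar-volume caps per period
    weekly_cents: int = 3_000_000
    monthly_cents: int = 8_000_000
    payment_days: frozenset = frozenset({0, 1, 2, 3, 4})  # allowable payment window: Mon-Fri


@dataclass(frozen=True)
class Payment:
    when: datetime
    payee: str
    amount_cents: int


def _same_iso_week(a: date, b: date) -> bool:
    return a.isocalendar()[:2] == b.isocalendar()[:2]


def evaluate(payment: Payment, history: list[Payment],
             controls: AccountControls) -> tuple[str, list[str]]:
    """
    Check one outbound payment against every account control and return
    ("permit" | "block", reasons). `history` holds payments already released from
    this account. All violated controls are reported, not only the first, so the
    follow-up with the customer sees the full picture.
    """
    reasons: list[str] = []
    day = payment.when.date()

    if controls.debit_block:
        reasons.append("debit block in force")
    if controls.approved_payees and payment.payee not in controls.approved_payees:
        reasons.append(f"payee not on approved list: {payment.payee}")
    if payment.amount_cents > controls.max_amount_cents:
        reasons.append("exceeds single-transaction value threshold")
    if day.weekday() not in controls.payment_days:
        reasons.append("outside allowable payment window")

    same_day = [p for p in history if p.when.date() == day]
    if len(same_day) + 1 > controls.max_per_day:
        reasons.append("exceeds transactions allowed per day")

    # Dollar-volume limits on a daily, weekly and monthly basis
    periods = {
        "daily": (lambda p: p.when.date() == day, controls.daily_cents),
        "weekly": (lambda p: _same_iso_week(p.when.date(), day), controls.weekly_cents),
        "monthly": (lambda p: (p.when.year, p.when.month) == (day.year, day.month),
                    controls.monthly_cents),
    }
    for name, (in_period, cap) in periods.items():
        released = sum(p.amount_cents for p in history if in_period(p))
        if released + payment.amount_cents > cap:
            reasons.append(f"exceeds {name} dollar limit")

    return ("block" if reasons else "permit"), reasons


# Constructed sample data: a business account with two approved payees and three
# payments already released in the week of the conference (Mon 24 Sep 2012).
CONTROLS = AccountControls(approved_payees=frozenset({"ACME Supplies", "Payroll Provider"}))
HISTORY = [
    Payment(datetime(2012, 9, 24, 9, 10), "ACME Supplies", 400_000),
    Payment(datetime(2012, 9, 24, 11, 30), "Payroll Provider", 350_000),
    Payment(datetime(2012, 9, 25, 10, 0), "ACME Supplies", 200_000),
]


def scenarios() -> dict[str, tuple[str, list[str]]]:
    """Four constructed payments: one within limits, three that trip different controls."""
    return {
        "routine": evaluate(Payment(datetime(2012, 9, 25, 14, 0), "ACME Supplies", 300_000), HISTORY, CONTROLS),
        "takeover": evaluate(Payment(datetime(2012, 9, 25, 15, 0), "Mule Account 7", 600_000), HISTORY, CONTROLS),
        "weekend": evaluate(Payment(datetime(2012, 9, 29, 10, 0), "ACME Supplies", 100_000), HISTORY, CONTROLS),
        "over_daily": evaluate(Payment(datetime(2012, 9, 24, 16, 0), "ACME Supplies", 450_000), HISTORY, CONTROLS),
    }


if __name__ == "__main__":
    for name, (decision, why) in scenarios().items():
        print(f"{name:>10}: {decision} {why}")
```

The check is deliberately deterministic and customer-configured: its output is a hard block with reasons the customer can be told, not a risk score. It belongs in front of the behavioural monitoring the later slides describe, which handles the payments that pass these limits but still look wrong.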

Page 29

2011 Guidance

Overview of Guidance (cont'd)

• Device Identification

– Generally offered as a cloud-hosted service

– Identifies the transaction's source device using large databases drawn from a variety of industries, then assigns a transaction risk score

• Banking

• Gambling

• Large retailers

Page 30

2011 Guidance

Overview of Guidance (cont'd)

• Device Identification

– To be effective:

• Requires configuration to assign specific actions (block, escalate for follow-up, permit) to risk scores

• Requires consideration of the customer base (e.g., likelihood of international travel)

• Requires significant scale and source data from the vendor (e.g., iovation, Kount)
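The monitoring and device identification slides above (Pages 25, 26, 29 and 30), as one added Python example that is not code from the Grant Thornton deck or from any vendor: a rule set that scores a payment against the customer's own history (amount, payee, time of day), folds in a device-reputation score, and maps the combined score to the three actions the slide names, permit, escalate for follow-up, or block. The weights, the action thresholds, the six-payment history and the device-score lookup are assumptions constructed for the example; in production the device score would come from a hosted feed such as the vendors mentioned.

```python
"""
Added example: behavioural transaction monitoring plus device-reputation scoring,
mapped to permit / escalate / block. All weights, thresholds and data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    when: datetime
    payee: str
    amount_cents: int
    device_id: str


# Constructed stand-in for a hosted device-reputation feed: score 0-100, higher is
# riskier; a device the feed has never seen gets a conservative default.
DEVICE_RISK = {"dev-laptop-01": 5, "dev-phone-02": 10, "dev-unknown-99": 85}
UNKNOWN_DEVICE_RISK = 60

# Assumed configuration mapping the combined score to an action.
ESCALATE_AT = 40   # hold for manual validation
BLOCK_AT = 75      # refuse and alert


def score_transaction(txn: Txn, history: list[Txn]) -> tuple[int, list[str]]:
    """
    Score a payment against this customer's own history and the device score.
    Returns (risk score capped at 100, indicators that fired). Each indicator alone
    is weak evidence; the combination is what drives the action.
    """
    score, flags = 0, []

    amounts = [h.amount_cents for h in history]
    if amounts:
        mu, sigma = mean(amounts), pstdev(amounts)
        # Amount far outside the customer's normal range. Sigma is floored at 10% of
        # the mean so a very regular payer does not flag ordinary variation.
        if txn.amount_cents > mu + 3 * max(sigma, 0.1 * mu):
            score += 30
            flags.append("amount far above customer norm")

    if txn.payee not in {h.payee for h in history}:
        score += 25
        flags.append("first payment to this payee")

    usual_hours = {h.when.hour for h in history}
    business_hours = 8 <= txn.when.hour < 18
    if usual_hours and txn.when.hour not in usual_hours and not business_hours:
        score += 15
        flags.append("outside customer's usual hours")

    device_risk = DEVICE_RISK.get(txn.device_id, UNKNOWN_DEVICE_RISK)
    if txn.device_id not in {h.device_id for h in history}:
        score += device_risk // 2          # no history on this device: lean on the feed
        flags.append("device never seen on this account")
    elif device_risk >= 50:
        score += device_risk // 4          # known device now reported as compromised
        flags.append("known device flagged by reputation feed")

    return min(score, 100), flags


def decide(score: int) -> str:
    """Map the score to the action the institution configured for that band."""
    if score >= BLOCK_AT:
        return "block"
    if score >= ESCALATE_AT:
        return "escalate"
    return "permit"


# Constructed history: six mid-morning payments from one laptop to two vendors.
HISTORY = [
    Txn(datetime(2012, 9, 3, 9, 15), "ACME Supplies", 180_000, "dev-laptop-01"),
    Txn(datetime(2012, 9, 6, 10, 40), "Payroll Provider", 220_000, "dev-laptop-01"),
    Txn(datetime(2012, 9, 10, 9, 5), "ACME Supplies", 200_000, "dev-laptop-01"),
    Txn(datetime(2012, 9, 13, 11, 20), "Payroll Provider", 210_000, "dev-laptop-01"),
    Txn(datetime(2012, 9, 17, 10, 0), "ACME Supplies", 190_000, "dev-laptop-01"),
    Txn(datetime(2012, 9, 20, 9, 50), "Payroll Provider", 350_000, "dev-laptop-01"),
]

# Constructed cases: a normal payment, a known payee from a new device at night,
# and a textbook account takeover.
CASES = {
    "routine": Txn(datetime(2012, 9, 24, 10, 0), "ACME Supplies", 210_000, "dev-laptop-01"),
    "new device at night": Txn(datetime(2012, 9, 24, 23, 0), "ACME Supplies", 200_000, "dev-tablet-new"),
    "account takeover": Txn(datetime(2012, 9, 25, 2, 30), "Mule Account 7", 950_000, "dev-unknown-99"),
}


def review_all() -> dict[str, tuple[str, int, list[str]]]:
    """Run every case through scoring and the action map."""
    out = {}
    for name, txn in CASES.items():
        score, flags = score_transaction(txn, HISTORY)
        out[name] = (decide(score), score, flags)
    return out


if __name__ == "__main__":
    for name, result in review_all().items():
        print(f"{name:>20}: {result}")
```

The point of the combination shows on the constructed "new device at night" case: neither indicator alone would justify blocking a known payee's normal amount, but together they are enough to hold the payment for manual validation, which is the escalate path the guidance expects. The takeover case saturates the score and is refused outright.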


Page 32

Changes in the Marketplace

• Trends in Credit Union Access Methods

• Authentication Techniques (Survey Results)

• 2011 Guidance Adoption by Financial Institutions

Page 33

Changes in the Marketplace

Trends in Credit Union Access Methods

Source: ISACA

Page 34

Changes in the Marketplace

Authentication Techniques Survey Results by Financial Institutions

Source: ISACA

Page 35

Changes in the Marketplace

2011 Guidance Adoption by Financial Institutions

• Financial Organization Readiness

– Risk Assessment: 89% of respondents have implemented risk-based assessments for all channels

– Authentication Techniques: 56% of respondents have improved methods for authenticating

– Customer Awareness Program: 43% of respondents have implemented a new customer awareness program

– Layered Security: 43% of respondents have implemented layered security techniques

Source: ISMG, 2012 Faces of Fraud Survey

Page 36

Changes in the Marketplace

2011 Guidance Adoption by Financial Institutions (cont'd)

• What Technologies are Financial Institutions Using for Compliance?

– Enhanced customer education: 61%

– Fraud detection and monitoring: 61%

– Out-of-band verification: 35%

– Device identification technologies: 32%

– Controls over account maintenance: 32%

– IP reputation-based tools: 21%

Source: ISMG, 2012 Faces of Fraud Survey


Page 38

Not Addressed in the Guidance

Mobile Banking

Page 39

Not Addressed in the Guidance

Mobile Banking (cont'd)

• Industry Best Practices

– Encrypt data in transmission

– Session time-out functionality

– Ability to disable a phone from the web console

– Only account-to-account (A2A) transfers

– Inability to set up new bill payees from a mobile device


Page 41

Recommended Next Steps

1. Determine the current compliance status of your Credit Union.

2. Review your Credit Union's risk assessment, known issues, and compliance timeline to ensure they are appropriate (e.g., perform a design-of-controls review).

3. Test the operating effectiveness of key controls related to your Credit Union's compliance with the 2011 FFIEC Authentication Guidance.


Page 43

Q&A


Page 45

Appendix

2005 / 2011 Guidance Comparison

Purpose

2005 Guidance:

• Risk-based assessments

• Evaluate customer awareness programs

• Develop security measures

2011 Guidance:

• Combat increased fraud

• Reinforce the guidance's risk management framework and periodic risk assessments

• Set minimum control expectations

• Identify minimum elements required in a customer awareness program

Risk Assessment

2005 Guidance:

• Start with an assessment of risk

• Authentication process should be consistent with the firm's security

• Ongoing process to review authentication technology

2011 Guidance:

• Reiterate/stress the need for periodic risk assessments

• Review and update existing assessments as new technology becomes available

Page 46

Appendix

2005 / 2011 Guidance Comparison (cont'd)

Customer Authentication for High-Risk Transactions

2005 Guidance: no items listed

2011 Guidance:

• Distinguishes between types of customers (Retail/Consumer is lower risk, Business/Commercial is higher risk)

Layered Security Programs

2005 Guidance:

• USB tokens: user friendly

• Smart cards: hard to duplicate and tamper resistant

• Password-generating tokens: time-sensitive, synchronized

• Biometrics/facial recognition

• Non-hardware-based one-time-password scratch card

2011 Guidance:

• Detection and monitoring systems

• Dual customer authorization

• Out-of-band verification

• "Positive pay"

• Controls over account and change-to-account activity

• IP reputation-based tools

• Customer education

Page 47

Appendix

2005 / 2011 Guidance Comparison (cont'd)

Layered Security Programs (cont'd)

2005 Guidance:

• Out-of-band authentication

• IP address (IPA) location and geo-location software

• Mutual authentication

Other Authentication Techniques

2005 Guidance:

• Shared secrets: information elements known only by the customer and the authenticator

• Simple challenge questions and images

• Established at the initial enrollment process or via an offline ancillary process

• Requirement of periodic change

• Device identification through a PC-installed cookie

2011 Guidance:

• Sophisticated "one-time" cookies to counter the fraudster

• Sophisticated "out-of-wallet" or "red-herring" questions

Page 48

Appendix

2005 / 2011 Guidance Comparison (cont'd)

Customer Verification

2005 Guidance:

• Positive verification

• Logical verification

• Negative verification

• Third party to verify the identity of the applicant

2011 Guidance: no items listed

Monitoring and Reporting

2005 Guidance:

• Audit logs

• Report suspicious activities

• Establish transaction dollar limits

• Reporting mechanisms with timely removal/suspension of user account access

• Review system administrators' actions

2011 Guidance: no items listed

Page 49

Appendix

2005 / 2011 Guidance Comparison (cont'd)

Customer Awareness and Education

2005 Guidance:

• Key in defense against fraud

2011 Guidance:

• Efforts should address retail and commercial account holders

• Explain protections provided

• Circumstances warranting an institution contacting a client, and by what means

• Commercial online banking customers should perform a related risk assessment

• Listing of alternative control mechanisms and institutional contacts

Page 50

In accordance with certain professional standards, we inform you that this document supports Grant Thornton LLP's marketing of professional services and is not written tax, accounting or other advice directed at the particular facts and circumstances of any person. We encourage you to discuss with us, or an independent tax advisor, legal counsel or other advisors the potential application of this document to your particular situation.

Nothing herein shall be construed as imposing a limitation on any person from disclosing the tax treatment or tax structure of any matter addressed herein. To the extent this document may be considered to contain written tax advice, any written advice contained in, forwarded with or attached to this document is not intended by Grant Thornton to be used, and cannot be used, by any person for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.

This document is the work of Grant Thornton LLP, the U.S. member firm of Grant Thornton International, and is in all respects subject to negotiation, agreement and signing of specific contracts. The information contained within this document is intended only for the entity or person to which it is addressed and contains confidential and/or privileged material. Dissemination to third parties, copying or use of this information is strictly prohibited without the prior consent of Grant Thornton LLP.

www.GrantThornton.com

© Grant Thornton LLP

US member of Grant Thornton International Ltd

All rights reserved