Friday, December 30, 2011

FFIEC Guidance: Are Banks Ready?
Some Institutions Still Confused About Regulators' Expectations
Tracy Kitten
December 20, 2011


As 2012 nears and federal regulators prepare to examine financial institutions for conformance with the FFIEC Authentication Guidance, just how prepared are U.S. banks and credit unions? The answer, industry observers say, depends in part on the asset size of the institution.
The nation's largest institutions are working to stay ahead of the updated guidance issued this past June, but smaller institutions are facing stiff challenges to improving online banking security, says Gartner analyst Avivah Litan.
"Mid-tier and regional banks are confused about how far to go to meet FFIEC compliance requirements, especially with regard to payment batch-file processing, which can be expensive to re-engineer," she says.
Litan believes most community institutions are working hard to meet the FFIEC's demands for risk assessment strategies, layered security controls and improved customer awareness of online banking risks - the core tenets of the guidance. But for the smaller institutions, FFIEC conformance depends heavily on the effectiveness of their core processors - their third-party service providers.
"[Institutions] are very dependent on their online banking processors, most of whom are still upgrading their security strategies," Litan says. And many, including the processors themselves, are still confused about minimum requirements for conformance, especially when it comes to authenticating payments.
"They have little or no resources to deal with payment security," Litan adds.

Survey: Confused About Expectations

According to a new FFIEC Online Banking Security Readiness Study commissioned by Guardian Analytics, while banking institutions are prepared to share plans for ongoing risk assessments, many still struggle with grasping regulators' baseline security expectations.
Of the 300 U.S. institutions surveyed - 75 percent banks, 25 percent credit unions - most respondents say they've spent the last six months jumping into conformance action. [See the full survey on Guardian's website.]
Fifty-six percent have already completed their risk assessments, and 59 percent have already created plans to address identified risks.
What's more, institutions are addressing security across the board, focusing on enterprise-level security. Most institutions are embracing the need for substantial security upgrades. They're investing more in anomaly detection, and they're addressing fraud from a higher perspective.
"About 85 percent said they've made changes to address the guidance, and they plan to do more," says Guardian CEO Terry Austin. "The first part of 2012 will be very busy."
Austin speculates banks and credit unions are seeing improved fraud detection as a competitive differentiator. "Layered security is a focus," he adds. And so is customer and member education.
Two out of three of the institutions surveyed by Guardian said they already have extensive customer education programs in place; and most over the next six months plan to expand on those programs.
But only 50 percent say they fully understand minimum requirements for authentication conformance. "We're not criticizing the FIs here, but we're highlighting that there is still some education and interpretation help that the institutions need with the guidance," says Guardian's Terry Austin.
Doug Johnson, vice president of risk management policy for the American Bankers Association, says that confusion proves that more industry education is needed.
"Many community banks have not had the benefit of participating in the many webinars or conference sessions on this subject," he says. "As a result, we have written a number of articles for our various publications and bulletins on the subject and will continue to get the word out to help alleviate any confusion."
Litan says most institutions also have expressed concerns about how to interpret the updated guidelines relative to mobile banking, which is not addressed explicitly in the guidance.
"The regulators may have to issue an FAQ to clarify some of the points," she says. "I think the audits starting early in 2012 will clarify what the regulators want. I don't expect a hard-handed approach from them come January 2012. But by 2013 the regulators will expect to see substantial security upgrades across the board for online banking."

Conformance Strategy

Joe Rogalski, information security officer and first vice president of Buffalo-based First Niagara Bank, says taking an enterprise-level view is a good idea. "It's good to look beyond the requirements, to make sure you're doing the best thing for your institution," he says.
What more should institutions do to ensure preparation for their 2012 examinations? Experts offer these six tips:

  1. Plan for Ongoing Risk Assessments. Annual and quarterly risk assessments look good as ideas on paper, but institutions must be prepared to prove they have thorough plans in place to follow through with these assessments. "I think the annual risk assessment is a much bigger deal than most banks realize," Litan says. "Most banks have not done an annual risk assessment to the level that the new guidance calls for."
  2. Organize for Fraud Management. Upon conducting these assessments, institutions need to be equipped to take fast action on identified risks. "Fraud management is not one-size-fits-all," Litan says. "It's different in every bank, and most decisions are made by committee." More flexibility needs to be built into the response plan, so committee decisions don't choke or stall reaction time.
  3. Show Layered Security Plans. Regulators want to see what institutions have done to fill the gaps identified in their assessments - especially in terms of the layered security controls prescribed by the guidance. "If you're not going to be compliant by [the time of your exam], make sure you have a reason why, or the ability to show that you have very good compensating controls," Rogalski says.
  4. Tackle the Basics. A lot of banks are busy implementing out-of-band authentication, Litan says. Yet, they're still struggling to detect and prevent ACH and wire fraud. Rather than investing millions of dollars in out-of-band solutions, she recommends that institutions focus on core security requirements first. Address identified weaknesses with basic and well-understood solutions.
  5. Examine Vendors. For institutions that rely on vendors for stronger authentication, be sure you know how well your vendor is performing. After all, it is the institution that will be held to the fire for conformance - not the vendor. Review the vendor's own internal conformance assessment, or - if the organization is large enough to be examined by federal regulators - ask to review its FFIEC examination later in 2012 to see the agencies' own impressions. "It does give you some insights, and the examiners can provide that exam," Johnson says. "But you're only allowed to [view] that exam if you have an existing contract in place with that party."
  6. Show Metrics of Progress. Experts agree that regulators won't expect to see 100 percent conformance in 2012. But institutions must prove they will reduce risk over time. Even if more technology investments are needed, proof of progress will satisfy auditors. "I think institutions are not measuring the potential exposure they may have, and the potential losses which they've managed to mitigate against their existing losses," Johnson says. "If they can demonstrate that they have mitigated potential losses, even if exposure increased because of more attacks, then they can show that their measures of protection are improving. It demonstrates effectiveness."

Friday, December 2, 2011

2011- The year of the breach


2011 has been one of the worst years ever for security breaches, with both large and small companies affected. Among the big headline breaches were Sony's PlayStation Network, RSA, Citigroup, ADP and a large email marketer, Epsilon. The trickle-down effect from the Epsilon breach was felt by many companies: large financial institutions JPMorgan Chase and Citibank, major hotel chains Marriott and Hilton, as well as big retailers Best Buy and Walgreens.
The bad guys are out there, and they are constantly trying to gain access to customer and confidential data. For a typical breach, it costs approximately $212 per record lost for credit monitoring and notifications sent to customers, and this does not include the cost associated with reputational loss. For example, if 650,000 records were compromised, it would cost approximately $137,800,000. That would be quite a hit for most businesses; could yours recover?
As this year comes to an end, I have put together a top 10 list of things you can do to keep both you and your company safer online in 2012.
10. If you are not expecting a package from UPS or any other parcel-delivery service, do not click on the link they sent you, as it is probably a phishing email. Instead, access the site by going through the homepage to avoid being sent to a fraudulent site where your information could be stolen.
9. Do not click on links within an unsolicited e-mail.
8. Avoid filling out forms contained in e-mail messages that ask for personal data.
7. Log on directly to the official Web site for the business identified in the e-mail, instead of “linking” to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
6. If an e-mail asks you to respond quickly or states there is an emergency, it may be a scam. Fraudsters create a sense of urgency to get you to act impulsively.
5. The FBI or other government agencies will not contact you about a lawsuit or subpoena through e-mail. They tend to like to talk to you in person about those things.
4. Ensure that your home PC’s patches are up to date as well as your anti-virus.
3. Always compare the link in the e-mail to the web address link you are directed to and determine if they match.
2. On social media sites, (Facebook, etc) be careful what kind of information you share and whom you share it with.
1. My personal favorite, remember what Mom always said, “If it looks too good to be true, it probably is.”
Have a happy and safe holiday season and a safe new year.

Monday, October 24, 2011

Security Initiatives: The ceiling is collapsing where to start?

Being able to take the time to create your strategic plan for the Information Security Program, as well as understanding when and where to concentrate your resources, should always be a priority. That is, until reality sets in and you realize that there is no time to think strategically and you must act like a M*A*S*H unit and triage. When you have multiple high-risk immediate priorities, how do you decide what comes first to stabilize the situation?

When I need to prioritize and am in the weeds I tend to use the following criteria.

1.    Is there an active problem, intrusion or data loss situation in flight, or is a critical service not being provided?

2.    Is there a pending situation that will lead to a problem or loss situation? Glaring situations that can cause big losses, such as a firewall misconfiguration.

3.    Will my data be out of my control or in an unknown state? Is data leaving the network to a third party?

4.    Are there regulatory or compliance issues?  Projects required for industry or regulatory compliance?

The triage situation should only deal with issues that are critical to the enterprise in the near term, typically less than six months, concentrating resources to correct the mission-critical issues. After those immediate issues are corrected, time and resources must be spent on strategic planning and execution. Strategic planning of projects and initiatives should happen as quickly as possible, even during a triage situation, and at a minimum have an outline of where the plan is going to ease switching gears.

Wednesday, October 5, 2011

Smishing: How Banks Can Fight Back


Police Warn of Text-Based Scams Targeting Banking Customers
October 5, 2011 - Tracy Kitten, Managing Editor

Police in Pima County, Ariz., have issued a warning about smishing, or text-based phishing attacks, targeting mobile users. The warning comes after a Tucson-area resident filed a complaint about a phishy text message that appeared to be from the recipient's financial institution. The text, which asked the accountholder to call a specified number to resolve a possible compromise of his bank account, included the last four digits of the user's debit card, making the text appear legitimate.
"If the victim had called the number provided, he would have been asked to verify his debit card number and the security code on the back of the debit card," the department said in its warning. "With this information, the debit card could have been reproduced, and the victim's bank account would have been cleaned out."
Smishing attacks are low-tech schemes, but they nevertheless prove frustrating for financial institutions. Jason Rouse, a mobile security expert and consultant with Cigital Inc., says smishing, like most socially engineered schemes, preys on victims' trust. "So, the bank should issue very clear guidelines about the way it will communicate with customers," he says. "They must tell customers they will never ask for a password or information over a cell."
Rouse's advice, incidentally, is in line with the new FFIEC Authentication Guidance, which directs institutions to give their customers "an explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer's provision of electronic banking credentials."

Smishing on the Rise

In the Tucson case, the would-be victim was quick to contact his financial institution before responding to the text. But not all consumers are quite so savvy, especially in the mobile environment. "People are used to phishing by e-mail," says mobile expert Dr. Markus Jakobsson. "Smishing has still not sunk in."
The mobile phone is a social device, and consumers' communications and behavior over mobile devices mirror casual phone communications. "Their trust in their friends rubs off on everything that has to do with the [mobile] phone," Jakobsson says [See Mobile Banking: The New Risks]. That casual mobile behavior is likely to perpetuate more mobile fraud, and encourage fraudsters to exploit even the most low-tech mobile schemes, such as smishing.
The good news for financial institutions is that smishing attacks have not hit a tipping point. But it's only a matter of time. "We will see it peak in the next couple of years," Rouse says. "From an organized crime perspective, smishing is simple, and I think you will see more organized crime lean toward it."
Smishing scams are increasing in popularity over traditional voice/phone call scams known as vishing because consumers are more apt to fall for them. "The absence of an awkward pre-recorded or live voice call increases the probability of success for the criminal," says John Buzzard, of FICO's Card Alert Service. "The consumer is only evaluating the words in the text without the weight that hearing a voice or recording would add to their decision-making process."

Consumer Education and Anomaly Detection

As smishing attacks like the one in Tucson proliferate, financial institutions have to hone customer and member education efforts. The Tucson scheme proves how crafty smishing attacks can be, says Joe Rogalski, information security officer of Buffalo-based First Niagara Bank [$38 billion in assets]. "The last four [digits] of the card number and the increase in the use of text alerts give the customer confidence and improve validity of the scam," Rogalski says. "Customers need to understand how and when the institution will contact them on an unsolicited basis, and if they will ever request a PIN or other confidential information. Getting this message out to consumers consistently is very important."
There's little financial institutions can do to stop smishing. The real success of controlling attacks and subsequent losses begins and ends with the consumer.
Anthony Vitale, who oversees mobile solutions for San Francisco-based Patelco Credit Union [$3.75 billion in assets], says financial institutions are quickly learning that the convenience of mobile banking comes with a price. As the use of mobile explodes, the threats and risks associated with mobile behavior have never been greater.
"Organizations are putting in layers of security and tools to safeguard information and assets, however, the fraudsters are attacking our weakest link, the consumer," Vitale says.
To ensure it's sufficiently addressing existing and emerging mobile risks, Patelco invested in a behavior-monitoring solution. When something out of the ordinary occurs, the credit union can react. So, if a user has been duped by a smishing attack and the bank account is hit with requests for funds in amounts and to recipients that seem out of line, a red flag goes up.
Institutions also should monitor mobile transactions in the same ways they monitor online transactions. If fraud is detected, transactions can be stopped and addressed with the mobile carrier. Mobile carriers can assist banks in tracking anomalous behavior and shutting it down before it results in big losses.
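The kind of rule the behavior-monitoring approach described above implies, written as an added example (not Patelco's, First Niagara's or any vendor's code): a pending payment is compared with the account's own history, and a never-seen recipient, an amount far outside the usual range, or a burst of payments to new recipients raises a flag for review or a hold. The transaction fields, the thresholds and the sample history are assumptions constructed for the example.

```python
"""Behavioral screening of payment requests against an account's own history."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    account: str
    recipient: str
    amount: float


# Constructed sample history for one account (not real data): two recurring
# payees, rent and a utility, paid in steady amounts.
HISTORY = [
    Transfer("acct-1", "payee-utility", 120.00),
    Transfer("acct-1", "payee-utility", 118.50),
    Transfer("acct-1", "payee-rent", 950.00),
    Transfer("acct-1", "payee-rent", 950.00),
    Transfer("acct-1", "payee-utility", 121.75),
    Transfer("acct-1", "payee-rent", 950.00),
]


def build_profile(history):
    """Summarise what 'normal' looks like for one account."""
    amounts = [t.amount for t in history]
    return {
        "known_recipients": {t.recipient for t in history},
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "max": max(amounts),
        "count": len(amounts),
    }


def score_transfer(profile, t, z_threshold=3.0, ratio_threshold=2.0):
    """Return the reasons a transfer looks out of line (empty list = normal).

    Thresholds are assumed values for the example; a real deployment tunes them
    per customer segment from observed false-positive rates.
    """
    reasons = []
    if t.recipient not in profile["known_recipients"]:
        reasons.append("new recipient")
    if profile["stdev"] > 0:
        z = (t.amount - profile["mean"]) / profile["stdev"]
        if z > z_threshold:
            reasons.append(f"amount z-score {z:.1f} above {z_threshold}")
    if t.amount > ratio_threshold * profile["max"]:
        reasons.append(f"amount exceeds {ratio_threshold}x historical maximum")
    return reasons


def decide(profile, t):
    """Map reasons to an action: hold (new recipient AND unusual amount),
    review (any single signal) or allow."""
    reasons = score_transfer(profile, t)
    if "new recipient" in reasons and len(reasons) > 1:
        return "hold"
    if reasons:
        return "review"
    return "allow"


def screen_pending(history, pending, max_new_recipients=2):
    """Screen a batch of pending requests for one account.

    Beyond the per-transfer checks, a burst of payments to several never-seen
    recipients is itself a signal that someone else may control the account,
    so the whole batch is held once that count is exceeded.
    """
    profile = build_profile(history)
    decisions = [decide(profile, t) for t in pending]
    new_targets = {t.recipient for t in pending
                   if t.recipient not in profile["known_recipients"]}
    if len(new_targets) > max_new_recipients:
        decisions = ["hold"] * len(pending)
    return decisions


if __name__ == "__main__":
    # A duped user's account hit with a large request to an unknown payee.
    pending = [Transfer("acct-1", "payee-unknown", 4800.00)]
    print(screen_pending(HISTORY, pending))  # ['hold']
```

The same screen applies unchanged to mobile and online requests, which is the point of monitoring both channels the same way.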
But how can institutions initiate better communication and education with customers and members? Getting the word out about mobile and even online risks has proved challenging in the past.
Cigital's Rouse says institutions should not be intimidated from using common channels, like mobile. "I think the No. 1 channel banks should be using is the mobile channel itself," he says. "There is no reason why they can't use the mobile device to disseminate information to their users."

Wednesday, September 28, 2011

FFIEC Authentication Guidance: Customer Education - Developing a Program That's Effective and Meets Regulatory Expectations

For too long, banking institutions have paid only lip service to the need for developing information security awareness and education programs for their customers.
But now, as directed by the FFIEC Authentication Guidance, institutions as of January 2012 are expected to manage a robust awareness and education effort for retail and commercial customers alike.
But what is an effective awareness/education program, and how can it be rolled out online and in person to the customers who need it most?
Join an information security leader at a major U.S. bank for practical insights on how to:
  • Assess the awareness/education needs of retail and commercial customers;
  • Create an effective program that includes online, print and in-person components;
  • Develop an education and awareness strategy that is regularly updated and improved by customer feedback;
  • Develop a program that meets the regulatory requirements.

Background

When it comes to information security risks to retail and commercial customers, awareness and education programs have been much like the proverbial weather. Many institutions talked about these programs, but few implemented successful ones. But now, with the advent of the 2011 supplement to the FFIEC Authentication Guidance, banking regulators are putting institutions on notice that they now will be examined on the efficacy of their customer education programs.
In part, this new emphasis is in response to the recent spate of ACH/wire fraud incidents, which defrauded unsuspecting commercial customers - many of whom did not realize their losses were not automatically reimbursed by the institutions. The new guidance calls for customer awareness and educational efforts tailored for retail and commercial account holders and, at a minimum, to include these elements:
  • An explanation of protections provided - and not provided - to accountholders;
  • An explanation of how and why the institution might contact a customer on an unsolicited basis and ask for the customer's electronic banking credentials;
  • Advice for commercial online banking customers to perform periodic risk assessments;
  • A listing of risk control mechanisms that customers may consider implementing to mitigate their own risk, or at the very least a listing of available resources where such information can be found;
  • A contact list for customers to use if they notice suspicious account activity or experience any security-related events.
To offer practical tips from his own institution's experience, Joe Rogalski of First Niagara Bank will outline his robust customer education/awareness program and show how - and where - it touches retail and commercial customers in multiple forms.

Presented By

Joe Rogalski, SVP, First Niagara Bank

Joe Rogalski is the information security officer and first vice president of First Niagara Bank, a top 25 regional bank located in the northeast. He currently holds CISM and CRISC certifications, and he has more than 18 years of experience in technology and security in a variety of technical and management positions. Before joining First Niagara, Rogalski led information security risk management for M&T Bank. Rogalski also frequently speaks about security, risk management and awareness with industry leaders and First Niagara customers.

Tuesday, September 27, 2011

Shortened URL, Thinking before you click


I am finally taking the CISSP on November 5th. I say finally, as my last two attempts were abandoned due to any number of reasons. I am committed and have registered this time. This post is not about my preparation, but about one resource I was provided after I asked a question on Twitter. I was looking for good resources for preparing for the exam.

The response in question I received was not from someone I know or follow on Twitter, and it contained a shortened URL. That should have been the first warning sign.

Something I always stress in end user education is "Think before you click." Of course everyone is susceptible to social engineering and a lapse in better judgment, so I clicked on the link. After clicking I was redirected to an offer to win an iPad 2, and I consider myself lucky, for it was just clickjacking and not malware.

Twitter and other social media should be treated just like email, and if you don't know who is sending you the link, just delete it. I have tried Safego by Bitdefender to do some background checking on this user, but there was little activity. Safego seems to work OK on Twitter, but I have had good success with it on Facebook. I have too many friends who think they can see who is following them on Facebook. Taking a closer look at the account that sent the message, it seems like a spam account, so I have blocked them and reported the spam.


Google has also picked up on the spam and is blocking the shortened URL.



The question I keep coming back to is: what if there was malware behind the page? With the ability to create shortened URLs so quickly, what can we do about it? End-user education is the best answer: understanding who is sending us the information and thinking before we click. Are there other options to stop this spam or the use of this in an attack? I could easily see this being used to spread Zeus to companies, or a zero-day attack like the one used in the RSA breach. Commercial account takeover is a large problem in the financial services industry today, and the majority is perpetrated through Zeus.


Until a technical solution is available to combat this, we must rely on end users thinking before the click, and that includes me.
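One mechanical form of "think before you click" that covers both tip 3 of the top 10 list above (compare the link text with where it actually goes) and the shortened URL in this post, written as an added example that is not code from the blog: it pulls every anchor out of a constructed HTML message, checks whether a visible host name agrees with the host in the href, and flags links that pass through a shortener, where the real destination cannot be seen without following the redirect. The message, the domains under `.example` and the shortener list are assumptions made up for the example.

```python
"""Pre-click audit of e-mail links: visible text versus real destination."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of common shortener hosts; extend it for your own environment.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

# Matches anchor text that reads as a host or URL, e.g. "www.ups.com" or
# "https://bank.example/login"; plain words like "click here" do not match.
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation (no public-suffix list); enough to
    see that www.ups.com.track-delivery.example is not ups.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text):
    """Return warnings for one anchor; an empty list means it passes."""
    warnings = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme not in ("http", "https"):
        warnings.append(f"non-web scheme {target.scheme!r}")
    if host in SHORTENER_HOSTS:
        warnings.append(f"shortened URL via {host}; real destination hidden")
    shown = HOSTLIKE.match(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        warnings.append(f"text shows {shown.group(1)} but link goes to {host}")
    return warnings


def audit_email(html):
    """Return [(href, text, warnings)] for every link in an HTML message."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


# Constructed sample message modelled on the parcel-delivery lure in tip 10:
# a look-alike host, a shortened link, and one honest link for comparison.
SAMPLE_EMAIL = """\
<p>Your package could not be delivered. Track it at
<a href="http://www.ups.com.track-delivery.example/track">www.ups.com</a>
or <a href="http://bit.ly/CONSTRUCTED">click here</a>.</p>
<p>Statements: <a href="https://online.bank.example/login">online.bank.example</a></p>
"""

if __name__ == "__main__":
    for href, text, warnings in audit_email(SAMPLE_EMAIL):
        status = "; ".join(warnings) if warnings else "ok"
        print(f"{text!r} -> {href}: {status}")
```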



Sunday, September 25, 2011

TD Bank on Customer Education New Study Underscores Need for Greater Awareness

Tracy Kitten
August 25, 2011


Small businesses have room to improve when it comes to fraud prevention. And according to a recent study commissioned by TD Bank, a lack of understanding and apathy are challenges that need to be overcome. "Phishing; limiting the paper trail; not leaving their computer screens up when they walk away; knowing who's around when they log on to the account are all educational points," says Jay DesMarteau, head of small business sales for TD Bank [CDN $630 billion in assets]. "We've seen instances of all of that, and so we've had to increase awareness."
Steps such as limiting paper trails and dedicating desktops to online banking business should be givens at this point, but many small-business owners continue to rely on unsafe, albeit conventional, business practice, according to a new study overseen by TD Bank.
In April, TD Bank commissioned ORC International to survey 300 small U.S. businesses about their takes on the current state of fraud. "Our intent with this survey was to increase awareness about fraud and help our small business customers understand what they can do to reduce risks related to online fraud." [Visit TD Bank's Security Center for more information.]
About 90 percent of TD Bank's commercial business customers fall into the small business category - a category that accounts for about one-third of TD Bank's balance sheet. Over the last several months, TD Bank has been sharing the survey results with its small-business base, using the results as an educational tool to show financial institutions where they are lacking in fraud investments and to point out where more attention needs to be paid.
"ACH - that's where we have seen fraud in the past, but things have gotten better over the last two years," DesMarteau says. "We do surveys from time to time around banking products and trends, just to see where we are. And this is an area, online fraud, that we see as being a trend. We want to share basic steps that can be taken to reduce fraud," which starts with the commercial customer.
The 300 small-business leaders TD Bank surveyed said they did plan to make investments over the next year to enhance fraud protections; but the responses were lackluster.
When asked, "Which of the following actions are you most likely to take over the next 12 months to protect your business from fraud?":
  • 46 percent replied "Install/update firewalls and anti-virus software"
  • 45 percent replied "Institute more internal controls/checks and balances"
  • 17 percent replied "Schedule regular external audits"
  • 40 percent replied "Start managing my finances using secure online banking tools"
  • 17 percent replied "Employ an information management service to safely store sensitive documents"
Online fraud, not surprisingly, has been a problem for TD Bank in the past. But since 2009, ACH- and wire-related fraud incidents have dropped 50 percent, primarily because of stronger detection on the bank's end and more customer education. "We've done a lot more on our side around monitoring transactions and looking for payments to people that look out of sorts for a particular customer," DesMarteau says.
TD Bank also offers insurance, in case a commercial account is hacked, and a product called BusinessDirect, which provides commercial customers with 24/7 online account activity, so they can monitor transactions in real time.
"It's a constant thing we are doing to prevent cyberfraud," says Robert Dunlop, head of corporate security for TD Bank. "I think a lot of smaller business customers don't think they will get attacked, and they do foolish things," like allow employees to browse the Web on desktops that are used to manage the bank's online account.
"And a lot of these small businesses don't understand the risks, and they don't have an IT staff in place to regularly update software or ensure they have the right anti-virus systems or firewalls, so we're working with them," Dunlop says. "These breaches, when they occur, are at the customer level, not at the bank level."

FFIEC and Customer Education

The need for more customer education regarding online security is not a new concept. Consumers are often referred to as being the weakest links. That weakest link reference is amplified when talking about commercial accounts, since they don't carry the same protections as consumer accounts covered by Regulation E. Commercial customer education is one of the tenets of the updated online authentication guidance issued by the Federal Financial Institutions Examination Council in June.
The FFIEC authentication guidance specifically calls for financial institutions to launch customer education efforts that include security steps for commercial customers.
The FFIEC says banks and credit unions should suggest "commercial online banking customers perform a related risk-assessment-and-controls evaluation periodically," as well as provide a "listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found."
Joe Rogalski, information security officer of First Niagara Bank, a top 25 regional bank in the northeast U.S., says educating small business customers about online risks should be a top priority for every financial institution. "We're seeing more fraud and cross-channel fraud," he says. "We're continually doing risk assessments of our platforms. We're continually testing our controls and the effectiveness of our controls. ... We're doing anomaly detection on transactions, as well as a lot of end-user education."
TD Bank's recent survey results support Rogalski's view, and more institutions are pursuing customer education initiatives as part of their layered approaches to security and online-fraud prevention.
For TD Bank, sharing results from surveys is educational for customers. But TD Bank also regularly posts updates about emerging threats and new security initiatives through the TD Bank Security Center, a microsite dedicated to providing security alerts and information about everything from identity theft to emerging schemes.
"It's an outreach effort," Dunlop says. "These cybercriminals are very good at what they do, and we all have to do what we can to stay ahead."

Sunday, August 14, 2011

BankInfoSecurity: Podcast FFIEC Authentication Guidance

I participated in a BankInfoSecurity podcast on the new FFIEC guidance. The link is below.


FFIEC Authentication Guidance: A Bank's Steps to Comply

Customer Education Is Priority for First Niagara

By Tracy Kitten, August 2, 2011.
"We're continually testing our controls and the effectiveness of our controls. We do a lot of emerging-threats monitoring ... so we can react," says First Niagara's Joe Rogalski.