Wednesday, September 28, 2011

FFIEC Authentication Guidance: Customer Education - Developing a Program That's Effective and Meets Regulatory Expectations

For too long, banking institutions have paid only lip service to the need for developing information security awareness and education programs for their customers.
But now, as directed by the FFIEC Authentication Guidance, institutions as of January 2012 are expected to manage a robust awareness and education effort for retail and commercial customers alike.
But what is an effective awareness/education program, and how can it be rolled out online and in person to the customers who need it most?
Join an information security leader at a major U.S. bank for practical insights on how to:
  • Assess the awareness/education needs of retail and commercial customers;
  • Create an effective program that includes online, print and in-person components;
  • Develop an education and awareness strategy that is regularly updated and improved by customer feedback;
  • Develop a program that meets the regulatory requirements.

Background

When it comes to information security risks to retail and commercial customers, awareness and education programs have been much like the proverbial weather: everyone talked about them, but few institutions implemented successful ones. Now, with the 2011 supplement to the FFIEC Authentication Guidance, banking regulators have put institutions on notice that they will be examined on the efficacy of their customer education programs.
In part, this new emphasis is in response to the recent spate of ACH/wire fraud incidents, which defrauded unsuspecting commercial customers - many of whom did not realize their losses were not automatically reimbursed by the institutions. The new guidance calls for customer awareness and educational efforts tailored for retail and commercial account holders and, at a minimum, to include these elements:
  • An explanation of protections provided - and not provided - to accountholders;
  • An explanation of under what circumstances, if any, and through what means the institution may contact a customer on an unsolicited basis and request the customer's electronic banking credentials;
  • Advice for commercial online banking customers to perform periodic risk assessments;
  • A listing of risk control mechanisms that customers may consider implementing to mitigate their own risk, or at the very least a listing of available resources where such information can be found;
  • A contact list for customers to use if they notice suspicious account activity or experience any security-related events.
To offer practical tips from his own institution's experience, Joe Rogalski of First Niagara Bank will outline his robust customer education/awareness program and show how - and where - it touches retail and commercial customers in multiple forms.

Presented By

Joe Rogalski, SVP, First Niagara Bank

Joe Rogalski is the information security officer and first vice president of First Niagara Bank, a top 25 regional bank located in the northeast. He currently holds CISM and CRISC certifications, and he has more than 18 years of experience in technology and security in a variety of technical and management positions. Before joining First Niagara, Rogalski led information security risk management for M&T Bank. Rogalski also frequently speaks about security, risk management and awareness with industry leaders and First Niagara customers.

Tuesday, September 27, 2011

Shortened URL, Thinking before you click

I am finally taking the CISSP on November 5th. I say finally, as my last two attempts were abandoned due to any number of reasons. I am committed and have registered this time. This post is not about my preparation, but about one resource I was provided after I asked a question on Twitter. I was looking for good resources for preparing for the exam.

The response in question came from someone I do not know or follow on Twitter, and it contained a shortened URL. That should have been the first warning sign.

Something I always stress in end-user education is “Think before you click.” Of course everyone is susceptible to social engineering and a lapse in judgment, so I clicked on the link. After clicking I was redirected to an offer to win an iPad 2, and I consider myself lucky that it was just clickjacking and not malware.

Twitter and other social media should be treated just like email: if you don’t know who is sending you the link, just delete it. I have tried SafeEgo by Bitdefender to do some background checking on this user, but there was little activity. SafeEgo seems to work OK on Twitter, but I have had good success with it on Facebook. I have too many friends who think they can see who is following them on Facebook. Taking a closer look at the account that sent the message, it seems like a spam account, so I have blocked it and reported the spam.


Google has also picked up on the spam and is blocking the shortened URL.



The question I keep coming back to is: what if there was malware behind the page? With the ability to create shortened URLs so quickly, what can we do about it? End-user education is the best answer: understanding who is sending us the information and thinking before we click. Are there other options to stop this spam or the use of this in an attack? I could easily see this being used to spread Zeus to companies, or a zero-day attack like the one used in the RSA breach. Commercial account takeover is a large problem in the financial services industry today, and the majority is perpetrated through Zeus.


Until a technical solution is available to combat this, we must rely on end users thinking before they click, and that includes me.
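One technical option the post asks about is to expand the shortened URL before anyone clicks it: walk the redirect chain with HEAD requests only, so no landing page is ever rendered, and show the user where it actually goes. The following is an added example, not code from the original post. The shortener host list is an assumption for illustration, and the redirect chain used for the demonstration is constructed, not the real behaviour of any shortener; the `head` fetcher does real network requests if you pass it a live URL.

```python
"""Expand a shortened URL before anyone clicks it.

Added example (not from the original post). It follows HTTP redirects with
HEAD requests only, so the final page is never fetched, caps the number of
hops to defeat redirect loops, and returns the full chain plus the landing
host. The fetcher is injectable so the logic is demonstrated below against a
constructed redirect chain; the default fetcher performs real lookups.
"""
import http.client
import urllib.parse
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MAX_HOPS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}
# Assumed list of shortener hosts (illustrative, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}


@dataclass
class Expansion:
    requested: str
    chain: List[str] = field(default_factory=list)  # every URL touched, in order
    final: Optional[str] = None                      # landing URL, if reached
    status: str = "ok"                               # ok | too_many_hops | error


def head(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Real fetcher: one HEAD request, returning (status, Location header)."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unsupported URL: {url}")
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url: str, fetch: Callable = head, max_hops: int = MAX_HOPS) -> Expansion:
    """Walk the redirect chain without ever requesting a response body."""
    exp = Expansion(requested=url)
    current = url
    for _ in range(max_hops):
        exp.chain.append(current)
        try:
            status, location = fetch(current)
        except Exception:
            exp.status = "error"
            return exp
        if status in REDIRECT_CODES and location:
            # Location may be relative; resolve it against the current URL.
            current = urllib.parse.urljoin(current, location)
            continue
        exp.final = current
        return exp
    exp.status = "too_many_hops"
    return exp


def landing_host(exp: Expansion) -> Optional[str]:
    return urllib.parse.urlsplit(exp.final).hostname if exp.final else None


def is_shortener(url: str) -> bool:
    return (urllib.parse.urlsplit(url).hostname or "").lower() in SHORTENER_HOSTS


# --- Offline demonstration with a constructed redirect chain -----------------
# These URLs and responses are made up for the example; they do not describe
# the real behaviour of any shortener or site.
FAKE_RESPONSES = {
    "https://bit.ly/abc123": (301, "http://t.co/xyz"),
    "http://t.co/xyz": (302, "/offer?ref=tw"),   # relative Location header
    "http://t.co/offer?ref=tw": (302, "http://win-an-ipad.example/landing"),
    "http://win-an-ipad.example/landing": (200, None),
}


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    if url not in FAKE_RESPONSES:
        raise ConnectionError(url)
    return FAKE_RESPONSES[url]


def demo() -> Expansion:
    return expand("https://bit.ly/abc123", fetch=fake_head)


if __name__ == "__main__":
    result = demo()
    print(" -> ".join(result.chain))
    print("lands on:", landing_host(result), "status:", result.status)
```

The hop cap matters: a malicious chain can redirect to itself or bounce between two hosts forever, and a naive expander that follows every Location header will hang. Showing the whole chain rather than only the last hop also lets the reader spot an intermediate tracking or shortener host that a bare "final URL" would hide.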



Sunday, September 25, 2011

TD Bank on Customer Education: New Study Underscores Need for Greater Awareness

Tracy Kitten
August 25, 2011


Small businesses have room to improve when it comes to fraud prevention. And according to a recent study commissioned by TD Bank, a lack of understanding and apathy are challenges that need to be overcome. "Phishing; limiting the paper trail; not leaving their computer screens up when they walk away; knowing who's around when they log on to the account are all educational points," says Jay DesMarteau, head of small business sales for TD Bank [CDN $630 billion in assets]. "We've seen instances of all of that, and so we've had to increase awareness."
Steps such as limiting paper trails and dedicating desktops to online banking business should be givens at this point, but many small-business owners continue to rely on unsafe, albeit conventional, business practice, according to a new study overseen by TD Bank.
In April, TD Bank commissioned ORC International to survey 300 small U.S. businesses about their takes on the current state of fraud. "Our intent with this survey was to increase awareness about fraud and help our small business customers understand what they can do to reduce risks related to online fraud." [Visit TD Bank's Security Center for more information.]
About 90 percent of TD Bank's commercial business customers fall into the small business category - a category that accounts for about one-third of TD Bank's balance sheet. Over the last several months, TD Bank has been sharing the survey results with its small-business base, using the results as an educational tool to show financial institutions where they are lacking in fraud investments and to point out where more attention needs to be paid.
"ACH - that's where we have seen fraud in the past, but things have gotten better over the last two years," DesMarteau says. "We do surveys from time to time around banking products and trends, just to see where we are. And this is an area, online fraud, that we see as being a trend. We want to share basic steps that can be taken to reduce fraud," which starts with the commercial customer.
The 300 small-business leaders TD Bank surveyed said they did plan to make investments over the next year to enhance fraud protections; but the responses were lackluster.
When asked, "Which of the following actions are you most likely to take over the next 12 months to protect your business from fraud?":
  • 46 percent replied "Install/update firewalls and anti-virus software"
  • 45 percent replied "Institute more internal controls/checks and balances"
  • 17 percent replied "Schedule regular external audits"
  • 40 percent replied "Start managing my finances using secure online banking tools"
  • 17 percent replied "Employ an information management service to safely store sensitive documents"
Online fraud, not surprisingly, has been a problem for TD Bank in the past. But since 2009, ACH- and wire-related fraud incidents have dropped 50 percent, primarily because of stronger detection on the bank's end and more customer education. "We've done a lot more on our side around monitoring transactions and looking for payments to people that look out of sorts for a particular customer," DesMarteau says.
TD Bank also offers insurance, in case a commercial account is hacked, and a product called BusinessDirect, which provides commercial customers with 24/7 online account activity, so they can monitor transactions in real-time.
"It's a constant thing we are doing to prevent cyberfraud," says Robert Dunlop, head of corporate security for TD Bank. "I think a lot of smaller business customers don't think they will get attacked, and they do foolish things," like allow employees to browse the Web on desktops that are used to manage the bank's online account.
"And a lot of these small businesses don't understand the risks, and they don't have an IT staff in place to regularly update software or ensure they have the right anti-virus systems or firewalls, so we're working with them," Dunlop says. "These breaches, when they occur, are at the customer level, not at the bank level."

FFIEC and Customer Education

The need for more customer education regarding online security is not a new concept. Consumers are often referred to as being the weakest links. That weakest link reference is amplified when talking about commercial accounts, since they don't carry the same protections as consumer accounts covered by Regulation E. Commercial customer education is one of the tenets of the updated online authentication guidance issued by the Federal Financial Institutions Examination Council in June.
The FFIEC authentication guidance specifically calls for financial institutions to launch customer education efforts that include security steps for commercial customers.
The FFIEC says banks and credit unions should suggest that "commercial online banking customers perform a related risk-assessment-and-controls evaluation periodically," as well as provide a "listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found."
Joe Rogalski, information security officer of First Niagara Bank, a top 25 regional bank in the northeast U.S., says educating small business customers about online risks should be a top priority for every financial institution. "We're seeing more fraud and cross-channel fraud," he says. "We're continually doing risk assessments of our platforms. We're continually testing our controls and the effectiveness of our controls. ... We're doing anomaly detection on transactions, as well as a lot of end-user education."
TD Bank's recent survey results support Rogalski's view, and more institutions are pursuing customer education initiatives as part of their layered approaches to security and online-fraud prevention.
For TD Bank, sharing results from surveys is educational for customers. But TD Bank also regularly posts updates about emerging threats and new security initiatives through the TD Bank Security Center, a microsite dedicated to providing security alerts and information about everything from identity theft to emerging schemes.
"It's an outreach effort," Dunlop says. "These cybercriminals are very good at what they do, and we all have to do what we can to stay ahead."