As banks turn their attention to stronger authentication technologies in the wake of recent guidance from the Federal Financial Institutions Examination Council, it's important that they don't overlook transaction-level controls, several security experts said.
The FFIEC on Oct. 12 released guidelines that call on banks to upgrade single-factor authentication processes, which are typically based on usernames and passwords, by adding a second, stronger form of authentication during online transactions.
The FFIEC guidelines, which banks will be audited against starting in December 2006, have focused considerable industry attention on technologies that will allow banks to add a second form of authentication on top of those already used. While such measures will play a part in security, it would be a mistake to focus on stronger authentication alone as a way to mitigate online risk, said Alenka Grealish, an analyst at Celent LLC, a financial services consultancy in Boston.
"I think it's important to not only pay attention to how we secure the door to the bank, but also to what should be done when or if a criminal finds his way through that door," Grealish said. "The entire antifraud strategy of a bank needs to be emphasized," not just stronger authentication, Grealish said.
From a security standpoint, threats such as phishing and Trojans can already bypass some of the strong authentication technologies available today, said Jonathan Penn, an analyst at Forrester Research Inc. in Cambridge, Mass. As a result, better transaction monitoring, account monitoring and behavior modeling are needed to detect and prevent fraud, Penn said.