Financial institutions continue to implement federally-required security solutions more than one year after the deadline has passed for them to conduct risk assessments and implement improvements to protect their systems and customers.
In 2005, the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance that electronic banking security using single-factor customer authentication (e.g. user name and password) would be deemed inadequate for high-risk transactions involving access to customer information or funds transfers. Financial institutions were to implement risk assessments and needed changes by the end of 2006. Nevertheless, the process is still a work-in-progress at many firms.
Customer authentication techniques may involve something a person knows (shared secrets such as passwords or PINs), something a person has (a smart card, USB token, challenge grid, or other one-time pass code generating device), or something a person is (biometrics).
Some institutions have responded to the updated FFIEC guidance by adding additional questions and answers to the customer log-in process. In some cases, the additional questions are interposed based on an analysis of the Internet protocol address of the user or the presence of shared objects or cookies previously placed on a customer’s computer. Some observers have questioned whether the use of additional questions truly constitutes multi-factor authentication because it relies on a single technique based on things the person knows. In their view, multi-factor authentication must be based on more than one of the customer authentication techniques described above.
Accordingly, the extent to which electronic banking security may rely on a single technique based on more than one shared secret seems unresolved. Some have characterized the FFIEC guidance as unduly ambiguous; others deem it suitably flexible in light of the quickly changing nature of the relevant technologies and threats. The answer must await the decisions of regulators and examiners as they review whether the systems of specific financial institutions are adequate.