New FFIEC Guidelines: Time to Layer


The FFIEC just released a new set of supplemental guidelines for security measures to thwart identity thieves in the financial industry. The focus is on risk assessments and customer awareness, as well as layered identity authentication techniques designed to distinguish legitimate customers. Many of the layering techniques suggested are commonly used today, such as device tracking (cookies), out-of-band verification (text message to a cell phone), limited transactions per day, IP blocking, challenge questions and various others. The guidance also urges institutions to have a plan in place to detect and respond to malicious activity based on the layering techniques.
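To make the "layered" idea concrete, here is an added example (not EVS code and not text from the FFIEC guidance) of a small risk-scoring decision engine that combines several of the controls named above: device recognition via a long-lived cookie, an IP block list, a per-day transaction limit, and an out-of-band step-up. The policy values, the network range, the usernames and the `LoginContext`/`UserProfile` types are all constructed for illustration. Each layer contributes to the score independently, so defeating one control (say, stealing the device cookie) does not remove all friction, and the reasons are returned alongside the decision so they can be logged for the detect-and-respond plan the guidance asks for.

```python
"""Illustrative layered-authentication decision engine.

Added example, not EVS product code and not FFIEC text. Every threshold,
network range and user below is a constructed placeholder; a real
institution would tune them from its own risk assessment.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy values (hypothetical).
DAILY_TXN_LIMIT = 5            # transactions allowed per rolling 24 hours
HIGH_VALUE_THRESHOLD = 1000.0  # amount above which extra friction applies
BLOCKED_NETWORKS = [ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed
STEP_UP_SCORE = 2              # at or above: require out-of-band verification
BLOCK_SCORE = 6                # at or above: refuse and alert


@dataclass
class LoginContext:
    """What we know about a single request (constructed type)."""
    user: str
    device_cookie: Optional[str]  # long-lived device cookie value, if present
    source_ip: str
    amount: float                 # value of the requested transaction
    when: datetime


@dataclass
class UserProfile:
    """Per-customer state the institution keeps (constructed type)."""
    known_devices: set = field(default_factory=set)
    txn_times: list = field(default_factory=list)
    oob_verified: bool = False    # one-time code confirmed this session


def txns_in_last_day(profile: UserProfile, now: datetime) -> int:
    """Count transactions in the rolling 24 hours before `now`."""
    cutoff = now - timedelta(days=1)
    return sum(1 for t in profile.txn_times if t > cutoff)


def score(ctx: LoginContext, profile: UserProfile):
    """Return (score, reasons). Each layer adds its own weight; the layers
    are independent so a single bypassed control never zeroes the score."""
    reasons = []
    s = 0
    # Layer 1: device tracking (cookie). Unknown device adds friction.
    if ctx.device_cookie is None or ctx.device_cookie not in profile.known_devices:
        s += 2
        reasons.append("unrecognized device")
    # Layer 2: IP blocking. A listed network is decisive on its own.
    ip = ip_address(ctx.source_ip)
    if any(ip in net for net in BLOCKED_NETWORKS):
        s += 6
        reasons.append("source IP in blocked range")
    # Layer 3: limited transactions per day.
    if txns_in_last_day(profile, ctx.when) >= DAILY_TXN_LIMIT:
        s += 3
        reasons.append("daily transaction limit reached")
    # Layer 4: transaction value.
    if ctx.amount >= HIGH_VALUE_THRESHOLD:
        s += 2
        reasons.append("high-value transaction")
    return s, reasons


def decide(ctx: LoginContext, profile: UserProfile):
    """Map the combined score to ALLOW, STEP_UP (out-of-band code) or BLOCK.
    The reasons list is what the monitoring/response process should log."""
    s, reasons = score(ctx, profile)
    if s >= BLOCK_SCORE:
        return "BLOCK", reasons
    if s >= STEP_UP_SCORE and not profile.oob_verified:
        return "STEP_UP", reasons  # e.g. text a one-time code to the phone on file
    return "ALLOW", reasons


if __name__ == "__main__":
    # Constructed walk-through: known device, then a new device that passes step-up.
    now = datetime(2011, 7, 1, 12, 0)
    alice = UserProfile(known_devices={"dev-abc"})
    print(decide(LoginContext("alice", "dev-abc", "198.51.100.7", 50.0, now), alice))
    print(decide(LoginContext("alice", "dev-new", "198.51.100.7", 50.0, now), alice))
    alice.oob_verified = True
    print(decide(LoginContext("alice", "dev-new", "198.51.100.7", 50.0, now), alice))
```

The weights are deliberately simple; the point is the shape: several independent signals, a step-up path that uses a channel the attacker does not control, and a reasons list that feeds review rather than a silent allow/deny.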

Once again, challenge questions are falling out of favor with the FFIEC as an effective security layer. With the traditional challenge questions used everywhere today, they would be correct. The two methods in use are defined questions (mother's maiden name, first pet's name, etc.) and user-defined questions (write your own question and answer). We've been so conditioned by defined questions that I would venture to say many people recycle the old questions. Two problems exist with these questions: 1) they're the same for almost every website on the Internet, and 2) the information is readily available online.

Contrast traditional challenge questions with out-of-wallet, knowledge-based authentication (KBA) questions. Questions not defined by the user, but drawn from information that only the user would know from their past, are useful and cost-effective tools for a layered approach. EVS provides KBA questions as part of our IdentiFraudConsumer product at no additional charge.


[Contributed by Jeff Davis, President and CEO]