Avivah Litan: Authentication Guidance Pros, ConsLayered Security, Not just Multifactor Authentication, A Must
The new FFIEC Authentication Guidance is a very good "cookbook" for financial institutions to apply layered security to their systems, says Avivah Litan of Gartner.
Institutions can take the document and "look at their systems honestly and objectively and ask themselves how many security layers have they put in," Litan says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
Banks and credit unions have a lot of work to do, particularly smaller-sized institutions. Litan estimates that 80 percent of financial institutions have very weak security, relying mainly on cookies, Flash objects and challenge questions. "They need to put in a layered system security approach," she says.
Larger banks are in better shape for complying with the new guidelines because they have the resources. The guidance will mostly make waves in smaller banks.
Litan says the new guidance emphasizes the need for layered security, and points out that every authentication technique can be compromised. "If the criminals get through one layer, you've got another layer to back you up," she says.
The FFIEC guidance could have focused more on specifically outlining steps institutions must take to inform commercial customers of online risks and liability.
During this interview about the formal FFIEC guidance, Litan discusses:
- Why layered security, not just multifactor authentication, is a must;
- Why compliance with the new guidance will have a more immediate impact on smaller institutions than large ones;
- What institutions should be doing now, to ensure they're ready to comply with assessors' demands by Jan. 1, 2012.
Litan has more than 30 years of experience in the IT industry and is a Gartner Research vice president and distinguished analyst. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications, as well as other areas of information security and risk. She also covers the security related to payment systems and PCI compliance.
What's Good About the Guidance?TRACY KITTEN: You've noted several points about the formal guidance, which was released June 28, that are positive. What are some of the guidance's high points, from your perspective?
AVIVAH LITAN: I think they've got the principles right. For example, they emphasize the need for a system of layered security, and they repeat time and again that virtually every authentication technique can be compromised, so it's important to have this layered system. If the criminals get through one layer, you've got another layer to back you up. I thought that was an excellent addition for the banks to have, an excellent piece of guidance.
Also, they emphasized a risk-based approach. They differentiated between business accounts and consumer accounts, and mentioned that there's obviously more money in business accounts and the controls have to be tighter there than they are in lower risk accounts. They talked about the need to control privileged user access to sensitive applications. That dimension was not addressed previously so they included a lot more on the principle side than they did on the last version, the main one being the layered system security approach.
What's Missing?KITTEN: Now you also note some areas in which the guidance falls short, such as too much emphasis on customer awareness and education, but little direction. Can you explain?
LITAN: I was encouraged that the regulators made it clear to the banks that you've got to tell customers what kind of protections they do have and don't have when it comes to money transfer, specifically around Regulation E. As we all know by now, Regulation E doesn't apply to business accounts. So that piece of the guidance was encouraging when I first saw the draft, but they didn't say anything about how that has to be disclosed. Most banks already disclose the protection to business accounts in their contracts with their customers, and these contracts are lengthy documents in small fonts, small typeset, that people don't read through.
When the credit card industry overhauled some of the legislation and regulations around their disclosure practices, the regulators and the legislators made a point of telling those card issuers they can't send out fine print that's impossible to read anymore. You've got to make it very clear to customers, clear and simple. You may have noticed that the notices you get in your mailbox were a lot easier to read this time from the credit card issuers than they've been in the past. Well, that similar type of guidance was not included here in the FFIEC guidance to banks, so you can just expect that it'll still be small, fine print that no one bothers to read. That was disappointing.
KITTEN: You also noted that the guidance seems a bit short-sighted when it comes to addressing emerging or future threats. It focuses on the current threats that we see in the industry but doesn't really have any forward-looking thoughts. And you note that this is something that's especially concerning for smaller institutions that really rely on the guidance to help them figure out how to curb ACH fraud.
LITAN: Let's separate that question out into two parts, first the emerging technology part and second what the smaller banks have on their plate. From the emerging technology viewpoint, it's true the guidance is backwards looking. It's looking at yesterday's threats when it gets into details. The principles are sound for both yesterday and tomorrow's threats, but they trip themselves up, in my opinion, by getting into technical details, for example on device identification, out-of-band transaction verification, out-of-band authentication and challenge questions. And many of those techniques don't apply to mobile banking. We will see big shifts in the next five years to mobile banking, whether from smart phones or tablets. So the techniques that they're talking about in the guidance have no relevance there or very little relevance there, and I can just see this document getting out of date again, as it did last time.
So I empathize with the regulators. Many of the banks do need prescriptions that are fairly detailed, but it would have been better if they had kept those details out of the document like this and put it somewhere else where they could update it at least once a year. Because what you could see happening is what's happened before. The banks will take out this document, read the appendix, put in some of the controls that are asked for or used as examples, and then say our job's done. Now the attack vectors are going to change. They'll move to mobile. They'll move to telephone channels. They'll move to ways that we haven't thought of yet and the methods that were put in won't work, so we'll need an update again in a couple of years.
Now let's move on to what you asked about the small banks. About 80 percent of the banks in the United States rely on third-party service providers that are providing their online banking platforms and also the security for online banking. Even some of the large banks rely on those service providers for ACH and wire transfer. It's not clear in this guidance how a small bank will take this guidance and apply it when they rely on their service provider. In the past, the examinations and enforcement seem to have been heavily directed towards the banks themselves and not enough at the service provider level. So I was looking for something in the guidance to say smaller institutions should demand certain types of certifications or certain service-level agreements from their third party providers - something to help those smaller banks that rely on third party providers. Because right now they're at the mercy of those providers, and they don't have direction on how to get the kind of security measures they need out of them.
The Draft Versus the Formal SupplementKITTEN: If we go back to compare the drafted supplement, which was inadvertently leaked in December, to the formal supplement that was just issued, what changes, if any, stand out?
LITAN: I think that there's more discussion of layered security and less discussion on multifactor authentication. The only place where I saw multifactor authentication referred to in the new document was under the section on business banking. And frankly, I'm not really sure what the regulators mean by multifactor authentication, so that's a separate issue. But generally speaking, the new draft that was formalized and released has a much stronger discussion on layered security and gives some really good examples of what layered security looks like. Again, the regulators find themselves in this tough position of being not prescriptive enough or overly prescriptive; and I don't envy their job. It's a lot easier to be an analyst looking at this than having to go write the guidance and satisfy everyone. But they do a good job outlining the layered security approach. They do throw in some details like IP geolocation services that are already being defeated. But they do that for illustration purposes. But in other words, to answer your question, I thought the guidance did a much better job on discussing layered security than previous drafts have done.
KITTEN: And do you think that the stronger emphasis on layered security could perhaps have been influenced by recent breaches that we've seen in the industry, such as the breach of RSA's SecurID two-factor authentication tokens?
LITAN: Yes, I do. I think that the regulators know about a lot of incidents, including the ones we read in the press and many that we don't read in the press. They went back and looked at those breaches and realized that the previous measures that they had been recommending weren't enough, and they even said so in the preface, in the appendix. Authentication on its own, or some of these measures on their own, can be beaten. And they saw that firsthand. So I think that the recent breaches certainly pushed them over the edge to making sure they were very clear about the need for a layered security approach.
KITTEN: Six months have passed since the time the draft was circulated and the issuance of the formal guidance with very few changes, beyond the layered security changes that we've just talked about. What's taken so long?
LITAN: None of us really know, but if you read between the lines, it seems pretty obvious that there was some dissension in the ranks. There's some kind of evidence that at least one agency, one of the five that constitute the FFIEC, was not on board. There were always a lot of bank lobbyists that were lobbying against the issuance of this guidance because it means the banks have to spend more money on security and they don't want the examiners breathing down their necks.
There was a lot of opposition from the banks, their lobbyists, and I think one of the agencies at least was also reluctant to impose this new document with its guidance. I think the regulators are worried about taking a heavy-handed approach. The financial services industry has obviously gone through a very tough time. The regulators are already all over the banks in terms of financial reporting, standards and capital standards, and things that go directly to the balance sheet and how it's recorded. So for them to come along and start asking for more in terms of security, it's just something they do hesitatingly. But they need to because there are lots of businesses in the U.S. that are losing hundreds of millions of dollars, and they have no clue that their banks aren't going to recover those losses for them. It's the regulators' jobs to protect the safety and soundness of our financial system. I think there's just been a lot of reluctance to add more requirements on top of what they've already imposed on them.
What Financial Institutions Should Focus OnKITTEN: And that's a nice segue into the next question I was going to ask. What should financial institutions, from your perspective, be focused on in this guidance? And to be quite honest, the regulators have pointed this out too. Much of what they note in the guidance are things that the institutions should have already been doing.
LITAN: I think that this document provides a very good cookbook for the banks to take back to their offices and look at their systems honestly and objectively and ask themselves how many security layers have they put in. I would venture to say that in 80 percent of the financial institutions of the United States, they have very weak security that relies mainly on cookies, Flash objects on PCs and challenge questions. Those banks do have a lot of work to do. I don't think there are any two ways to look at it. They need to put in a layered system security approach. I think the larger banks and the regional banks are in good shape because they actually have the resources to worry about this stuff, and they do worry about it. No one wants fraud, and they have been working pretty actively the last couple years with or without the regulation and the guidance.
This is mainly a document that's going to make a lot of waves in the smaller bank segment in the United States if you ask me, because those are the ones that have very weak security. Gartner just finished a survey in February 2011 that shows about 80 percent of the banks in the U.S. rely on these cookies or Flash objects on the PC, along with challenge questions, to authenticate the customers. And then their jobs are pretty much done. That's just not adequate anymore. Eighty percent of the banks probably only have about 20 percent of the nation's assets, but still, it's thousands of banks that are involved.
KITTEN: Right. That's a good point. And before we close, what final thoughts about the guidance, generally, would you like to share with our audience?
LITAN: Frankly, when I read it, I was pretty encouraged. I thought it was really a very well-written, thoughtful piece of work in terms of laying out the principles and giving good examples. I thought it was really well done. On the other hand, I do think they tripped themselves up by talking too many technology details. There's an old adage that regulators should stay away from the details of the technology and focus on principles and incentives. And I think that holds true here too.