Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Friday, July 28, 2006

Banks face Web security deadline

For some bank IT managers, last fall’s release of federal guidelines for validating the identities of online users helped catalyze ongoing efforts to adopt so-called strong authentication measures.  But a majority of U.S. banks appear unprepared to meet the Dec. 31 deadline by which they’re supposed to comply with the guidelines, several analysts said this week.  “Most banks haven’t done much with [the guidelines] because there is still some confusion as to what needs to be done,” said George Tubin, an analyst at TowerGroup in Needham, Mass.  Preston Woods, the company’s chief information security officer, said the release of the guidelines last October by the Federal Financial Institutions Examination Council gave a push to a strong authentication initiative that Zions had already started.

Earlier this month, the company’s Zions Bank unit added a multifactor authentication feature called SecurEntry for users of its online banking services.  Woods said SecurEntry is based on technology from RSA Security Inc. and allows Zions to better authenticate users to its Web site and ensure that they know they’re connected to a legitimate site.  The technology works by profiling the devices that customers typically use to log into the bank’s online systems.

Desert Schools Federal Credit Union in Phoenix is using a similar authentication approach based on technology from Santa Clara, Calif.-based Bharosa Inc. to meet the FFIEC’s guidelines.  “It kind of moved things up for us,” CIO Ron Amstutz said, adding that he thought the FFIEC was quite clear on what it wanted banks to do.

The FFIEC is an interagency body set up to develop standards for the auditing of financial institutions.  Although the council isn’t mandating compliance with the authentication guidelines, it has said that banks will be audited against them starting next year.

Posted on 07/28