Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Tuesday, June 28, 2011

Federal agency issues new security rules for financial institutions

The federal agency that regulates banks today issued new rules for online security for financial institutions, instructing them to use minimal types of “layered security” and fraud monitoring to better protect against cybercrime.  It’s the first time the Federal Financial Institutions Examination Council (FFIEC) has updated its rules since 2005, and the instructions to regulated financial services today focus on protecting high-dollar Automated Clearinghouse (ACH) transactions that have been targeted by sophisticated cybercrime groups that hijack business PCs in order to initiate fraudulent transactions.

The FFIEC also instructs banks and financial institutions to focus their network defense on layered security protections that involve fraud monitoring; use of dual customer authorization through different access devices; the use of out-of-band verification; and the use of “positive pay,” debit blocks and other technologies to appropriately limit the transactional use of the account.  The FFIEC guidelines also tell financial institutions they must use “two elements at a minimum” as “process designed to detect anomalies and effectively respond to suspicious and anomalous activity.”

Since 2005 when the FFIEC, on behalf of other federal government agencies with regulatory oversight of banks, issued its initial guidelines, banks have moved to deploy some different types of two-factor authentication more broadly.

The new guidance is more specific, and the FFIEC says that’s because cybercrime against the banking industry and its customers is worse now.  “Fraudsters have continued to develop and deploy more sophisticated, effective and malicious methods to compromise authentication mechanisms and gain unauthorized access to customer accounts,” the FFIEC says.

Posted on 06/28