Cyber Security Institute
Tuesday, February 21, 2006
Last October, a relatively obscure government body called the Federal Financial Institutions Examination Council, or FFIEC, issued what it called guidance but which looks much like a mandate. Starting in January 2007, financial institutions must provide consumers of online financial services with the same security protection enjoyed by customers buying groceries or gas with a debit card: strong authentication.
On the surface, it appears that forcing banks to add a second factor of authentication could improve the well-documented, rapidly deteriorating state of online security. It’s not clear, however, that a second factor will significantly reduce “modern” risks; we could be preparing for the next war by planning for the last one.
It’s also unclear whether financial companies can balance the cost of scaling two-factor authentication for the masses against the benefit of whatever risk reduction it might provide.
The FFIEC guidance is the latest incarnation of a security truism: Threats don’t disappear, they migrate, or else over time they mutate to overcome the defenses deployed against them.