Regulators urge banks to strengthen customer authentication

WASHINGTON — U.S. financial regulators are calling on banks to strengthen their authentication processes to better protect customer accounts and information systems.

The Federal Financial Institutions Examination Council on Wednesday issued new guidance on how financial institutions should authenticate customers, employees and third parties, now that mobile computing and smartphone applications have multiplied the number of access points into information systems.

“These technologies and access points provide attackers with more opportunities to obtain unauthorized access, commit fraud and account takeover, or exfiltrate data,” the guidance said. “Certain authentication controls, previously shown effective, no longer provide sufficient defense against evolving and increasingly sophisticated methods of attack.”

The new guidance replaces guidelines issued in 2005 and 2011.

It outlines an expansive risk assessment that financial institutions should conduct before implementing new services, including: taking a complete inventory of all information systems, digital banking services and customers; identifying high-risk users and high-risk customers and the threats to them; and periodically reassessing whether existing authentication controls are still adequate.

Financial institutions should implement layered security controls, such as multifactor authentication, user session timeouts, system hardening, network segmentation, monitoring processes and transaction amount limits, according to the guidance.

The FFIEC recommends that financial institutions employ reliable customer identification methods when establishing accounts. Banks should not depend solely on knowledge-based questions to verify customers’ identities, the guidance says; the answers to such questions are frequently available to attackers from data breaches and public sources.

The guidance also points to email systems and internet browsers as potential access points that bad actors may take advantage of when trying to break into bank accounts or other financial information systems.

“These attacks frequently take advantage of misconfigured applications, operating systems, and unpatched vulnerabilities by using social engineering and phishing campaigns,” the guidance said.

Financial institutions should strengthen their controls in call centers and help desks, the guidance says, because bad actors have deceived call-center staff into resetting passwords and other credentials, giving them access to accounts and other information systems.

The guidance highlights risks associated with data aggregators that customers interact with, noting that aggregators are often able to access customer data directly or through third parties.

FFIEC also recommends that financial institutions conduct a comprehensive customer awareness campaign to educate consumers about the methods employed by bad actors to access bank accounts.
