New FFIEC Guidelines Time to Layer

The FFIEC just released
a new set of supplemental guidelines for security measures to thwart identity
thieves in the financial industry. The focus seems to be on risk assessments and
customer awareness, as well as layered id authentication
techniques designed to distinguish customers. Many of the layering techniques
suggested are commonly used today such as device tracking (cookies),
out-of-band verification (text to cell phone), limited transactions per day, IP
blocking, challenge questions and various others. The guidance also urges
institutions to have a plan in place to detect and respond to malicious
activity based on the layering techniques.

Once again Challenge Questions are falling out of favor
with the FFIEC as an effective security layer.
With traditional challenge questions, used everywhere today, they would
be correct. The two methods today are defined questions (mothers maiden name,
first pets name, etc.) and user defined questions (write your question and your
answer). Weve been so conditioned with defined questions I would venture to
say that many people recycle the old questions. Two problems exist with these
questions: 1) theyre the same for
almost every website on the Internet, and 2) the information is readily
available online.

Contrast traditional challenge questions with Out-of-Wallet,
KnowledgeBased Authentication (KBA) questions. Questions not defined by the user,
but using information that only the user would know from their past are useful
and cost effective tools for a layered approach. EVS provides KBA
questions as part of our IdentiFraudConsumer product at no additional charge.


[Contributed by Jeff Davis, President and CEO]

Explore more articles