BOL Conferences
#1135215 - 02/24/09 09:07 PM Online Banking
52OPS Offline
100 Club
Joined: Apr 2008
Posts: 199
Can anyone provide some guidance as to reviewing and monitoring customer password failures/resets with online banking applications?

Specifically, does anyone monitor reports indicating unsuccessful attempts, and do you send letters or place calls to your customers to find out if their password is being compromised?

How often do you think passwords should be required to be changed?

eBanking / Technology
#1137985 - 02/28/09 01:09 AM Re: Online Banking 52OPS
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
Not a direct answer, but have you looked at the FFIEC manuals for any of this? There isn't a specific reg addressing it, if that is what you're after.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#1153930 - 03/30/09 06:24 PM Re: Online Banking Andy_Z
Susan Orr Offline
New Poster
Joined: Aug 2008
Posts: 13
Illinois
Yes, I see a lot of banks doing this, and I highly recommend it. There isn't any specific "regulation" that requires it though. It is just a good practice. Some banks will review it and if they see repeated attempts - usually double digits and the customer hasn't called in to get it reset - the bank gives a courtesy call to make sure it is the customer trying and not someone else.

You should also monitor the administrators' activity too, including those who reset the passwords.
_________________________
Susan Orr, CISA CRP CISM
susan@susanorrconsulting.com
630.499.0276

#1154295 - 03/31/09 03:46 AM Re: Online Banking 52OPS
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
The FFIEC does suggest:
"User lockout after a number of failed log-on attempts - industry practice is generally no more than 3 to 5 incorrect attempts"
and
"Review of password exception reports"
However, they don't give specifics on how/when/what specifically to review in the password exception reports.

This can be found in the FFIEC IT Examination Handbook, E-Banking Booklet
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com
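
Added example (not from any poster in this thread, and not the export format of any real banking platform): a review pass over a constructed authentication log that applies the two FFIEC practices Russ Horn quotes, lockout after a small number of consecutive failures and review of the password exception report, together with the courtesy-call trigger Susan Orr describes (double-digit failures with no customer-initiated reset) and a review of administrator resets. The log line format, the user names, the ticket convention in the detail field and the thresholds of 5 and 10 are all assumptions chosen for the example.

```python
"""Review of online-banking authentication events (constructed example).

Assumed log format, one event per line: ts|user|event|actor|detail
  event is LOGIN_FAIL, LOGIN_OK, RESET_CUSTOMER (customer called in, verified
  by the helpdesk) or RESET_ADMIN (an administrator reset the password).
  actor is whoever performed the event; detail is free text, and by the
  assumed convention a legitimate reset carries a "ticket NNNN" reference.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5          # FFIEC: industry practice is 3 to 5 failures
COURTESY_CALL_THRESHOLD = 10   # "double digits" of failures in the review window


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    kind: str
    actor: str
    detail: str


def parse_log(text):
    """Parse the assumed pipe-separated format; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, kind, actor, detail = line.split("|", 4)
        events.append(Event(ts, user, kind, actor, detail))
    return events


def _fail_run(user, day, count, hour):
    """Build `count` consecutive failures one minute apart (sample data only)."""
    return "\n".join(
        f"{day}T{hour:02d}:{i:02d}:00|{user}|LOGIN_FAIL|{user}|bad password"
        for i in range(count)
    )


DAY = "2009-03-30"
# Constructed sample log: typo-and-recover, a brute-force run nobody reported,
# a run the customer did call in about, and two administrator resets.
SAMPLE_LOG = "\n".join([
    f"{DAY}T08:00:00|jsmith|LOGIN_FAIL|jsmith|bad password",
    f"{DAY}T08:00:10|jsmith|LOGIN_FAIL|jsmith|bad password",
    f"{DAY}T08:00:20|jsmith|LOGIN_OK|jsmith|",
    _fail_run("acme_payroll", DAY, 12, 9),   # 12 failures, no call to the bank
    _fail_run("bjones", DAY, 11, 10),        # 11 failures, then the customer called
    f"{DAY}T10:30:00|bjones|RESET_CUSTOMER|helpdesk1|ticket 4411 caller verified",
    f"{DAY}T11:00:00|cwhite|RESET_ADMIN|admin7|",              # no ticket reference
    f"{DAY}T11:05:00|dlee|RESET_ADMIN|admin7|ticket 4412 caller verified",
])


def lockouts(events, threshold=LOCKOUT_THRESHOLD):
    """{user: timestamp of the failure that reached `threshold` in a row}.
    A successful login or any reset clears the streak; later failures still
    count in the exception report but the first lockout time is kept."""
    streak, locked = Counter(), {}
    for e in events:
        if e.kind == "LOGIN_FAIL":
            streak[e.user] += 1
            if streak[e.user] == threshold:
                locked.setdefault(e.user, e.ts)
        else:
            streak[e.user] = 0
    return locked


def exception_report(events):
    """Per user: failure count, whether the customer called in for a reset,
    and every administrator reset performed on the account."""
    report = defaultdict(lambda: {"failures": 0, "customer_reset": False,
                                  "admin_resets": []})
    for e in events:
        row = report[e.user]
        if e.kind == "LOGIN_FAIL":
            row["failures"] += 1
        elif e.kind == "RESET_CUSTOMER":
            row["customer_reset"] = True
        elif e.kind == "RESET_ADMIN":
            row["admin_resets"].append((e.actor, e.ts, e.detail))
    return dict(report)


def courtesy_call_list(report, threshold=COURTESY_CALL_THRESHOLD):
    """Accounts with double-digit failures and no customer-initiated reset:
    the ones to phone and ask whether it was really the customer."""
    return sorted(u for u, r in report.items()
                  if r["failures"] >= threshold and not r["customer_reset"])


def admin_resets_to_review(events):
    """Administrator resets that carry no ticket reference and so cannot be
    tied to a customer request; the administrator should explain these."""
    return [(e.user, e.actor, e.ts) for e in events
            if e.kind == "RESET_ADMIN" and "ticket" not in e.detail.lower()]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    rep = exception_report(ev)
    print("locked out:", lockouts(ev))
    print("courtesy calls:", courtesy_call_list(rep))
    print("admin resets to review:", admin_resets_to_review(ev))
```

Run against the sample, the script locks acme_payroll and bjones at their fifth consecutive failure, lists only acme_payroll for a courtesy call (bjones called in and got a verified reset), and flags admin7's reset of cwhite because it has no ticket behind it. On a real platform the same three questions apply, whatever the export looks like: who hit the lockout, who racked up failures without ever contacting the bank, and which administrator resets have no customer request behind them.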

