Page 1 of 3
#1571073 - 06/28/11 09:36 PM FFIEC Authentication Guidance
AFaquir Offline
Platinum Poster
AFaquir
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
Hooray, it's finally here... and we thought DFA was tough... at least we know about "banking."

Most of us don't know enough about Technology to pull this off! Good luck everybody!

FFIEC Final Authentication Guidance
_________________________
In life, there is a lot less that could get better and a lot more that could get worse.

MBA Fin/MBS HR

My views only!

eBanking / Technology
#1571265 - 06/29/11 01:34 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
DEL Offline
Platinum Poster
Joined: Oct 2002
Posts: 726
Maine
I've just been reading through this - it looks very similar to the required SCI program at this point - assess the risk, show why the "layers" you have chosen address these risks. It seems like our need for the technology and non-technology areas of the bank to work together is increasing.

#1572156 - 06/30/11 02:37 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
On Friday, July 8th, beginning at 11:00am CDT, CoNetrix and the Michigan Bankers Association (MBA) are sponsoring a Free webinar reviewing the FFIEC Supplemental Guidance on Internet Banking Authentication. You can register by going directly to FFIEC Supplemental Guidance on Internet Banking Authentication webinar
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1575324 - 07/07/11 10:24 PM Re: FFIEC Authentication Guidance [Re: Russ Horn]
Lele Offline
Platinum Poster
Lele
Joined: Feb 2007
Posts: 817
In the Sun
The Guidance mentions having more active consumer awareness & education efforts. We were thinking about having a brochure. Does anyone have one to use as a sample that they are willing to share?
_________________________
Faith is seeing light with your heart when all your eyes see is darkness...

#1579467 - 07/18/11 07:33 PM Re: FFIEC Authentication Guidance [Re: Lele]
VMdude Offline
New Poster
Joined: Mar 2009
Posts: 7
In order to add additional layers of security I have reviewed Trusteer's Rapport, Guardian Analytics, IronKey, and my Internet banking vendor's token based solution for business banking. What are some other solutions out there that community bankers are considering for consumer Internet banking as well as business Internet banking?
_________________________
"Only a dead fish goes with the flow."

#1579500 - 07/18/11 08:07 PM Re: FFIEC Authentication Guidance [Re: VMdude]
danyielg Offline
Gold Star
danyielg
Joined: Jun 2007
Posts: 367
OK
I just posted a similar question. lol
Can you imagine how many times we're gonna have to explain how to use a token? And then to replace them each time they get lost?
At our expense? Oh, and as I'm typing this I get a package from our correspondent bank with new tokens for me because there was a cyber attack on the company that provides our tokens. WOW!
So then who pays for them when that happens to us and we have to reissue every one of our customers' tokens?

#1579509 - 07/18/11 08:11 PM Re: FFIEC Authentication Guidance [Re: danyielg]
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
I have not been through the guidance yet. Are you not able to pass along the cost of replacement tokens as many banks do for debit cards?
Last edited by Andy Z; 07/18/11 08:12 PM.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#1580030 - 07/19/11 07:49 PM Re: FFIEC Authentication Guidance [Re: Andy_Z]
BSAguy Offline
Gold Star
Joined: Aug 2007
Posts: 261
Kansas
The thing I find odd is that the OCC has yet to publish anything on this FFIEC guidance while the FDIC put out a FIL over a week ago.

#1580044 - 07/19/11 08:01 PM Re: FFIEC Authentication Guidance [Re: BSAguy]
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
I believe the OCC released a Bulletin (OCC 2011-26) titled Authentication in an Internet Banking Environment on June 28, 2011 - basically it is just a statement about the Supplement from the FFIEC with the Supplement attached - see below:

OCC Bulletin 2011-26
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1580535 - 07/20/11 06:20 PM Re: FFIEC Authentication Guidance [Re: Russ Horn]
MidwestCFE Offline
Platinum Poster
MidwestCFE
Joined: Jan 2003
Posts: 514
wish it was the Smoky Mountain...
I came from a bank that used tokens, now I'm at a bank that opted for OOB. Each comes with its own pros/cons, some we didn't expect on either side. No perfect system - all can be bypassed, so you really have to decide what you're willing to pay for, and what amount of headache & pushback you can tolerate from customers... lesser of the evils??
We created a "Customer Best Practices for Online Banking", and that's what we use as one tool in customer education. We still need to revise it for our current online banking system, but we are also creating a personal one.
_________________________
My opinions...you get what you paid for..


#1581803 - 07/22/11 04:12 PM Re: FFIEC Authentication Guidance [Re: MidwestCFE]
VMdude Offline
New Poster
Joined: Mar 2009
Posts: 7
Andy, what bank are you doing business with? Your bank is passing along a debit card replacement fee?? We had to do away with that fee over 8 years ago in order to compete in our market area. I doubt that my community bank could pass on more than $3 of the replacement cost of a token device. If our business customers complain, we are told to refund the fee, so it's easier just to "no charge" them to begin with. Same thing with the Cash Management set-up fee; 95% of them are waived because the customer complains about the $35 one-time charge.

More specifically to the FFIEC questions, my Internet banking vendor is pushing One-Time-Passcodes. Ugh!!! As a customer of a competing bank that uses that method, I hate having to get a phone call or a text message to login. As a banker, I am certainly hoping for an alternative solution.
_________________________
"Only a dead fish goes with the flow."

#1582120 - 07/22/11 08:03 PM Re: FFIEC Authentication Guidance [Re: VMdude]
AFaquir Offline
Platinum Poster
AFaquir
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
I just read an article... Password Strength which highlights that while most users are MO-rons when it comes to password strength and security... the fact we, and our service providers, allow them to be is the problem.

A previous poster is right, all systems have flaws, and customer inconvenience is a big concern... but we can and should do better with our user policies. I mean internally to our bank I have like a dozen logins of all varying lengths with all varying change cycles, it's confusing, but if we didn't we would be killed by our regulators... We should expect similar from our customers, and if they want to be silly and use simple ones or write them down for the world to see, that really becomes their problem... not ours. The more we fight it, the more we will end up in bad shape as breaches occur. Just my opinion though...
_________________________
In life, there is a lot less that could get better and a lot more that could get worse.

MBA Fin/MBS HR

My views only!

#1587160 - 08/03/11 07:31 PM Re: FFIEC Authentication Guidance [Re: AFaquir]
Bobw Offline
Gold Star
Bobw
Joined: Nov 2006
Posts: 336
New England
Does anyone have a risk assessment template they used that they are willing to share? I would like to update mine, and was wondering what others might look like?

Thanks if you can assist
_________________________
just my opinion, based on my 30+ years

GO RED SOX!!!

#1587166 - 08/03/11 07:44 PM Re: FFIEC Authentication Guidance [Re: Bobw]
Double U Offline
100 Club
Double U
Joined: Jul 2008
Posts: 219
BBN
I have one that I obtained through another source. Of course, the one I have may need to be tweaked a little to meet some of the new authentication guidance. I would be willing to share if you are interested.

#1587171 - 08/03/11 07:43 PM Re: FFIEC Authentication Guidance [Re: Double U]
Bobw Offline
Gold Star
Bobw
Joined: Nov 2006
Posts: 336
New England
that would be great, thx
_________________________
just my opinion, based on my 30+ years

GO RED SOX!!!

#1587186 - 08/03/11 08:04 PM Re: FFIEC Authentication Guidance [Re: Double U]
Baseball2013 Offline
Member
Baseball2013
Joined: Sep 2006
Posts: 70
We're looking at one-time passwords via text, email or phone call, as that's what our vendor is offering as one of its FFIEC compliant alternatives.

We're not comfortable with the process or cost of issuing (and re-issuing) tokens, and the management of that process. Knowing how many of our customers lose their ATM cards - and how often, it doesn't seem to make sense to go in that direction (and we also charge customers for replacement cards).

We're also looking at implementing a solution which helps protect against malware which our end-users may have unknowingly installed on their computers or in their browsers, as well as man-in-the-middle and man-in-the-browser attacks, which the supplement addresses in greater detail in its appendix.

#1587260 - 08/03/11 09:16 PM Re: FFIEC Authentication Guidance [Re: Baseball2013]
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
Promotion of webinars and conferences must be approved by management and for vendors, through Tobi, Tobi@bankersonline.com.

Next Thursday, Aug. 3rd, we have a free webinar over the FFIEC Supplemental Guidance on Internet Banking Authentication. You can register by going to the FFIEC Supplemental Guidance on Internet Banking Authentication webinar page (http://www.conetrix.com/Webinars.aspx) or directly to ww2.gotomeeting.com/register/824743394

Thanks,
Russ
Last edited by Andy Z; 08/07/11 11:34 PM.
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1587560 - 08/04/11 03:43 PM Re: FFIEC Authentication Guidance [Re: Russ Horn]
Al Miller Offline
Diamond Poster
Al Miller
Joined: Oct 2000
Posts: 2,416
Pleasanton CA USA
Russ, you must use a special calendar. grin

By my calendar, next Thursday is the 11th, and I'll be on the line.


Al
_________________________
Al Miller, CRCM
Opinions expressed are my own and not necessarily shared by my employer.

#1587675 - 08/04/11 05:42 PM Re: FFIEC Authentication Guidance [Re: Al Miller]
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
Al, you are right... my bad... Thursday, the 11th blush
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1587732 - 08/04/11 06:38 PM Re: FFIEC Authentication Guidance [Re: VMdude]
MidwestCFE Offline
Platinum Poster
MidwestCFE
Joined: Jan 2003
Posts: 514
wish it was the Smoky Mountain...
Originally Posted By: atmdude
In order to add additional layers of security I have reviewed Trusteer's Rapport, Guardian Analytics, IronKey, and my Internet banking vendor's token based solution for business banking. What are some other solutions out there that community bankers are considering for consumer Internet banking as well as business Internet banking?

We use Guardian for personal & business. There are 2 kinds: one does logins only, and the full integration will monitor amounts, etc.
We also use OOB instead of tokens - seemed a much better option. Both have pros/cons.
_________________________
My opinions...you get what you paid for..


#1587733 - 08/04/11 06:41 PM Re: FFIEC Authentication Guidance [Re: Baseball2013]
MidwestCFE Offline
Platinum Poster
MidwestCFE
Joined: Jan 2003
Posts: 514
wish it was the Smoky Mountain...
Originally Posted By: Baseball2011
We're looking at one-time passwords via text, email or phone call, as that's what our vendor is offering as one of its FFIEC compliant alternatives.

We're not comfortable with the process or cost of issuing (and re-issuing) tokens, and the management of that process. Knowing how many of our customers lose their ATM cards - and how often, it doesn't seem to make sense to go in that direction (and we also charge customers for replacement cards).

We're also looking at implementing a solution which helps protect against malware which our end-users may have unknowingly installed on their computers or in their browsers, as well as man-in-the-middle and man-in-the-browser attacks, which the supplement addresses in greater detail in its appendix.


I would NOT go with email for your OOB passwords. Hard lesson learned... when the hackers get into the victim's computer, they are often getting their emails too, so if you send the secure access code to email it will be obtained by the hacker... speaking from experience.
_________________________
My opinions...you get what you paid for..


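The two posts above make a point worth seeing in code: an out-of-band code only helps against a compromised PC if the code travels over a channel the malware cannot read, and it only helps against a man-in-the-browser if it is tied to the transaction the bank actually received rather than being a bare login code. The example below is added here and is not from the thread or from any vendor named in it. It binds a short confirmation code to (user, payee, amount) with an HMAC, repeats those details in the message the customer gets on their phone, and rejects the code if the transaction presented at confirmation differs, is reused, expires, or is guessed at repeatedly. The server key, message wording, class name and sample transactions are all constructed for illustration.

```python
"""Added example (not from the thread): an out-of-band transaction confirmation
where the one-time code is cryptographically bound to the transaction the bank
actually received, so a code issued for one payment cannot confirm a different one.
The server key, message format and sample transactions are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

SERVER_KEY = b"constructed-server-side-key-not-for-production"  # hypothetical key
CODE_TTL_SECONDS = 300


def canonical(user: str, payee: str, amount_cents: int) -> bytes:
    """Unambiguous encoding of exactly what the customer is being asked to approve."""
    return f"{user}|{payee}|{amount_cents}".encode()


def bind(code: str, txn: bytes) -> bytes:
    """HMAC over code + transaction.  Only this tag is stored, never the plaintext code,
    so a database read does not yield usable codes and a changed transaction changes the tag."""
    return hmac.new(SERVER_KEY, code.encode() + b"\n" + txn, hashlib.sha256).digest()


@dataclass
class Pending:
    tag: bytes
    expires: float
    attempts: int = 0


class OobConfirmer:
    """Issues one short code per transaction for delivery over a channel the malware on
    the customer's PC cannot read (SMS or voice in the thread's setting, not e-mail)."""

    def __init__(self, max_attempts: int = 3):
        self.pending: Dict[str, Pending] = {}
        self.max_attempts = max_attempts

    def issue(self, user: str, payee: str, amount_cents: int, now: float) -> Tuple[str, str]:
        """Returns (code, message).  In production only `message` leaves the server,
        to the SMS/voice gateway; the code is returned here so the flow can be exercised."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        txn = canonical(user, payee, amount_cents)
        self.pending[user] = Pending(bind(code, txn), now + CODE_TTL_SECONDS)
        # The message repeats the details the bank received, so the customer can
        # spot a man-in-the-browser alteration before reading the code back.
        message = f"Confirm ${amount_cents / 100:,.2f} to {payee}. Code: {code}"
        return code, message

    def confirm(self, user: str, payee: str, amount_cents: int, code: str, now: float) -> bool:
        rec = self.pending.get(user)
        if rec is None or now > rec.expires:
            self.pending.pop(user, None)  # expired codes are discarded, not retried
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(rec.tag, bind(code, canonical(user, payee, amount_cents)))
        if ok or rec.attempts >= self.max_attempts:
            del self.pending[user]  # single use; also lock out after repeated wrong guesses
        return ok
```

Note what this does and does not buy: if malware rewrites the payee after the customer has already read the code back, `confirm` fails because the tag no longer matches; if it rewrites the payee before submission, the customer sees the wrong payee in the phone message and should decline. Sending the same message to the customer's mailbox, as the post above warns, hands both the details and the code to whoever already controls the PC.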
#1595802 - 08/24/11 04:13 PM Re: FFIEC Authentication Guidance [Re: MidwestCFE]
Baseball2013 Offline
Member
Baseball2013
Joined: Sep 2006
Posts: 70
We've also looked into PhoneFactor, Entrust, Trusteer, SilverTail Systems and ThreatMetrix as other options - and are still evaluating.

#1596412 - 08/25/11 03:08 PM Re: FFIEC Authentication Guidance [Re: Baseball2013]
VMdude Offline
New Poster
Joined: Mar 2009
Posts: 7
Thanks for listing the vendors that you are evaluating. There are a couple there that I have not reviewed. Next week I will be evaluating IDology. I stumbled across them in my research. I am looking for something effective, yet as unobtrusive as possible. That is probably just a dream.
_________________________
"Only a dead fish goes with the flow."

#1609425 - 09/27/11 06:08 PM Re: FFIEC Authentication Guidance [Re: VMdude]
ndbanker Offline
Member
Joined: Jan 2006
Posts: 68
We have work to do regarding the customer education requirements of the supplemental guidance. Has anyone partnered with a vendor to provide the content for educating customers? If so, can you share the vendor name and whether you have been satisfied?

#1610175 - 09/28/11 07:38 PM Re: FFIEC Authentication Guidance [Re: ndbanker]
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
Just throwing out that discussions about vendors need to be in the Private forums. What is here, listings, is fine, but critiques are different, if you take it to that level.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell
