#1571073 - 06/28/11 09:36 PM
FFIEC Authentication Guidance
|
Platinum Poster
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
|
Hooray it's finally here... and we thought DFA was tough... at least we know about "banking." Most of us don't know enough about Technology to pull this off! Good luck everybody! FFIEC Final Authentication Guidance
_________________________
In life, there is a lot less that could get better and a lot more that could get worse.
MBA Fin/MBS HR
My views only!
|
#1571265 - 06/29/11 01:34 PM
Re: FFIEC Authentication Guidance
AFaquir
|
Platinum Poster
Joined: Oct 2002
Posts: 730
Maine
|
I've just been reading through this - it looks very similar to the required SCI program at this point - assess the risk, show why the "layers" you have chosen address these risks. It seems like our need for the technology and non-technology areas of the bank to work together is increasing.
|
#1575324 - 07/07/11 10:24 PM
Re: FFIEC Authentication Guidance
Russ Horn
|
Platinum Poster
Joined: Feb 2007
Posts: 827
In the Sun
|
The Guidance mentions having more active consumer awareness & education efforts. We were thinking about having a brochure. Does anyone have one to use as a sample that they are willing to share?
_________________________
Faith is seeing light with your heart when all your eyes see is darkness...
|
#1579467 - 07/18/11 07:33 PM
Re: FFIEC Authentication Guidance
Lele
|
New Poster
Joined: Mar 2009
Posts: 7
|
In order to add additional layers of security I have reviewed Trusteer's Rapport, Guardian Analytics, IronKey, my Internet banking vendor's token-based solution for business banking. What are some other solutions out there that community bankers are considering for consumer Internet banking as well as business Internet banking?
_________________________
"Only a dead fish goes with the flow."
|
#1579509 - 07/18/11 08:11 PM
Re: FFIEC Authentication Guidance
danyielg
|
10K Club
Joined: Oct 2000
Posts: 27,763
On the Net
|
I have not been through the guidance yet. Are you not able to pass along the cost of replacement tokens as many banks do debit cards?
Last edited by Andy Z; 07/18/11 08:12 PM.
_________________________
AndyZ CRCM My opinions are not necessarily my employer's. R+R-R=R+R Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell
|
#1580030 - 07/19/11 07:49 PM
Re: FFIEC Authentication Guidance
Andy_Z
|
Gold Star
Joined: Aug 2007
Posts: 304
Kansas
|
The thing I find odd is that the OCC has yet to publish anything on this FFIEC guidance while the FDIC put out a FIL over a week ago.
|
#1580535 - 07/20/11 06:20 PM
Re: FFIEC Authentication Guidance
Russ Horn
|
Platinum Poster
Joined: Jan 2003
Posts: 525
wish it was the Smoky Mountain...
|
I came from a bank that used tokens, now I'm at a bank that opted for OOB. Each comes with its own pros/cons, some we didn't expect on either side. No perfect system - all can be bypassed, so you really have to decide what you're willing to pay for, and what amount of headache & pushback you can tolerate from customers... lesser of the evils? We created a "Customer best Practices for online banking", and that's what we use as one tool in customer education. We still need to revise it for our current online banking system, but we are also creating a personal one.
_________________________
My opinions...you get what you paid for..
|
#1581803 - 07/22/11 04:12 PM
Re: FFIEC Authentication Guidance
MidwestCFE
|
New Poster
Joined: Mar 2009
Posts: 7
|
Andy, what bank are you doing business with? Your bank is passing along a debit card replacement fee?? We had to do away with that fee over 8 years ago in order to compete in our market area. I doubt that my community bank could pass on more than $3 of the replacement cost of a token device. If our business customers complain, we are told to refund the fee, so it's easier just to "no charge" them to begin with. Same thing with the Cash Management set-up fee; 95% of them are waived because the customer complains about the $35 one-time charge.
More specifically to the FFIEC questions, my Internet banking vendor is pushing One-Time-Passcodes. Ugh!!! As a customer of a competing bank that uses that method, I hate having to get a phone call or a text message to log in. As a banker, I am certainly hoping for an alternative solution.
_________________________
"Only a dead fish goes with the flow."
|
#1582120 - 07/22/11 08:03 PM
Re: FFIEC Authentication Guidance
VMdude
|
Platinum Poster
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
|
I just read an article... Password Strength which highlights that while most users are MO-rons when it comes to password strength and security... the fact we, and our service providers, allow them to be is the problem. A previous poster is right, all systems have flaws, and customer inconvenience is a big concern... but we can and should do better with our user policies. I mean internally to our bank I have like a dozen logins of all varying lengths of all varying change cycles, it's confusing, but if we didn't we would be killed by our regulators... We should expect similar from our customers, and if they want to be silly and use simple ones or write them down for the world to see, that really becomes their problem... not ours. The more we fight it, the more we will end up in bad shape as breaches occur. Just my opinion though...
_________________________
In life, there is a lot less that could get better and a lot more that could get worse.
MBA Fin/MBS HR
My views only!
|
#1587160 - 08/03/11 07:31 PM
Re: FFIEC Authentication Guidance
AFaquir
|
Gold Star
Joined: Nov 2006
Posts: 336
New England
|
Does anyone have a risk assessment template they used that they are willing to share? I would like to update mine, and was wondering what others might look like?
Thanks if you can assist
_________________________
just my opinion, based on my 30+ years
GO RED SOX!!!
|
#1587171 - 08/03/11 07:43 PM
Re: FFIEC Authentication Guidance
Double U
|
Gold Star
Joined: Nov 2006
Posts: 336
New England
|
that would be great, thx
_________________________
just my opinion, based on my 30+ years
GO RED SOX!!!
|
#1587560 - 08/04/11 03:43 PM
Re: FFIEC Authentication Guidance
Russ Horn
|
Diamond Poster
Joined: Oct 2000
Posts: 2,416
Pleasanton CA USA
|
Russ, you must use a special calendar. By my calendar, next Thursday is the 11th, and I'll be on the line. Al
_________________________
Al Miller, CRCM Opinions expressed are my own and not necessarily shared by my employer.
|
#1587732 - 08/04/11 06:38 PM
Re: FFIEC Authentication Guidance
VMdude
|
Platinum Poster
Joined: Jan 2003
Posts: 525
wish it was the Smoky Mountain...
|
"In order to add additional layers of security I have reviewed Trusteer's Rapport, Guardian Analytics, IronKey, my Internet banking vendor's token-based solution for business banking. What are some other solutions out there that community bankers are considering for consumer Internet banking as well as business Internet banking?"
We use Guardian for personal & business. There are 2 kinds, one does logins only and the full integration will monitor amounts, etc. We also use OOB instead of tokens - seemed a much better option. Both have pros/cons.
_________________________
My opinions...you get what you paid for..
|
#1587733 - 08/04/11 06:41 PM
Re: FFIEC Authentication Guidance
Baseball2013
|
Platinum Poster
Joined: Jan 2003
Posts: 525
wish it was the Smoky Mountain...
|
We're looking at one-time passwords via text, email or phone call, as that's what our vendor is offering as one of its FFIEC compliant alternatives.
We're not comfortable with the process or cost of issuing (and re-issuing) tokens, and the management of that process. Knowing how many of our customers lose their ATM cards - and how often, it doesn't seem to make sense to go in that direction (and we also charge customers for replacement cards).
We're also looking at implementing a solution which helps protect against malware which our end-users may have unknowingly installed on their computers or in their browsers, as well as man-in-the-middle and man-in-the-browser attacks, which the supplement addresses in greater detail in its appendix.
I would NOT go with email for your OOB passwords. Hard lesson learned... when the hackers get into the victim's computer, they are often getting their emails too. So if you send the secure access code to email, it will be obtained by the hacker... speaking from experience.
_________________________
My opinions...you get what you paid for..
|
#1596412 - 08/25/11 03:08 PM
Re: FFIEC Authentication Guidance
Baseball2013
|
New Poster
Joined: Mar 2009
Posts: 7
|
Thanks for listing the vendors that you are evaluating. There are a couple there that I have not reviewed. Next week I will be evaluating IDology. I stumbled across them in my research. I am looking for something effective, yet as unobtrusive as possible. That is probably just a dream.
_________________________
"Only a dead fish goes with the flow."
|
#1609425 - 09/27/11 06:08 PM
Re: FFIEC Authentication Guidance
VMdude
|
Member
Joined: Jan 2006
Posts: 70
|
We have work to do regarding the customer education requirements of the supplemental guidance. Has anyone partnered with a vendor to provide the content for educating customers? If so, can you share the vendor name and whether you have been satisfied?
|
#1610175 - 09/28/11 07:38 PM
Re: FFIEC Authentication Guidance
ndbanker
|
10K Club
Joined: Oct 2000
Posts: 27,763
On the Net
|
Just throwing out that discussions about vendors need to be in the Private forums. What is here, listings, is fine, but critiques are different, if you take it to that level.
_________________________
AndyZ CRCM My opinions are not necessarily my employer's. R+R-R=R+R Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell
|