Upon assignment of the internet banking ID and PIN, a bank that I am auditing is putting both on the same letter sent to the customer. Understanding security concerns and best practices with having both evident on the letter, is there any FDIC and/or OCC regulation prohibiting this action?

Thanks in advance.

A reg outright prohibiting this? Not to my knowledge, but there are some questions to ask here.

My first question would be, what is the multi-factor authentication method used in conjunction with the user ID and password? If it's dealt with separately, and is robust, it might not be as big of a issue.

Secondly, I wonder what sort of written risk assessment there is on the subject. That may offer some clues to why they are doubling up on the uer ID and PIN. If there is no formal risk assessment, then that's a significant finding right there. You can refer to a number of things for that one.

Yes, they are using Cyota for their MFA. Behavior based.



There in lies another problem, no RA for internet banking. So, there are several concerns.

Thanks.

Use of MFA will not mitigate the risk here for a first-time log in on internet banking. User name and PIN should be sent out separately.

Given that they don't have a risk assessment, I'd focus mostly on that--but specifically mention that the practice of sending the username and PIN out together exposes new users to a great deal of risk and needs to be reconsidered while they build a risk assessment.

Our Online Banking users choose their own password at application/registration for Online Banking. We mail them their user ID, which must be changed at initial sign on. I would never be comfortable sending both credentials in the same envelope, or even on the same day.

For business online banking, we have a more sophisticated system, which requires two ID's and two passwords, which we send out in *three* separate mailings over three business days.

Two different envelopes, two different days, by two different people.

We send two separate emails to the customer.One with general instructions, agreements and User ID. Another one with the temporary password. Such password is valid only for 72 hours.

Once customer signs up and update his/her online information, a Customer service reps contacts the customer to ensure that the customer indeed updated such info (here is where we offer other products and services as well).

By e-mail? Encripted e-mail or secure site-to-site I hope?

Our system allows the user to choose a username and pssword during the auto enrollment. They must verfiy the amount of last deposit or their telephone banking PIN.

We follow the enrollment up with a welcome letter that contains a form for them to complete and return requesting they choose a security question/answer. This is sent to the address on our core system.