FIL-103-2005 Authentication in an Internet Banking
Posted By: Oursisnottoreasonwhy
FIL-103-2005 Authentication in an Internet Banking - 10/13/05 04:22 PM
In reading this FIL it states that: "The agencies consider single-factor authentication (eg. Login and Password), to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties." I read this to say any internet banking access that provides account information or transaction capabilities needs to have more than a login and password.
What types of other authentication factors are other internet banking providers using? What are the costs involved in adding additional authenticating factors? Are banks passing the additional costs on to the customer? How is customer acceptance of additional login procedures?
Posted By: Andy_Z
Re: FIL-103-2005 Authentication in an Internet Banking - 10/14/05 12:55 PM
In many countries, and here at some institutions, you'll have a key fob or card with an access code that changes every minute or so. It is in sync with the main system and is needed to login. In some cases a scratch-off card may have the daily codes on it and it is mailed to the customer. That code is needed to login.
There are many versions of dual authentication. I can't quantify the costs or acceptance. But there will be costs, especially at start-up, and people resist change. So neither the bank nor the consumer will especially like it unless they really perceive the risk this is intended to mitigate.
Posted By: Czargazer
Re: FIL-103-2005 Authentication in an Internet Banking - 10/14/05 04:30 PM
I for one am really interested in what folks think about this. The whole thing seemed rather vague to me and relied too much on the institutions' risk assessments--which generally means the assessment will come out less than high so we then don't have to institute any additional safeguards...
The FIL did mention that the agencies are concerned about "high-risk transactions" but what are they classifying as high risk? What does it mean in this context?
We do a moderate amount of online banking, involving Bill Pay, and other transactions. Is this "high-risk" by default or do certain factors apply that would possibly make it "high-risk"? If so, I'd love to know what the agencies think these factors would be! Anybody got any ideas?
Posted By: SusyG
Re: FIL-103-2005 Authentication in an Internet Banking - 10/14/05 04:41 PM
Andy, what are your thoughts on browser-based dual authentication methods? I have done some research on several methods and browser-based seems the most economical for the bank and least intrusive for the customer, but it does have weaknesses as does every method. I just can't see our customers using cards, tokens, etc. The cost of delivering the additional hardware required for other methods would also be costly to the bank. But, I don't want to go with the browser-based method just because it is less costly and easier to implement if I'm not really getting a benefit out of it....
Posted By: Andy_Z
Re: FIL-103-2005 Authentication in an Internet Banking - 10/17/05 05:32 AM
I haven't finished reading that document yet. (Just look at when I posted this.) I believe you'll have to find what is effective first, for now and the future, and what your customers will adopt. The latter is secondary. Many will complain because people resist change. Fewer will drop the product because of it.
You'll have to make your case as one of security and "this is for your own good." I think you'll work your way down to serious IB users and predict that you'll have a level if IB that doesn't allow transfer of funds and therefore doesn't require such authentication. This may be a way to take customers up to a higher level. You'll have to decide where, or if, IB can be profitable as well.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 10/18/05 02:29 PM
I'm a bit surprised that there has not been more reaction to this since it likely will result in some of us having to pull a valued service from our customers (for their own good). Even if we can find a cost effective way to provide a secondary authentication factor for internet banking, I'm not sure I can see a way to provide the same for the telephone banking product (It will be included in your risk assessment, won't it?).
What we have is here is regulation imposed without hearings, comment or other public input. We are not only told to do a risk assessment but told what the result must be.
More broadly the whole concept of "regulation by guidance" seems to be getting out of hand. A review of FDIC FIL's, indicates that in the year 2000 there was one such guidance. In 2001 - 3; 2002 - 2; 2003 - 5; 2004 - 12; and YTD 2005 - 15. These guidances focus on methodology rather than results. For example, it is not enough to have an adequate loan loss reserve, you must follow a specific methodolgy to determine its adequacy.
Oops, I seem to be slipping into a rant. The point is that maybe we should be concerned about a trend that is unfavorable to us and our customers; and begin raising the issue with our associations and advocates.
Posted By: mtcrossranch
Re: FIL-103-2005 Authentication in an Internet Banking - 10/18/05 05:35 PM
What is the general opinion out there about what is "high risk." Because BillPay is payment to a third party, it is definately higher risk than just looking at balances, transfering between accounts and viewing images. But, is it high risk enough to warrant a secondary authentication requirement? What will the OCC say about this one?
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 10/18/05 08:00 PM
Just an observation or two:
Requiring (certain types of) two-factor authentication would almost entirely eliminate "fake online banking websites" from the identify theft arena (once users understand they should be required to have the fob/code/etc.).
I believe they (regulators) have really already done a "risk assesment" for the entire industry and decided the risk of using transactional websites is too great without the two-factor authentication. Without the "big picture" from all the reports they get, we'll never know the how much fraud and identity theft is actually occuring.
Posted By: Czargazer
Re: FIL-103-2005 Authentication in an Internet Banking - 10/18/05 09:57 PM
Quote:
Requiring (certain types of) two-factor authentication would almost entirely eliminate "fake online banking websites" from the identify theft arena (once users understand they should be required to have the fob/code/etc.).
Emphasis on the "certain types". There was recently a case of a phishing scam in which the perpetrators were aware of the second authorization factor (a scratch-off card with codes), and included it in their fake web-site enabling them to acquire codes to use in conjunction with the passwords they gleaned. Article
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 10/18/05 11:42 PM
A client with multiple banking relationships would carry multiple authentication devices, be they tokens, scratch cards, etc. So (rhetorically) do you think that there would be confusion about which device belongs to which bank, account, etc? If the devices are then labeled, does it not compromise the security? Will their not be client backlash as a result?
No solutions, just problematic questions.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 10/19/05 05:07 AM
I heard someone in law enforcement give an opinion on the best way to stop crime on the Internet: Stop using the Internet.
Now for my opinion: There is no way to stop Internet fraud (short of stopping Internet use). Dual factor authentication will be significantly more effective than single factor authentication. It will not prevent certain customers from compromising their own security, falling for fraud schemes, etc., but it will reduce it significantly. Dual factor authentication is going to happen for all transactions. It is happening. The agencies are going to force the banks to implement it and educate the population. The decision to be made is to get on board now or try to delay it until later. Identity theft is a huge problem and it's getting bigger every day. Organized crime in the US and abroad are getting into the act. As stated above, the regulators are in a better position to see the "big picture."
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 10/19/05 04:10 PM
If you look at the statistics on identity theft from the FTC, the vast majority of information that is compromised is still from a paper document either stolen out of a mail box, from dumpster diving or company employees with access to sensitive customer information. Once the thieves have this information, they turn around and use it on the internet for fraudulent activity because of the anonymity of the internet. The stolen information is very seldom actually stolen from an electronic source to begin with, but the media and others confuse consumers by focusing on how the information was used electronically and not the fact that the information was gained from a paper document to start with.
So, why don't the regulating agencies make me have a smart card or token for the mailbox or trash can that sits outside my house that anyone driving by has access to?
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 10/20/05 05:20 PM
The REAL problem is that consumers willingly (and unknowingly) provide theives with the information that they need. What's to say that a thief (using a phishing site) doesn't setup fake "dual authentication" input fields or creates the email and just says , "make sure you put in your token"? The phisher will still get debit or credit info which is the #1 problem.
Posted By: Andy_Z
Re: FIL-103-2005 Authentication in an Internet Banking - 10/21/05 05:41 PM
It isn't "sexy" news so it has hit the press, but with little fanfare.
El Paso YahooIf you want activity, tell your customers the price is now $5.95 a month for scratch-offs mailed to them or $7.95 for a fancy key fob.
Posted By: Still Developing
Re: FIL-103-2005 Authentication in an Internet Banking - 10/26/05 09:56 PM
What is the general opinion out there about what is "high risk."
mtcrossranch,
Our FDIC examiners have told us on more than one occasion if you have an internet site for the bank that allows customers access to their information - these accounts and method of access is automatically considered high risk.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 11/02/05 09:52 PM
The whole area of two factor authentication is not deeply understood from a total risk perspective. fob tokens are deemed to prevent being attacked by a fraudsters when using internet banking. However, the truth of the matter is that traditional solutions are deemed obselete when it comes to preventing emerging threats such as DNS poisoning and Man in the Middle attacks. These piggyback off an authenticated session. ValidSoft have a solution that have got Gartner really excited because it achieves mutual authentication (ie. host to user, user to host), it has the flexibility to apply 2FA to certain 'high risk' transactions and it can combat Man in the Middle. When a users session is compromised having been under the impression that their fob token has protected them, there's going to be a lot of unhappy customers of Banks and their confidence will diminish out of sight.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 11/03/05 01:36 AM
I also am surprised that there has been so little reaction to this guidance. Most compliance officers I've polled are not concerned. As I read the guidance, any transaction involving NPPI or movement of funds requires two factor authentication. If that is so, kiss internet account origination channels goodbye. Call me Chicken Little, and please tell me I'm wrong on this...
Posted By: Andy_Z
Re: FIL-103-2005 Authentication in an Internet Banking - 11/03/05 04:45 PM
A) I don't think it has sunk in yet.
B) Some may still be studying it and trying to determine is it IT, security, compliance, all of the above.
C) Too many things to worry about today, mush less tomorrow, and,
D) Vendors will come out of the woodwork to sell these systems.
Nothing will stop it all, but the more layers of protection we have, the more secure we can be. Using the right layers, the right way is what is important.
This brings back some reasons many laws addressing e-commerce do not have specific requirements on technology practices. The older systems where a customer has to dial up their "internet banking" application, which is not housed on the web as we know it, can be safer. The customer may have a special banking program on their PC. It works with the bank. Browsers do not. And the bank can accept the connection from only certain phone numbers, as examples. These can be better security than what is offered today. Obviously they have less appeal to the average user as they are less convenient. Such is the evolutionary process.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 11/04/05 07:02 PM
Just learned this morning that management conducted a risk "assessment" and has determined that there is "no-to-low risk" in our transactional online accounts! So they want to make the dual authentication optional at the customer's request and sell a solution only to interested customers.
I'm heading for the closet now looking for my 20 lb sledge hammer to pay a visit to the IT manager. Where is it written in my job description I have to save management from themselves?
Posted By: Princess Leia
Re: FIL-103-2005 Authentication in an Internet Ban - 11/06/05 06:20 PM
Quote:
Our FDIC examiners have told us on more than one occasion if you have an internet site for the bank that allows customers access to their information - these accounts and method of access is automatically considered high risk.
That's exactly what we were told also. Doesn't matter if the customer can do anything other than view their account information. The mere fact that there is customer information makes it high risk.
It's definitely receiving more and more publicitity. Here's an article from last week's USA Today about it and what BofA is doing.
I hope other non-bank type of financial institutions follow suit soon. Schwab makes you put in your SSN to access your account!
Posted By: Andy_Z
Re: FIL-103-2005 Authentication in an Internet Ban - 11/08/05 02:38 AM
Everyone will be on board soon, like it or not. I wonder if some banks will eliminate internet banking? While it wouldn't be competitive, I can see it happening in Smallville USA.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 11/09/05 10:16 AM
This comment it so true. I have seen solutions that use the mobile phone as the device for token delivery via speech (not SMS), such as VALid from ValidSoft. The solution is practically unbreakable and achieves mutual authentication for the user simply from the architectural design and implementation method. Customers don't have to carry multiple devices, just the single device they never leave the house without ... the mobile phone. There's no software required to be installed so there is zero footprint required.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 11/09/05 11:07 AM
A zero footprint, shareable device will be essential for wide scale deployments. Fobs were designed for enterprise access, not Internet banking protection and certainly not for mass retail deployment. As it is already known they cannot protect against even simple phishing scams (e.g. link to fake web site that collects username, password and OTP), what happens when a customer (who's had to pay the bank for the privilege) finds they've been ripped off despite using their fob in accordance with instructions???
Posted By: JacF
Re: FIL-103-2005 Authentication in an Internet Ban - 11/09/05 03:05 PM
Quote:
Everyone will be on board soon, like it or not. I wonder if some banks will eliminate internet banking? While it wouldn't be competitive, I can see it happening in Smallville USA.
Greetings from Smallville! As we tend to use vendor provided systems, I would think that the Smallville contingent will not have trouble finding a solution, it would be suicide for online banking platform providers to not offer something. That said, the downside is that Smallville will undoubtedly have fewer choices, as compatability will be out of the banks' control, so we will pretty much have to go with the options offered by the vendor.
Posted By: Czargazer
Re: FIL-103-2005 Authentication in an Internet Banking - 11/09/05 05:02 PM
Quote:
Customers don't have to carry multiple devices, just the single device they never leave the house without ... the mobile phone.
And what would be offered to those who do not use a cell phone? An alternative, or a waiver indicating that any breaches are the customer's fault for not having a cell phone to enhance security? It may be a good option to those it's available to, but believe it or not there is still a good number of people who don't own cell phones.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 11/10/05 10:05 PM
I just recently attended a seminar that discussed this topic. According to the speaker, this particular guidance indicates that only when the financial institution conducts its risk assessment on e-banking activities and it is determined that single factor authentication is not sufficient, then implement multi-factor authentication, layered security, and other controls.
I read this guidance a couple of times prior to the seminar, then re-read it again afterwards. It mentions the above statement several times throughout the document and it does appear that as long as you can determine through your risk assessment methodology that single factor authentication is sufficient, then that should be acceptable.
However, based on this line of thinking, we may think one thing is sufficient and the regulators may not see it the same way.
Of course, it is always better to be pro-active in these instances.
Posted By: 1 Peter 5:7
Re: FIL-103-2005 Authentication in an Internet Banking - 11/10/05 10:20 PM
Quote:
as long as you can determine through your risk assessment methodology that single factor authentication is sufficient, then that should be acceptable.
I believe the Guidance also says that the capability of your customer to conduct transactions on your site almost dictates dual authentication. Don't treat the risk assessment exercise too lightly.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Ban - 11/16/05 05:16 AM
"it does appear that as long as you can determine through your risk assessment methodology that single factor authentication is sufficient, then that should be acceptable."
I don't think this is correct. The Guidance clearly says that it considers single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
Posted By: complygirl
Re: FIL-103-2005 Authentication in an Internet Ban - 11/16/05 04:59 PM
So will there be additional guidance regarding the internet banking risk assessment? Has anyone already completed their risk assessment, if so what did it amount to? Thanks.
Posted By: 1 Peter 5:7
Re: FIL-103-2005 Authentication in an Internet Ban - 11/16/05 05:50 PM
As I read the Guidance regarding the risk assessment, if you have a transactional website, that is "high risk" and high risk means two-factor authentication.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Ban - 11/16/05 09:54 PM
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Ban - 11/18/05 04:04 PM
Information Technology's Sizemore said that tokens will cost banks at least $10 to $15 apiece. Some estimates peg the cost of purchasing a token at $50 each.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 11/18/05 08:01 PM
Our bank is taking a different route entirely, due to reports that will be made available by our website host provider. Customer bill pay and transfer transactions will be monitored and any outside the norm will generate a real-time high-risk report that we will have to review, and possibly contact the customer. We can also e-mail a randomly-generated one-time pin or have additional security (additional security questions) at bill pay/transfer login.
We don't allow wires or ACH originations from our website, and require business customers to enroll in person to limit risk. So hopefully this will be sufficient; we live in an area at low risk for terrorist activity and money laundering.
Posted By: Anonymous
Re: FIL-103-2005 Authentication in an Internet Banking - 11/19/05 03:33 PM
I don't beleive being in an area considered low risk for terrorist activity and money laundering would negate the requirement of using dual authentification methods for online banking per the FIL. Your risk level has already been identified by the regulatory agencies and if you don't use dual authentifaction methods you are not complying.
Posted By: Click Here
Re: FIL-103-2005 Authentication in an Internet Banking - 11/26/05 10:04 PM
Has anyone thought about using electronic software tokens? They are much less expensive and can be delivered using a secure email system. And, if you feel portability is necessary to allow access to on-line banking from different computers, the end-user can store the token on a USB drive that can be further secured through encryption and/or password protection.
I currently use this method to remotely access our corporate intranet and it is easy to distribute, install and execute. And, I use an encryption tool that was downloaded for free to securely store the token and other confidential files on my laptop when I'm traveling or it's not in my presence. (Just in case)
Is it obvious?..after I made the transition from an extended career in the banking industry to information security consulting, I am becoming paranoid!
But trust me, it's not without good reason..
My personal home system is now protected by Anti-virus, Anti-spam, Anti-spyware and a firewall (with very few open ports
). I also store some files in encrypted folders and when at all feasible, I have very few microsoft products installed. I don't however, use IE!
I have also wondered how my own bank would react if I were to ask if they have an effective patch management program, periodic vulnerability scans and pen tests. But, I'm relatively certain that once their dazed and confused look subsides, my account would be flagged and I would forever be cast under a cloud of suspicion. If my account were not immediately closed that is!
Posted By: Andy_Z
Re: FIL-103-2005 Authentication in an Internet Banking - 11/27/05 08:58 PM
The tokens are not a viable means to prevent phishing, according to the bulletin. But I am not very familiar with this via email. How does it work and what are the strengths and weaknesses?
Posted By: Click Here
Re: FIL-103-2005 Authentication in an Internet Banking - 11/28/05 05:39 AM
Andy -
Obviously the biggest benefit of Soft vs. Hard tokens will be the cost and deployment. But, other than that, in my opinion it will depend on the product itself because there are so many variables. Several vendors are now providing soft tokens and the dynamics differ. However, based on the small amount of research I have done to date, most are based on the same challenge/response authentication method as hard tokens but they can be directly installed on your PC or laptop. Here is a very general summary that I found:
Quote:
Soft tokens are software-based token generating devices. The software token is installed on PCs, laptops, and hand-held computers. Once the PIN is activated, the token creates and sends the users's one-time password. The system's memory stores the secrets and the system's CPU is used to generate the password. Although there is some risk associated with storing the secrets on the system's memory, this risk is reduced by having the secrets encrypted. Also, because the token is installed on the system, anyone with physical access to the system can use it to authenticate, but they must know or guess the PIN to use it.
I'm not sure why this method would not be as effective as hard tokens to prevent phishing, as you can see, even if a user were to unknowingly give up passwords and/or PINs, the soft token has to be executed each time the user requests access to the protected site. And IMO, unlike a smartcard or key fob, when installed on a desktop, it is not likely that you will misplace the device. Your risk of this obviously does increase when stored on a USB drive and possibly a laptop.
The installation file can be received via email, and just as I have done, it can be further secured by storing it in an encrypted file. I'm not sure how feasible or easy to communicate to all end-users/customers this would be. I personally use True Crypt and it was not that difficult to install or to use.
Google "Software or Soft Tokens" and review the various vendor products.
Posted By: mtcrossranch
Re: FIL-103-2005 Authentication in an Internet Banking - 11/28/05 07:52 PM
So, is the conclusion that tokens are not effective and we should be looking into "mutual authentication?"
Posted By: 02bonne
Re: FIL-103-2005 Authentication in an Internet Banking - 11/28/05 10:21 PM
Superior mortgage got sued by the FTC for not encrypting emails. Although they claimed they were securing transmissions to their customers. I don't remember how much they got sued for though.
Posted By: btfitz0
Re: FIL-103-2005 Authentication in an Internet Ban - 01/06/06 08:19 PM
How can a hard token not be a viable means of security? For instance the RSA token changes its PIN every 60 seconds or so. So even if I did give it and my password and username to someone they would have to use it in 60 seconds or less. This seems highly unlikenly and very unreasonable to assume. If for some reason I lost my token it is my responisbilty to notify the bank, if someone was to find it and my username and password, how can I the customer have anyone to blame but myself?
Posted By: VT Banker
Re: FIL-103-2005 Authentication in an Internet Banking - 01/13/06 07:05 PM
Attended a NYCE webinar and a rep from FDIC said that this is NOT optional and will need to be in place by the end of 2006. Saw a demo of Bof A and that is the ideal solution. We're not sure our core bank processor is going to offer something along these lines. We know our customers will balk at a token and know the calls about lost tokens, etc would be a call center nightmare. Hopefully, the ideal solution will arrive- yes, I am a pollyanna.
Does anyone recall hearing that the risk assessment must be complete by March 31 (then with implementation by December 31)? Some of our group recalls this but none of us can find it in any documentation. Thanks!
Posted By: Andy_Z
Re: FIL-103-2005 Authentication in an Internet Banking - 03/04/06 09:31 PM
Implementation has a deadline, but not the testing. That may have been a recommendation so that you have time to review and implement what is needed.
Posted By: gsunshine
Re: FIL-103-2005 Authentication in an Internet Banking - 03/19/06 09:02 PM
Hi Andy,
I'm not sure what you mean by "testing"? Is there a working theory that a bank can have a multi-factor authentication solution in place in 2006 but does not need to have it tested and rolled out to all of it's customers until some time in 2007?
Posted By: Andy_Z
Re: FIL-103-2005 Authentication in an Internet Banking - 03/21/06 02:33 PM
By "test" I am referring to your risk assessments as you test/review your systems. And no, you don't really have into 2007. Examiners expect this to be done in 2006. They'll look at problems on a case by case basis but we have no idea how forgiving they'll be.
Posted By: inbtfa
Re: FIL-103-2005 Authentication in an Internet Ban - 06/08/06 05:13 PM
This is all so confusing. There are varied views on what is high risk. Is transfer of money to pre authorised accounts in other country a High Risk.
Posted By: inbtfa
Re: FIL-103-2005 Authentication in an Internet Banking - 06/08/06 05:19 PM
Instead a better option we are thinking of is to send a one time password to the e-mail ID of the customer. This OTP should be valid for that particular transaction only & will expire in say 3 minutes. Everybody who is accessing Internet Banking would be able to view his / her e-mail account.
Is this solution acceptable to FDIC/FFIEC?
Posted By: Andy_Z
Re: FIL-103-2005 Authentication in an Internet Ban - 06/08/06 09:17 PM
I have had email server issues that slowed my email up more than that. And if you had a customer at an Internet cafe, would they be inhibited? (This situation may be far fetched, or it may not be.)
Posted By: inbtfa
Re: FIL-103-2005 Authentication in an Internet Ban - 06/09/06 04:30 PM
Is Internet Cafe a safe place to do online transactions ?
Posted By: inbtfa
Re: FIL-103-2005 Authentication in an Internet Ban - 06/09/06 04:35 PM
Such instances may be very rare? However is it not better than opting for costly tokens which also generate OTPs at regular intervals. Besides it definitively seems better option than the solutions which work on IP address recognition? What do others think?
Posted By: deppfan
Re: FIL-103-2005 Authentication in an Internet Banking - 06/09/06 05:04 PM
Quote:
Instead a better option we are thinking of is to send a one time password to the e-mail ID of the customer. This OTP should be valid for that particular transaction only & will expire in say 3 minutes. Everybody who is accessing Internet Banking would be able to view his / her e-mail account.
Is this solution acceptable to FDIC/FFIEC?
Hmmm. Interesting. I'm not sure if that would qualify as something you "know" or something you "have". I think I could argue that both ways.
Posted By: MikeJ
Re: FIL-103-2005 Authentication in an Internet Banking - 06/09/06 06:39 PM
I don't know if you guys are aware of this company (and I have no comment or view on the actual product) but they have some pretty good information on this subject at
http://www.phishcops.com
Posted By: Kahola
Re: FIL-103-2005 Authentication in an Internet Banking - 06/16/06 09:28 PM
Does this apply to telephone banking? Our customers can call our 24 hour banking line to access their account balances and perform inter bank transfers?
Posted By: Oursisnottoreasonwhy
Re: FIL-103-2005 Authentication in an Internet Banking - 06/19/06 02:48 PM
It is my understanding per the Chicago FDIC Regional Office that it does encompass telephone banking products.
Posted By: Neytiri
Re: FIL-103-2005 Authentication in an Internet Banking - 06/20/06 07:33 PM
The OCC wants all non-Internet e-banking products included. For us this is only telephone banking, which is balance inquiry only. From what I have read, internal transfers are not high risk transactions whether by IB or automated phone transfer.
Posted By: Sentient
Re: FIL-103-2005 Authentication in an Internet Banking - 06/20/06 07:38 PM
Does anyone have a link to documentation that states Telephone banking should be included or excluded? I've heard verbal comments for either, but have yet to see any concrete documentation.
Posted By: vaforlovers
Re: FIL-103-2005 Authentication in an Internet Banking - 06/27/06 02:32 PM
What is everyone doing for the customer awareness program?
How are you going about educating the customers?
Posted By: RebekahL CRCM
Re: FIL-103-2005 Authentication in an Internet Banking - 06/28/06 09:32 PM
What about e-statements?
Currently, our customer uses a password to open an e-statement we've e-mailed to them. Would this be considered an "Internet-based product or service" subject to the multi-factor authentication requirements?
Obviously, no transactions are being initiated, but a sizeable amount of customer information resides in the statement info and imaged checks.
Posted By: inbtfa
Re: FIL-103-2005 Authentication in an Internet Banking - 08/30/06 04:56 PM
Is account number considered sensitive customer information
Posted By: Neytiri
Re: FIL-103-2005 Authentication in an Internet Banking - 08/30/06 07:13 PM
One quick place to look is in the 8/15/2006 FAQ FFIEC Guidance on Authentication in an Internet Banking Environment. Q-2 states that it applies to all forms of e-banking, including telephone banking systems.