Last week, the FDIC released an FAQ (link: http://www.ffiec.gov/press/pr081506.htm) on authentication guidance for the new regulations that came out last fall. On the whole there are only a few surprises for anybody who's been paying close attention to this issue, but it's still helpful to have these issues clarified. The one thing this FAQ made clear is that the overall trend has been to extend the reach of this guidance rather than narrow it.
For example, it tackles the question of whether the guidance applies to telephone banking systems. Yes. Any cursory reading of last fall's guidance would NOT have led you to believe that tele-banking would be included. But it is. And how about call centers: are they included? Surprisingly, yes! This whole authentication issue got started with last October's guidance, and at that point it seemed to be primarily about Internet banking. Now even call centers are included. So there has been scope creep.
Overall that is not a bad thing from a security perspective, but we anticipate that, for these scope-creep categories, most financial institutions will NOT have much more than a plan and a risk analysis in place by the end of 2006, if even that much. Yet the agencies continue to beat the drum of complete compliance by year-end 2006, and with the ever-expanding scope.
We notice in the FAQ one particular question that has been vexing most readers of last year's guidance: does the guidance explicitly require the use of multi-factor authentication? The answer is no. The best way to think about the guidance is that it is about strengthening your authentication controls around the high-risk transactions identified in the guidance. Simple use of a username and password is never sufficient for "high risk" transactions. You must implement stronger authentication. And do a risk analysis, of course.
The overall tone of the FAQ is, "Yes, we mean it." Yes, you have to have the authentication countermeasures in place by year-end, and yes, you have to have done your risk analysis around authentication by year-end. And we know this is NOT the end of this issue, because ultimately authentication is not a silver bullet for combating identity theft, phishing, pharming, etc.
We are all in a long war that will be fought on many fronts. There will be new technologies and new regulations, and we are a long way from being able to bring the risk of identity theft down to an acceptable level. The best way to think about this issue is that the agencies can force you to fight this battle, but you are going to have to figure out how to win it on your own.