Well, the much-anticipated supplement to the FFIEC authentication guidelines has been released. A copy of it can be found here*.
OK, so what does it mean for all the financial institutions/banks that are guided, directly or indirectly (NCUA etc.), by the FFIEC guidelines? Three main themes are emphasized:
- Password technology is obsolete
- Not enough to authenticate the online user at login; the transactions themselves need to be authenticated/authorized to reduce the risk of online fraud
- Layered approach to risk assessment and fraud prevention
Taking a closer look at the above three:
Passwords: Absolutely broken technology. With so many years in deployment, many of us have developed such a deep affinity for password fields (in web/browser forms) that without them we don’t have a sense of “feeling secure”.
Today, authentication without passwords seems “unthinkable”. However, it is possible to do away with passwords completely and at the same time gain orders of magnitude more security, without the inconvenience of carrying any gadgets or downloading any crazy software onto your devices.
Beyond-login authentication: Essentially, this means that someone in the middle (between the online user and the bank; call him/her the (wo)man-in-the-middle) cannot simply hijack your “already logged-in session” with the bank and carry out online fraud.
By authenticating transactions, especially those involving money transfers, financial institutions make sure that a) the legitimate user is indeed initiating and authenticating the transaction, and b) the user is aware of the transaction (what is being sent, and where) before approving it.
And by the way, it is really foolish to ask for the same password or “the pet’s name” repeatedly as the transaction check: once captured through phishing or spyware/malware, a static secret can simply be replayed by the attacker.
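As an added illustration (this is not code from the original post, nor any vendor’s product) of what transaction authentication buys over a re-typed password, here is a Python sketch. It assumes a symmetric key shared between the user’s side and the bank at enrolment, a fresh random challenge per transaction, and an 8-hex-character approval code format; the account numbers, amounts and pet’s name are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo identity and key. In a real deployment the key is
# provisioned to the user's side at enrolment and is never typed by the user.
DEMO_USER = "alice"
DEMO_KEY = secrets.token_bytes(32)


def canonical(tx: dict) -> bytes:
    """Serialize a transaction deterministically so user and bank hash identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def approval_code(key: bytes, challenge: bytes, tx: dict) -> str:
    """User side: a code bound to a one-time challenge AND the exact transaction shown to the user."""
    mac = hmac.new(key, challenge + canonical(tx), hashlib.sha256).digest()
    return mac[:4].hex()  # 8 hex characters, short enough to type (assumed format)


class Bank:
    """Bank side: issues a fresh challenge per transaction and verifies the bound code."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.pending: dict[bytes, tuple[str, dict]] = {}  # challenge -> (user, tx as received)

    def enroll(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def propose(self, user: str, tx: dict) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = (user, tx)
        return challenge

    def approve(self, challenge: bytes, code: str) -> bool:
        # One-time: the challenge is consumed whether or not the code verifies.
        entry = self.pending.pop(challenge, None)
        if entry is None:
            return False
        user, tx = entry
        expected = approval_code(self.keys[user], challenge, tx)
        return hmac.compare_digest(expected, code)


def legitimate_transfer() -> bool:
    """Normal case: user approves exactly the transaction the bank received."""
    bank = Bank()
    bank.enroll(DEMO_USER, DEMO_KEY)
    tx = {"from": "ACC-1001", "to": "ACC-2002", "amount": "250.00"}
    challenge = bank.propose(DEMO_USER, tx)
    return bank.approve(challenge, approval_code(DEMO_KEY, challenge, tx))


def hijacked_session_transfer() -> bool:
    """Someone inside the logged-in session rewrites the destination before it reaches the bank."""
    bank = Bank()
    bank.enroll(DEMO_USER, DEMO_KEY)
    intended = {"from": "ACC-1001", "to": "ACC-2002", "amount": "250.00"}
    tampered = dict(intended, to="ACC-MULE")
    challenge = bank.propose(DEMO_USER, tampered)        # bank records the tampered version
    code = approval_code(DEMO_KEY, challenge, intended)  # user approves what they actually saw
    return bank.approve(challenge, code)                 # codes differ, so the transfer is rejected


def replayed_code_transfer() -> bool:
    """A captured valid code is replayed: against the same challenge, and against a new one."""
    bank = Bank()
    bank.enroll(DEMO_USER, DEMO_KEY)
    tx = {"from": "ACC-1001", "to": "ACC-2002", "amount": "250.00"}
    challenge = bank.propose(DEMO_USER, tx)
    code = approval_code(DEMO_KEY, challenge, tx)
    first_use = bank.approve(challenge, code)            # genuine use succeeds
    same_challenge_again = bank.approve(challenge, code)  # challenge already consumed
    new_challenge = bank.propose(DEMO_USER, tx)
    old_code_new_challenge = bank.approve(new_challenge, code)
    return first_use and (same_challenge_again or old_code_new_challenge)


def static_secret_replay() -> bool:
    """Contrast: a re-typed password or pet's name is a fixed string, so one capture replays forever."""
    stored = "fluffy"   # the pet's name on file (constructed)
    captured = stored   # phished or keylogged once
    return hmac.compare_digest(stored, captured)  # accepted on every attempt
```

`hijacked_session_transfer()` and `replayed_code_transfer()` both return False because the code is bound to the challenge and to the transaction bytes the bank will execute, while `static_secret_replay()` returns True: a static secret has no binding to either, which is the point of the paragraph above.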
Layered approach to risk: With the recent breach at RSA and the compromise of its token technology, it is now clear that the security approach has to be proactive, with several layers in place as checkpoints so that any breach can be reasonably detected or delayed.
What does all this mean for CIOs/CTOs/IT-Admins?
They need to be proactive in adopting and testing new technologies based on sound principles. See our “Making a case for zero-footprint solution for online authentication” post in this blog.
For the end-users: We will soon be looking at alternatives to passwords. Yes, “Be Safe With No Passwords”.
* The copy is provided for convenience only; copyright belongs to the originating institution/authors.