FFIEC Authentication Guidance Requires Smarter Device Identification for Banking Compliance
Posted July 6, 2011
Long-Awaited Supplement Cites the Need for Complex Device Identification and a Layered Security Approach for Banking Compliance to Combat Fraud
LOS ALTOS, CA – July 7, 2011 – ThreatMetrix™, the fastest growing provider of cloud-based fraud prevention solutions that do not require personally identifiable information (PII), today endorsed requirements for smarter device identification and a layered security approach for banking compliance in the new authentication guidelines recently issued by the Federal Financial Institutions Examination Council (FFIEC).
The new guidelines, which will take effect January 2012, serve as a supplement to the FFIEC’s “Authentication in an Internet Banking Environment,” which was first issued in October 2005. At that time, first-generation device identification technologies were implemented to meet new multi-factor and risk-based customer authentication requirements. That choice was based on the relative cost advantages and consumer convenience of using browser cookies and attributes as an additional authentication factor.
Six years later, cybercriminals, Trojans, botnets, and foreign government-sponsored fraud and espionage have evolved to such a degree that they can now decommission nuclear reactors, take governments and militaries offline, and steal billions in online consumer transactions. Meanwhile, many online bank accounts are still protected by little more than a password and perhaps a cookie or IP address filter.
Topics Addressed in the New FFIEC Guidelines
The FFIEC authentication guidance specifically takes aim at banks that have cut corners and not kept up with the latest cookieless device identification technologies. Such technologies overcome the weaknesses associated with deleting or copying cookies or the use of compromised computers to spoof IP addresses and steal passwords.
The FFIEC guidance says in part, “…Institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique…” It also advises against simple challenge and response questions that rely on personal information, which is easily discovered.
“In anticipation of the new FFIEC guidance, ThreatMetrix has integrated advanced device identification capabilities into our products,” said Reed Taussig, president and CEO, ThreatMetrix. “ThreatMetrix customers can rest assured that they will receive a cost-effective and efficient platform that is in compliance with these new FFIEC guidelines in the area of advanced device identification. We wanted to take the guesswork out of determining whether or not our customers meet the new standards with respect to strong device identification. Using new rules available in the ThreatMetrix editor, our customers can now set all the required conditions to satisfy the FFIEC guidance in a matter of minutes with no additional cost or operational overhead.”
The ThreatMetrix™ Cloud-Based Fraud Prevention Platform provides financial institutions with smarter device identification and contextual risk scoring that complies with the specific layered customer authentication security program recommendations made by the FFIEC.
“Complex device identification is a key component of a layered security program, and was ranked among the most effective online fraud prevention technologies in a recent Aite Group survey of card security executives,” said Julie Conroy McNelley, senior analyst, retail banking practice, Aite Group.
Features of the ThreatMetrix Cloud-Based Fraud Prevention Platform
• Complex Device Identification: ThreatMetrix is the recognized gold standard for real-time device identification based on more than 150 browser and packet fingerprint attributes correlated across a global network. Unlike simple device identification techniques that rely on cookies for recognizing previously profiled computers, ThreatMetrix provides a complete analysis of a device’s browser and packet fingerprint during account origination, login and money transfers.
• Advanced Proxy Detection and Piercing: Unlike proxy IP lists that cannot detect hidden proxies and botnets, ThreatMetrix instantly pierces proxies to identify the true location of a fraudster.
• Identification of Compromised Computers: ThreatMetrix provides evidence-based compromised device and bot intelligence in real-time so an organization can make the appropriate decision to block, challenge, or review the attempted transaction.
• Detection of Fraud Rings: ThreatMetrix link analysis and automated behavior detection detect related accounts and transactions that otherwise go undetected.
• Automated and Manual Transaction Monitoring and Anomaly Detection at Both Login and Transaction Authentication: ThreatMetrix provides real-time contextual scoring based on device, customer and transaction attributes and historic analysis across all online transactions through a customer configurable policy engine. Alerts and transactions can be reviewed and analyzed in a powerful, intuitive and secure portal.
• Global Fraud Network Based on Device Transaction Intelligence: ThreatMetrix goes beyond inaccurate IP reputation to provide proactive protection based on collective intelligence of good and bad device interactions across its global network, without requiring extensive manual review.
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches. Key benefits include an improved customer experience, reduced friction, revenue gain and lower fraud and operational costs. The ThreatMetrix solution is deployed across a variety of industries, including financial services, e-commerce, payments and lending, media, government and insurance.