ThreatMetrix on FFIEC New Authentication Guidance: Banks Must Move Quickly to Adopt Smart Device Identification Technologies
Posted March 24, 2011
In Response to the Recently Released Draft of the FFIEC’s New Online Authentication Guidance, ThreatMetrix Outlines the Case for Smarter Device Identification Technologies
Los Altos, CA – March 24, 2011 – ThreatMetrix™, the fastest-growing provider of cloud-based fraud prevention solutions that do not require personally identifiable information (PII), has outlined its positioning on why banks will need to adopt smart device identification technologies to meet the new guidelines outlined by the Federal Financial Institutions Examination Council (FFIEC). The FFIEC authentication guidance was recently initiated to meet today’s growing online security challenges.
In 2001 the FFIEC’s “Authentication in an Internet Banking Environment” ushered in a new era of online banking security protections, and with it a wave of technology upgrades and company acquisitions as banks and their vendors scrambled to meet compliance. As a result, basic forms of device identification technologies were implemented to meet multi-factor and risk-based customer authentication requirements.
“Today, while cybercriminals, Trojans, and botnets have radically evolved, many online bank accounts are still only protected by little more than a cookie and a simple hash of browser and IP attributes,” said Reed Taussig, president and CEO, ThreatMetrix. “Banks need smarter device identification to meet new FFIEC requirements for more rigorous forms of customer and transaction authentication.”
What can a bank do to minimize risks during customer and transaction authentication?
The first step towards reducing unnecessary risks and fraudulent activity is to understand the critical limitations of existing simple device identification methods. Some of the glaring weaknesses include:
• The reliance of existing technologies on cookies or cookie equivalents.
o Cookies and Flash cookies are easy to delete and compromise, and the private browsing modes included in most popular browsers make it easier for fraudsters to hide.
• The reliance on very limited data to fingerprint a customer’s device.
o Simple device fingerprinting technologies only gather information about the browser and clock, which is easy to spoof and subvert, and ignore important security information.
• The reliance on overly simplistic analysis.
o Simple hashing techniques miss fraud and cause false positives, and simple IP proxy lists are ineffective for detecting man-in-the-middle (MITM) attacks.
• The lack of real-time device identification.
o Simple device identification does not provide support for compromised device detection at the time of transaction.
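To illustrate why an exact hash of browser and IP attributes both misses returning customers and can be spoofed, here is an added, constructed Python example (not ThreatMetrix's code or any product's algorithm) that compares that approach with a weighted attribute comparison; the field names, sample values, weights and threshold are all hypothetical.

```python
import hashlib

# Constructed device-attribute records, in the shape a simple fingerprinting
# system might collect. Field names are hypothetical, not a vendor format.
ENROLLED = {"ua": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", "ip": "198.51.100.10",
            "tz": "-300", "lang": "en-US", "screen": "1280x800"}
# Same customer next day: the home ISP rotated the IP, nothing else changed.
RETURNING = dict(ENROLLED, ip="198.51.100.77")
# A different device that merely copied the victim's user-agent string.
IMPOSTER = {"ua": ENROLLED["ua"], "ip": "203.0.113.5",
            "tz": "+180", "lang": "ru-RU", "screen": "1920x1080"}

# Hypothetical weights: attributes that rarely change for one device count more.
WEIGHTS = {"ua": 2, "ip": 1, "tz": 2, "lang": 1, "screen": 2}


def simple_hash_id(attrs):
    """The 'simple hash of browser and IP attributes' approach: any single
    change, including a routine IP rotation, produces an entirely new ID."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


def simple_hash_match(enrolled, seen):
    """Exact-hash decision: match only when every attribute is identical."""
    return simple_hash_id(enrolled) == simple_hash_id(seen)


def weighted_similarity(enrolled, seen):
    """Score in [0, 1]: fraction of total attribute weight that agrees."""
    total = sum(WEIGHTS.values())
    agree = sum(w for k, w in WEIGHTS.items() if enrolled.get(k) == seen.get(k))
    return agree / total


def weighted_match(enrolled, seen, threshold=0.75):
    """Tolerates a low-weight change (IP rotation) but rejects a device that
    only matches on one copied attribute; threshold is a hypothetical value."""
    return weighted_similarity(enrolled, seen) >= threshold


if __name__ == "__main__":
    for label, seen in (("returning", RETURNING), ("imposter", IMPOSTER)):
        print(label, "hash:", simple_hash_match(ENROLLED, seen),
              "weighted:", weighted_match(ENROLLED, seen),
              f"score={weighted_similarity(ENROLLED, seen):.3f}")
```

The exact hash rejects the legitimate returning device (a false positive that forces step-up or a support call) while the weighted comparison accepts it and still rejects the device that spoofed only the user-agent.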
The next step is to realize that smart device identification can now detect very sophisticated fraudulent activity through:
• Cookieless device identification
• MITM detection technologies
• Compromised device and script detection
• Global device recognition and behavior tracking
• Context-aware, risk-based assessment across customer and transaction authentication processes
Given the significant benefits associated with the evolution of device identification, ThreatMetrix recommends that banks and financial institutions move quickly to adopt smart device identification technologies.
Upgrade current customer device identification
While customer device identification remains the most cost-effective first perimeter of defense for customer and transaction authentication, banks need to adopt smart device identification technologies in light of widespread identity and password theft, botnets and Trojans, and the proliferation of the number and types of devices connected to the Internet. New device identification solutions provide these benefits while allowing banks to safeguard customer privacy, trust and convenience.
For more information, download the full ThreatMetrix whitepaper: “Is Your Device ID Ready for the FFIEC? Smart Device Identification for Online Banking.”
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches. Key benefits include an improved customer experience, reduced friction, revenue gain and lower fraud and operational costs. The ThreatMetrix solution is deployed across a variety of industries, including financial services, e-commerce, payments and lending, media, government and insurance.