The federal agency that regulates banks today issued new rules for online security for financial institutions, instructing them to use minimal types of "layered security" and fraud monitoring to better protect against cybercrime.
It's the first time the Federal Financial Institutions Examination Council (FFIEC) has updated its rules since 2005, and the instructions to regulated financial services today focus on protecting high-dollar Automated Clearinghouse (ACH) transactions that have been targeted by sophisticated cybercrime groups that hijack business PCs in order to initiate fraudulent transactions.
MORE ON SECURITY: Smartphones and tablets create huge corporate security challenge
"The agency recommends that institutions offer multi-factor authentication to their business customers," the FFIEC guidance of today states.
The FFIEC also instructs banks and financial institutions to focus their network defense on layered security protections that involve fraud monitoring; use of dual customer authorization through different access devices; the use of out-of-band verification; and the use of "positive pay," debit blocks and other technologies to appropriately limit the transactional use of the account.
The FFIEC guidelines also tell financial institutions they must use "two elements at a minimum" as "process designed to detect anomalies and effectively respond to suspicious and anomalous activity." The fraud-detection processes must include:
- initial login and authentication to customers requesting access to the institution's electronic banking system, and
- initiation of electronic transactions involving the transfer of funds to other parties.
Since 2005 when the FFIEC, on behalf of other federal government agencies with regulatory oversight of banks, issued its initial guidelines, banks have moved to deploy some different types of two-factor authentication more broadly.
The new guidance is more specific, and the FFIEC says that's because cybercrime against the banking industry and its customers is worse now.
"Fraudsters have continued to develop and deploy more sophisticated, effective and malicious methods to compromise authentication mechanisms and gain unauthorized access to customer accounts," the FFIEC says.
Read more about wide area network in Network World's Wide Area Network section.