Meeting FFIEC Guidelines in Financial Institutions
WHITE PAPER
Unify Device ID and Malware Protection for Complete Security
Times Have Changed, Ensure You Are Also Adapting
The 2005 Federal Financial Institutions Examination Council’s guidance “Authentication in an
Internet Banking Environment” ushered in a new era of online banking security protections, and
with it a wave of technology upgrades and company acquisitions as banks and their vendors
scrambled to meet compliance. As a result, various device identification technologies were
implemented to meet new multi-factor and risk-based customer authentication requirements.
These technologies were primarily based on the relative cost advantages and consumer
convenience of using browser cookies and attributes as an additional authentication factor.
Six years later, cybercriminals, Trojans, botnets, and foreign government-sponsored espionage
have evolved to such a degree that they can now decommission nuclear reactors, take
governments offline and steal billions in online consumer transactions, while many online bank
accounts are still protected by little more than a password and perhaps a cookie plus a simple
hash of browser and IP attributes.
In addition, session hijacking, man-in-the-middle, cross-site attacks and other malware are making
device ID less effective as a stand-alone threat prevention. Cybercriminals are now able to initiate
fraudulent transactions from a legitimate account owner’s own desktop, laptop or mobile device.
In light of these trends, the FFIEC published a supplement to its 2005 Guidance that reinforces
the earlier Guidance and recommends, among other techniques and technologies, a
“layered security” approach. Banks will need to adopt complex device identification as well as
malware protection to satisfy this layered security recommendation, and to meet today’s challenge
of widespread identity and password theft, botnets, Trojans and the proliferation of the number
and types of devices connected to the Internet, while still safeguarding customer privacy, trust and
convenience.
Federal Financial Institutions Examination Council (FFIEC) Guidelines
Banking and financial institution customers are increasingly using online mechanisms to execute
financial transactions. Retail and business banking customers check their balances, pay bills,
transfer funds and conduct many different transactions over the internet. These customers are
also using an increasing variety of devices that include not only PCs, desktops and laptops but
also smart phones, tablets and a host of mobile computing and communication devices. At the
same time, cybercrime targeting online banking has exploded as fraudsters develop and
deploy ever more sophisticated methods and malware to attack internet banking transactions.
In response to these trends, in October 2005 the Federal Financial Institutions Examination
Council (FFIEC) issued guidance called “Authentication in an Internet Banking Environment”,
also known as the 2005 Guidance or Guidance. This provided a risk management framework
for financial institutions that offered online banking facilities to their customers. These guidelines
recommended financial institutions use effective customer authentication methods, and that
institutions perform periodic risk assessments and deploy control mechanisms in response to
these assessments.
In 2011, the FFIEC released a supplement reinforcing the fundamentals of its 2005 Guidance,
but also updating the Council’s security and fraud prevention expectations. The 2011 Supplement
recognizes that the controls outlined in the earlier Guidance have largely become less effective.
The Supplement therefore calls for a “layered security approach”, “complex device identification”
and “anti-malware software” particularly to protect against “advanced versions of malware [that]
continuously alter their signature”.
Simple Device Identification Is Ineffective
The 2011 FFIEC Supplement to the Guidance specifically calls out simple device identification,
which financial institutions implemented in response to the 2005 Guidance, as a less secure
mechanism. Simple device identification relies on a cookie placed on the customer’s device once
the customer confirms that it is the same device used to log in to an online financial institution using
their username and password. This technique, however, is easily circumvented by users wishing
to stay anonymous, and by criminals intent on committing fraud. Fraudsters are easily able to
intercept cookies, copy them to the fraudster’s device and use cookie-poisoning and cookie-forging
to impersonate the legitimate customer. Further ringing the death knell for cookies are the “private
browsing” modes available in every browser today, and the fact that future versions of major
browsers will have these modes turned on by default.
Simple device identification also relies on tracking the location of the customer’s device through
geo-location or IP address analysis. However, these methods are also easily duped by proxy
servers placed in seemingly “valid” locations and used to mask the physical location of the
fraudster’s device.
Another simple device identification technique is to use Flash or JavaScript to collect device
specific information. This, once again, is not reliable, since mobile customers increasingly change physical
location, switch browsers or use a new class of devices that block Adobe Flash applications. In addition,
fraudsters will try to confuse Flash or JavaScript based device identification by altering browser
settings, disabling objects in the browser and disallowing Flash altogether.
Financial Malware Is Rampant
Not only are hackers dedicated to confusing and circumventing the identification of the customers’
devices, they are also developing techniques that leverage legitimate users’ own devices to
conduct financial fraud.
The FFIEC Supplement stresses the need for risk assessment and malware protection. This guidance
is in accordance with the “Layered Security” approach recommended by the 2005 Guidance as well
as the 2011 Supplement. Anti-malware software has become a necessity in today’s
environment, as savvy hackers and specialized organized financial crime groups have developed an
array of tools designed to execute fraud and attacks.
Trojans, root-kits, session hijacking, cross-site attacks, hidden malware and Man-in-the-Browser
attacks like Zeus, Spyeye, Carberp, Silon and others use a variety of mechanisms to insert malicious
commands into transactions. These mechanisms can be used to initiate fraudulent banking and funds
transfer transactions, or to execute fraud through existing sessions that a customer may have started.
Mobile devices, and the Android OS for phones and tablets, are particularly vulnerable. Because of its
unregulated nature, there are hundreds of malicious software programs in the Android marketplace and
hundreds of Android devices have unwittingly been infected with this malware.
The FFIEC Supplement also explicitly points out keylogging malware as a dangerous threat. Keyloggers
can be silently installed on target devices through phishing, by visiting an infected website or even
via a hardware capture device. This spyware captures keystrokes entered by the customer, including
usernames and passwords to online financial institution websites and other personal identification
verification details. This information is then used along with stolen browser cookies to conduct
fraudulent financial transactions in the victim user’s bank account.
FFIEC-Compliant Solution: Device ID and Anti-Malware
To effectively comply with the updated FFIEC guidance, financial institutions should deploy a solution
that unifies device identification and sophisticated malware protection into a single fully integrated
solution. By taking this unified approach, financial institutions are able to protect the integrity of online
transactions from fraudsters who may be trying to commit fraud from their own devices, as well as
from fraudsters that may be leveraging malware on unsuspecting customer devices to execute fraud
from previously identified devices. A major benefit of deploying a combined solution is that it greatly
enhances fraud prevention effectiveness by providing overall visibility and context, making each
individual part more effective.
Complex Device Identification
An advanced device identification technology that satisfies the FFIEC recommendation for cookie-less,
complex device identification should use multiple methods to expose an individual’s true intent.
Cookie-less Device Identification
Malware and fraudsters routinely delete, steal and tamper with browser and Flash cookies. Passively
collecting device attributes to identify devices, without requiring software or hardware tokens, provides a
first layer of defense across all Website interactions. Cross-correlating device fingerprint attributes and
behavior with session and browser cookies provides an additional layer of authentication.
Real-time Complex Attribute Detection
Cybercriminals routinely manipulate device parameters to evade detection. Worse, basic attribute
matching based on hashing browser and IP attributes can create unnecessary false positives and
customer complaints. Complex device identification provides complex attribute matching in real-time
at the time of transaction for persistent identification of a visitor even when IP or browser attributes
change.
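The two preceding sections (cookie-less identification cross-correlated with cookies, and attribute matching that survives an IP or browser change) can be illustrated with a small model. The following is an added example, not code from the white paper or from any vendor product it describes: it contrasts a single hash over all attributes (any change means "unknown device") with a weighted per-attribute similarity score, and then cross-checks the device cookie against that score so that a cookie replayed from a different device is flagged rather than trusted. The attribute names, weights, threshold and the sample profiles are all constructed for the example.

```python
import hashlib

# Constructed weights for the passively collected attributes (hypothetical;
# a real deployment would tune these from observed false-positive rates).
ATTRIBUTE_WEIGHTS = {
    "user_agent": 0.30,
    "screen": 0.15,
    "timezone": 0.15,
    "language": 0.10,
    "fonts_hash": 0.20,
    "ip_prefix": 0.10,
}
MATCH_THRESHOLD = 0.70  # assumed: minimum weighted score to treat as the same device


def simple_fingerprint(attrs):
    """The 'simple' approach: one SHA-256 over every attribute. Any single change
    (a new IP prefix after a network switch, a browser update) yields a new hash."""
    canonical = "|".join(f"{k}={attrs.get(k, '')}" for k in sorted(ATTRIBUTE_WEIGHTS))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def similarity(stored, observed):
    """Weighted share of attributes that still match the stored profile."""
    score = sum(w for k, w in ATTRIBUTE_WEIGHTS.items()
                if stored.get(k) is not None and stored.get(k) == observed.get(k))
    return round(score, 2)


def evaluate_session(known_devices, cookie_device_id, observed):
    """Cross-correlate the device cookie (if any) with the fingerprint.

    known_devices: {device_id: stored attribute profile}
    cookie_device_id: device id presented in the session cookie, or None
    Returns one of: 'recognized', 'cookie_mismatch',
                    'recognized_without_cookie', 'new_device'.
    """
    if cookie_device_id is not None and cookie_device_id in known_devices:
        # A cookie alone proves nothing: the attributes must agree with it.
        if similarity(known_devices[cookie_device_id], observed) >= MATCH_THRESHOLD:
            return "recognized"
        return "cookie_mismatch"  # cookie replayed or forged from another device
    # No usable cookie (cleared, private browsing): fall back to attributes only.
    best = max((similarity(p, observed) for p in known_devices.values()), default=0.0)
    if best >= MATCH_THRESHOLD:
        return "recognized_without_cookie"
    return "new_device"


# Constructed sample profiles (not real customer data).
STORED = {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0", "screen": "1366x768",
          "timezone": "-300", "language": "en-US", "fonts_hash": "f1a2", "ip_prefix": "203.0.113"}
# Same customer after moving to another network: only the IP prefix changed.
IP_CHANGED = dict(STORED, ip_prefix="198.51.100")
# A different device that only shares the language setting.
FOREIGN = {"user_agent": "Mozilla/5.0 (X11; Linux) Chrome/12.0", "screen": "1920x1080",
           "timezone": "+120", "language": "en-US", "fonts_hash": "9c3d", "ip_prefix": "192.0.2"}

if __name__ == "__main__":
    devices = {"dev-1": STORED}
    print("simple hash still matches after IP change:",
          simple_fingerprint(STORED) == simple_fingerprint(IP_CHANGED))
    print("weighted similarity after IP change:", similarity(STORED, IP_CHANGED))
    print("cookie + matching attributes:", evaluate_session(devices, "dev-1", IP_CHANGED))
    print("no cookie, matching attributes:", evaluate_session(devices, None, IP_CHANGED))
    print("valid cookie, foreign attributes:", evaluate_session(devices, "dev-1", FOREIGN))
```

The point of the `cookie_mismatch` outcome is the cross-correlation the text describes: a stolen cookie presented from a device whose attributes do not resemble the profile the cookie was issued to is exactly the case where step-up authentication or a fraud review should be triggered, while a customer whose IP prefix changed keeps a high score and is not turned into a false positive.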
Packet and Browser Fingerprinting
Attributes collected from the browser and IP address are trivial to spoof. Complex device identification
adds passive packet fingerprinting for greater resolution and spoof protection.
Proxy-piercing and True Origin Detection
Based on browser and packet fingerprint interrogation, complex device identification automatically
detects and classifies MITM attacks and bypasses hidden proxies to reveal the true IP address,
geo-location and origin of the transaction.
Compromised Device Detection
Financial institutions not only need to identify a customer’s device, they also need to know whether that
device is now compromised and infected. Subscribing to IP reputation feeds is not enough if the botnet
intelligence cannot be acted on while the customer is on the page.
Global Device Recognition and Confidence Scores
Reputation is subjective, but actions speak louder than words. Banks need the ability to analyze and
incorporate fact-based behavior into risk models across departments and companies. Confidence
scores must be based not only on global collections of device profiles, but also on the bank’s
specific organizational business processes and risk tolerance, in order to reduce false
positives.
Sophisticated Malware Protection
The FFIEC Guidance and Supplement advocate a layered approach to online transaction security. In
addition to threats initiated from fraudsters’ machines, financial institutions are also facing attacks from
widespread identity and password theft, botnets, Trojans and root-kit based malware. While complex
device identification remains the most cost effective first perimeter of defense for customer
and transaction authentication, banks also need to add a layer of malware threat intelligence and
anti-malware defenses to meet new draft FFIEC Guidance.
A compliant malware protection solution must ensure the devices connecting into your network or
web application are safe and secure. Additionally, built-in fraud detection should alert you to the first
indicators of a compromise that could otherwise be missed.