I’m sure most financial institutions are aware of the newly published FFIEC guidelines around banking authentication. So, I won’t belabor the point with another blog on the detailed requirements that will be measured and audited against starting January 2012. Instead, what I’d like to focus on is the one requirement that calls for increased multi-factor authentication.
This guideline is very specifically about the use of a layered approach to authentication, and the need for improved challenge questions. As I’ve discussed, today’s challenge questions have been criticized by the regulators as being overly simplistic and easy to compromise. Soon, financial institutions will be reviewed (and held accountable) on how effective they are at detecting, preventing and analyzing the risks associated with protecting customers’ data and identities. At a minimum, they should be able to show they are aware of the risks and are taking steps to close the gap.
In her recent blog, “Are Banks Missing the Fraud Mark?” Information Security Media Group’s Tracy Kitten said:
“But has our attention focused so much on technological threats that we’ve forgotten to lock the garage, through which low tech schemes sneak in and steal millions upon billions of dollars every year? Sadly, yes… I’m not suggesting we steer attention away from the cyber fight. Cyber threats are definitely a growing concern. But we can’t leave windows of fraud opportunity open to low-tech schemes, either.”
Not only do I agree with Tracy’s views, I would add that as IT departments try to pinpoint what areas to focus on to ensure their systems are protected from evolving threats, many are overlooking the primary attack vector – the call center.
One of the reasons telephone fraud and social engineering have picked up in recent years is that criminals now have the ability to obtain or change the address or account data that’s necessary to perpetrate larger and more profitable online crimes. Once a criminal controls a customer’s information – primarily through the telephone channel – they use the newly acquired personally identifiable information (PII) to commit crimes through the online channel.
In the article, “PCI Council Issues Advice for Securing Card Data in Call Centers,” Jeremy King, European director of the Security Council, said one of the prime targets for criminals today is the call center. Today, preventing the theft and alteration of personal and financial data in the call center is the smartest Internet security investment a bank can make.
The fact is, if you want to automate business processes, enhance customer communications, comply with the spirit of the FFIEC guidelines and take advantage of new technologies, you should “bake” cyber security and risk management into all customer channels, including the “low-tech” telephone channel.
One of the primary benefits of the TrustID® Telephone Firewall™ solution that I’ve written about is that it is invisible to criminals and undetectable to upstanding customers. Knowing which inbound calls are high risk before the call is answered gives banking institutions a huge advantage over the criminals, and an opportunity to dramatically improve the customer experience through reduced interrogation, otherwise known as knowledge-based authentication (KBA), while fulfilling the FFIEC’s multi-factor authentication best practices for identifying customers.
Because the TrustID firewall is completely transparent to both customers and criminals, and is developed using data from a highly complex telephone network, it doesn’t provide crooks with any insight into how they are detected. As a result, customers go about their business without interruption, and crooks have nothing to test against in order to breach the system.