Re: Bankers on FFIEC

From: "William M. Davis" <WDavis@xxxxxxxxx>
Date: Thu, 15 Mar 2007 06:57:27 -0700

Ken,

The FFIEC guidance is just that it is guidance. It also does not require
multi-factor authentication; it does require that banks do a risk assessment
and adequately protect their systems. I agree that what most are doing is
not really multi-factor. However, additional questions can increase the
level of security and help justify the continued use of single factor
authentication until better, cheaper, easier methods are developed.

William M. Davis, CISSP, CISA
WDavis@xxxxxxxxx

----- Original Message ----- From: "Ken Kousky" <kkousky@xxxxxxxxxx>
To: <security-basics@xxxxxxxxxxxxxxxxx>
Sent: Wednesday, March 14, 2007 5:42 PM
Subject: Bankers on FFIEC

The FFIEC guidance on online banking calls for strong authentication,
applied based on appropriate risk analysis and they even spell out the three
factors of authentication and state that single factor password
authentication isn't adequate. Yet, I've found many banks adding addition
questions to the login sequence and thinking they've added another factor.

Does anybody have experience with this situation and understand how banks
are getting around the Guidance for Online Banking requirements?

KWK

References:
- The Value of GIAC/GSEC Certification
  - From: andrews
- Bankers on FFIEC
  - From: Ken Kousky

Prev by Date: Re: NOC password management
Next by Date: RE: The Value of GIAC/GSEC Certification
Previous by thread: Bankers on FFIEC
Next by thread: RE: The Value of GIAC/GSEC Certification
Index(es):
- Date
- Thread

Relevant Pages

Feds Want Banks to Strengthen Web Log-Ons
... Internet customers through authentication that goes beyond mere user ... Financial Institutions Examination Council said in a letter to banks ... customers must confirm their identities ... other merchants that are willing to "federate" their Web sites with ...
(comp.dcom.telecom)
Re: is ssl secure enough ?
... What's good enough for the banks is good enough for you: ... SSL with two factor authentication is generally a well accepted, ... standard design: yes. ... Dual-factor authentication will be a must and I ...
(microsoft.public.windows.server.security)
Re: Attacks on IPsec
... >These do not provide data encryption, ... >authentication (but I don't thin anyone uses them). ... I know of banks that use them over leased-line links to mainframes, ...
(sci.crypt)
Re: SSNs and the law - True or False
... Someone told me it was only legal for Banks. ... would be better as a second means of authentication? ... >> Social Security Number. ... > But I should clarify that it is a really bad idea... ...
(microsoft.public.security)
Bankers on FFIEC
... The FFIEC guidance on online banking calls for strong authentication, ... Does anybody have experience with this situation and understand how banks ...
(Security-Basics)