By Arun Kothanath
The following write up is a response to the FFIEC supplement of June 2011 by Integral Business Solutions from itâ€™s experience in the field of fraud management and deployment of OAAM. These are suggestive material only and are not to be recommendations from Oracle or Integral Business solutions. Institutions should implement appropriate risk assessment and mediation mechanisms according to their own business requirements.
On June 28, 2011, the Federal Financial Institutions Examination Council (FFIEC) issued a Supplement to the Authentication in an Internet Banking Environment guidance first issued in Oct. 2005. The FFIEC considered that further guidance was appropriate due to the continued growth of electronic and mobile banking and greater sophistication of the associated threats, which have increased risks for financial institutions and their customers.
The FFIEC member agencies have directions to members to initiate assessments against these expectations by January 2012.
Overall this supplement emphasizes specifically on a few things such as,
- Importance of risk assessment and risk management (as described in the 2005 release)
- Inadequacies of the current â€śenhancedâ€ť authentication mechanisms customers have adopted post 2005 guidance.
- Importance of a layered security and control points
- Importance of a focused and effective awareness program.
Although OAAM as a framework of technology provides answers and solutions to most or all of the suggestions in the supplement, a closer look is given in the following sections on some specifics and how some customers are trying to address these.
Many OAAM customers have initiated deploying OAAM in a phased manner as the result of the 2005 guidance stressing on enhancing authentication. How ever, the successive phases should now include the recommendations in the â€śSpecific Supervisory Expectationsâ€ť as defined in this supplement.
Financial institutions should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months. -FFIEC
OAAM can provide a number of reporting data and trending information to support risk assessments, but not limited to, in the following areas.
- Snapshot of internal and external threat environments
- Behavioral changes in the customer base
- Account of all incidents, near incidents, risk profile of transactions and activities etc.
The OAAM Risk Analytics, Behavioral Profiling and Universal Risk Snapshot will enhance all the Risk Assessment by providing relevant snapshots, trending and incidents data.
Many customers have initiated inclusion of their high-risk financial applications in to the OAAM framework beyond inspecting the authentication. Organizations are considering real-time risk evaluations and near real time risk evaluations to facilitate proactive and reactive actions to remediate the risk.
The FFIEC member agencies expect that financial institutions will implement more robust controls as the risk level of the transaction increases. Financial institutions should implement varying levels of layered security (as discussed briefly below) consistent with the risk level of the transaction. In addition to layered security, the Supplement recommends that financial institutions offer multifactor authentication for their business/commercial banking customers.
The 2005 Guidanceâ€™s definition of â€śhigh-risk transactionsâ€ť remains unchanged, i.e., electronic transactions involving access to customer information or the movement of funds to other parties. However, since 2005, more customers (both consumers and businesses) are conducting online transactions. The Agencies believe that it is prudent to recognize and address the fact that not every online transaction poses the same level of risk. Therefore, financial institutions should implement more robust controls as the risk level of the transaction increases. - FFIEC
The above requirements lead in to a Layered Security Programs as directed in the supplement. These layered programs are required to, but not limited to, the following.
What OAAM can do
|Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response||OAAM can provide a framework for fraud detection based on several static and dynamic policies tailored to an application or institution. These policies will consider behavioral profiling, risk profiling and customer history.|
|The use of dual customer authorization through different access devices;||Customers can make use of OTP any where via SMS to provide Out Of Band authentication via different devices.|
|The use of out-of-band verification for transactions;||The same OTP Anywhere with OOB can be used to re-authenticate users on high-risk transaction initiation.|
|The use of â€śpositive pay,â€ť debit blocks, and other techniques to â€¨appropriately limit the transactional use of the account||OAAM provides a variety of policy options to implement complex business requirements. These are invoked in real time for proactive management or near real time for alert and remediation purposes.|
|Enhanced controls over account activities; such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times)|
|Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities||OAAM provides excellent white/black listing and grouping capabilities to dynamically create â€śsuspiciousâ€ť lists of devices, IP etc. that can be used to determine the risk of an authentication or transaction.|
|Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud|
|Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels||OAAM can re-authenticate the users via KBA or OTP/OOB to complete such scenarios.|
|Detect and Respond to Suspicious Activity||OAAM can effectively detect anomalies the initial authentication request and initiation of risky transactions such as â€śtransfer of fundsâ€ť. OAAM can correlate the authentication event to a transaction and provide a real time risk factor which can be used to remediate the risk manually or in an automated way.|
|Control of Administrative Functions||Any control changes can initiate a higher risk score and thus initiate an Out Of Band Authentication. This will enhance the control in risky administrative functions based on static business rules or dynamic risk profiling.|
|Effectiveness of Certain Authentication Techniques|
|Unlike most existing systems, OAAM does not identify the device just by a cookie or IP address. OAAM rules can create a fingerprint for a device and the relationship to its user via a number of parameters and the relationship of these parameters.|
|OAAM provides a very high degree of flexibility in the challenge/response process. The OAAM Knowledge Based Authentication can be invoked at any point for re authentication. E.g if a particular transaction a user initiated resulted in a higher risk score, OAAM can initiate a challenge/response process to re-authenticate the user and complete the transaction.|
Further more, OAAM provides an OTP anywhere, which allows end users to authenticate themselves by entering a server, generated one-time-password in a web form they receive via SMS, email, and instant message or voice channels. When the OTP is sent via SMS, the userâ€™s cell phone serves as a physical second factor the user has in their possession. As well, the authentication is being sent out-of-band to increase the level of assurance that only the valid user has access to the one-time-password. Features such as Answer Logic and OTP Anywhere can dramatically increase web application access security in an exceptionally cost-effective and usable manner.
Many customers are enhancing their OAAM deployment in to next phase of activities, which will address most or all of the above concerns noted in the current FFIEC supplement. Some of the steps taken by various institutions include,
- Deploy OAAM for transactional analysis beyond authentication
- Tighter device Identification rules.
- OTP anywhere with Out of Band such as SMS.
- Invoke transactional rules based on thresholds, risk, behavior and privilege
- Bring as many applications under the OAAM fraud-monitoring umbrella so that the overall risk posture can be evaluated in real time or near real time.
- Increase reporting on real time and near real-time activities
- Provide extensive Investigation and Forensic capabilities to fraud engineers.
- Create a tighter â€śtrustâ€ť mechanism by implementing appropriate rules and policies.
- Review threats, risks and remediation policies frequently.
As a result, institutions have started defining a number of phased approaches to deploy the required controls incrementally. Following is such an example of a phase approach.
The 2005 and 2011 directives from FFIEC signify one thing. Knowing who the user is not enough. The user and his/her actions have to be put in to context of what is the risk to the institution is going to be. This will require all financial applications to assess risk in real time and provide remediation actions in real-time or near real-time. OAAM will provide a robust framework for efficient real-time risk assessment of transactions and proactive control enforcement for the institution. Regulations may be introduced, altered and enforces â€“ the bottom line is to reduce the threat and risk to the institution and itâ€™s users.