By Arun Kothanath
Disclaimer:
The following write-up is a response to the FFIEC supplement of June 2011 by Integral Business Solutions, drawing on its experience in fraud management and OAAM deployment. This material is suggestive only and does not constitute recommendations from Oracle or Integral Business Solutions. Institutions should implement appropriate risk assessment and remediation mechanisms according to their own business requirements.
On June 28, 2011, the Federal Financial Institutions Examination Council (FFIEC) issued a Supplement to the Authentication in an Internet Banking Environment guidance first issued in October 2005. The FFIEC considered further guidance appropriate because of the continued growth of electronic and mobile banking and the greater sophistication of the associated threats, which have increased risks for financial institutions and their customers.
The FFIEC member agencies expect institutions to have begun assessing themselves against these expectations by January 2012.
Overall, the supplement emphasizes a few things in particular:
- Importance of risk assessment and risk management (as described in the 2005 release)
- Inadequacies of the "enhanced" authentication mechanisms institutions adopted after the 2005 guidance.
- Importance of a layered security and control points
- Importance of a focused and effective awareness program.
Although OAAM as a technology framework addresses most or all of the suggestions in the supplement, the following sections look more closely at some specifics and at how some customers are addressing them.
Many OAAM customers began deploying OAAM in phases as a result of the 2005 guidance, which stressed enhanced authentication. The successive phases should now include the recommendations in the "Specific Supervisory Expectations" defined in this supplement.
Financial institutions should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months. -FFIEC
OAAM can provide reporting data and trending information to support risk assessments in areas including, but not limited to, the following:
- Snapshot of internal and external threat environments
- Behavioral changes in the customer base
- Account of all incidents, near incidents, and the risk profile of transactions and activities.
OAAM Risk Analytics, Behavioral Profiling and the Universal Risk Snapshot enhance risk assessment by providing relevant snapshots, trending and incident data.
Many customers have begun bringing their high-risk financial applications into the OAAM framework, beyond inspecting authentication alone. Organizations are considering real-time and near-real-time risk evaluation to enable both proactive and reactive remediation.
The FFIEC member agencies expect that financial institutions will implement more robust controls as the risk level of the transaction increases. Financial institutions should implement varying levels of layered security (as discussed briefly below) consistent with the risk level of the transaction. In addition to layered security, the Supplement recommends that financial institutions offer multifactor authentication for their business/commercial banking customers.
The 2005 Guidance’s definition of “high-risk transactions” remains unchanged, i.e., electronic transactions involving access to customer information or the movement of funds to other parties. However, since 2005, more customers (both consumers and businesses) are conducting online transactions. The Agencies believe that it is prudent to recognize and address the fact that not every online transaction poses the same level of risk. Therefore, financial institutions should implement more robust controls as the risk level of the transaction increases. - FFIEC
The above requirements lead into the layered security programs directed by the supplement. These layered programs are required to address, but are not limited to, the following.
| FFIEC directive | What OAAM can do |
| --- | --- |
| Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response | OAAM provides a fraud-detection framework built on static and dynamic policies tailored to an application or institution. These policies draw on behavioral profiling, risk profiling and customer history. |
| The use of dual customer authorization through different access devices | Customers can use OTP Anywhere over SMS to take the second authorization out of band on a different device. |
| The use of out-of-band verification for transactions | The same OTP Anywhere out-of-band flow can re-authenticate the user when a high-risk transaction is initiated. |
| The use of "positive pay," debit blocks, and other techniques to appropriately limit the transactional use of the account | OAAM provides a variety of policy options for implementing complex business requirements. Policies are invoked in real time for proactive management, or in near real time for alerting and remediation. |
| Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times) | |
| Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities | OAAM provides white/black listing and grouping capabilities that dynamically build "suspicious" lists of devices, IP addresses and similar attributes, which feed the risk evaluation of an authentication or transaction. |
| Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud | |
| Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels | OAAM can re-authenticate the user via KBA or OTP/OOB before such changes complete. |
| Detect and Respond to Suspicious Activity | OAAM can detect anomalies in the initial authentication request and in the initiation of risky transactions such as funds transfers. It correlates the authentication event with the transaction and produces a real-time risk score that can drive manual or automated remediation. |
| Control of Administrative Functions | Any control change can raise the risk score and so trigger out-of-band authentication, strengthening control over risky administrative functions through static business rules or dynamic risk profiling. |
| Effectiveness of Certain Authentication Techniques | |
| Device Identification | Unlike most existing systems, OAAM does not identify a device by a cookie or IP address alone. OAAM rules build a fingerprint for the device, and its relationship to the user, from a number of parameters and the relationships among them. |
| Challenge Questions | OAAM offers a high degree of flexibility in the challenge/response process, and its Knowledge Based Authentication can be invoked at any point for re-authentication. For example, if a transaction a user initiated produced a higher risk score, OAAM can start a challenge/response to re-authenticate the user before completing the transaction. |
Furthermore, OAAM provides OTP Anywhere, which allows end users to authenticate by entering a server-generated one-time password, received via SMS, email, instant message or voice, into a web form. When the OTP is sent via SMS, the user's cell phone serves as a physical second factor in the user's possession, and because the code travels out of band, there is a higher level of assurance that only the valid user has access to it. Features such as Answer Logic and OTP Anywhere can substantially increase web application access security in a cost-effective and usable manner.
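The out-of-band OTP flow described above, as an added example written for this article rather than OAAM's own OTP Anywhere code. The six-digit code, five-minute validity, three-attempt limit, the injected `send()` callable standing in for an SMS gateway, and the injectable clock are all assumptions; the point it demonstrates is that the server binds the code to the transaction it approves, so a code issued for one transfer cannot be replayed to approve a different one, and that the SMS repeats the transaction details so the customer can notice a transfer they did not initiate.

```python
"""Out-of-band one-time password lifecycle for step-up on a high-risk
transaction. Added example written for this article; it is not OAAM's
OTP Anywhere implementation or API. Assumptions: 6-digit numeric code,
5-minute validity, 3 attempts, delivery through an injected send()
callable standing in for an SMS gateway, and an injectable clock."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3
# Per-process secret so a leaked OTP store cannot be brute-forced offline.
_SERVER_KEY = secrets.token_bytes(32)


class OtpService:
    def __init__(self, send, clock=time.time):
        self.send = send        # send(phone_number, message)
        self.clock = clock
        self.pending = {}       # session_id -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(code, tx_summary):
        """Bind the code to the transaction it approves, so a code issued for
        one transfer cannot be replayed to approve a different one."""
        msg = f"{code}|{tx_summary}".encode()
        return hmac.new(_SERVER_KEY, msg, hashlib.sha256).digest()

    def issue(self, session_id, phone_number, tx_summary):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = {
            "digest": self._digest(code, tx_summary),
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The message repeats the transaction details so the customer can
        # spot a transfer they did not initiate before approving it.
        self.send(phone_number, f"{code} is your code to approve: {tx_summary}. "
                                "Do not share it with anyone.")

    def verify(self, session_id, submitted, tx_summary):
        """Return one of: ok, wrong, expired, locked, no_pending."""
        rec = self.pending.get(session_id)
        if rec is None:
            return "no_pending"
        if self.clock() > rec["expires"]:
            del self.pending[session_id]
            return "expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self.pending[session_id]
            return "locked"
        if hmac.compare_digest(rec["digest"], self._digest(submitted, tx_summary)):
            del self.pending[session_id]      # single use
            return "ok"
        return "wrong"


def code_from_message(message):
    """Helper for the demo: the code is the first token of the SMS text."""
    return message.split()[0]


if __name__ == "__main__":
    outbox = []     # constructed stand-in for the SMS gateway
    svc = OtpService(send=lambda phone, msg: outbox.append(msg))
    svc.issue("sess-1", "+1-555-0100", "transfer $5,000.00 to ACCT-9999")
    code = code_from_message(outbox[-1])
    print(svc.verify("sess-1", code, "transfer $5,000.00 to ACCT-0001"))  # wrong: different transaction
    print(svc.verify("sess-1", code, "transfer $5,000.00 to ACCT-9999"))  # ok
```

Because the stored value is an HMAC over code and transaction summary under a server-side key, an attacker who reads the pending store still cannot recover the code, and a code phished from the customer for one transfer is useless for any other amount or recipient.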
Many customers are moving their OAAM deployment into a next phase that addresses most or all of the concerns noted in the current FFIEC supplement. Steps taken by various institutions include:
- Deploying OAAM for transactional analysis beyond authentication.
- Tighter device identification rules.
- OTP Anywhere with an out-of-band channel such as SMS.
- Invoking transactional rules based on thresholds, risk, behavior and privilege.
- Bringing as many applications as possible under the OAAM fraud-monitoring umbrella, so that the overall risk posture can be evaluated in real time or near real time.
- Increased reporting on real-time and near-real-time activity.
- Extensive investigation and forensic capabilities for fraud engineers.
- A tighter "trust" mechanism built from appropriate rules and policies.
- Frequent review of threats, risks and remediation policies.
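How the transactional rules in the table above and in the list of steps (value thresholds, payment recipients, daily transaction count, payment windows, IP reputation lists, multi-attribute device fingerprints) combine into one layered risk decision, as an added example written for this article. It is not OAAM's rule engine or policy API; every weight, threshold, name and sample value is an assumption, and the sample IP addresses are from the TEST-NET ranges.

```python
"""Layered transaction-risk scoring: an added illustration of the controls
discussed above (value thresholds, payment recipients, daily transaction
count, payment windows, IP reputation lists, multi-attribute device
fingerprints). This is example code written for this article, not OAAM's
rule engine or API; every weight, threshold and sample value is assumed."""
from dataclasses import dataclass
from datetime import datetime
from hashlib import sha256

# Constructed sample data: TEST-NET-2 address, not a real fraud indicator.
IP_BLACKLIST = {"198.51.100.7"}

# Action thresholds (assumed): escalate to out-of-band OTP, then block.
CHALLENGE_AT = 30
BLOCK_AT = 60

# Constructed browser attributes for the customer's usual device.
KNOWN_DEVICE = {"ua": "Mozilla/5.0", "screen": "1920x1080", "tz": "-300", "lang": "en-US"}


@dataclass
class CustomerProfile:
    """What the institution already knows about the customer's behaviour."""
    known_recipients: frozenset
    known_device_fps: frozenset
    typical_max_amount: float
    daily_limit_count: int
    payment_window: tuple       # (start_hour, end_hour), 24h, local time
    transfers_today: int = 0


@dataclass
class Transaction:
    amount: float
    recipient: str
    ip: str
    device: dict                # device attributes observed this session
    when: datetime


def device_fingerprint(attrs):
    """Hash several device attributes together in a canonical order, rather
    than trusting a single cookie or the source IP."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return sha256(canonical.encode()).hexdigest()


def score_transaction(tx, profile):
    """Return (score, reasons). Each rule is independent; the layering comes
    from summing them so that several weak signals add up to a strong one."""
    score, reasons = 0, []
    if tx.ip in IP_BLACKLIST:
        score += 60
        reasons.append("ip_blacklisted")
    if device_fingerprint(tx.device) not in profile.known_device_fps:
        score += 25
        reasons.append("unknown_device")
    if tx.recipient not in profile.known_recipients:
        score += 20
        reasons.append("new_recipient")
    if tx.amount > profile.typical_max_amount:
        score += 20
        reasons.append("amount_above_typical")
    if profile.transfers_today + 1 > profile.daily_limit_count:
        score += 30
        reasons.append("daily_count_exceeded")
    start, end = profile.payment_window
    if not start <= tx.when.hour < end:
        score += 15
        reasons.append("outside_payment_window")
    return score, reasons


def decide(score):
    """Map a score to the institution's response: allow, step up, or block."""
    if score >= BLOCK_AT:
        return "block"
    if score >= CHALLENGE_AT:
        return "challenge_oob"
    return "allow"


def evaluate(tx, profile):
    score, reasons = score_transaction(tx, profile)
    return decide(score), score, reasons


def sample_profile():
    """Constructed profile: one known payee, one known device, $2,000 typical cap."""
    return CustomerProfile(
        known_recipients=frozenset({"ACCT-1001"}),
        known_device_fps=frozenset({device_fingerprint(KNOWN_DEVICE)}),
        typical_max_amount=2000.0,
        daily_limit_count=5,
        payment_window=(6, 22),
        transfers_today=1,
    )


def make_transaction(amount, recipient, ip, device, hour):
    """Demo constructor: fixed date, given local hour."""
    return Transaction(amount, recipient, ip, device, datetime(2011, 9, 1, hour, 0))


if __name__ == "__main__":
    p = sample_profile()
    print(evaluate(make_transaction(500.0, "ACCT-1001", "203.0.113.10", KNOWN_DEVICE, 10), p))
    # ('allow', 0, [])
    print(evaluate(make_transaction(5000.0, "ACCT-9999", "203.0.113.10", KNOWN_DEVICE, 10), p))
    # ('challenge_oob', 40, ['new_recipient', 'amount_above_typical'])
```

The second call is the supplement's point in miniature: neither a new payee nor a larger-than-usual amount is decisive alone, but together they cross the step-up threshold and the transfer is held for out-of-band confirmation rather than approved on the password alone.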
As a result, institutions have started defining phased approaches to deploy the required controls incrementally. The following is one such example of a phased approach.
The 2005 and 2011 directives from the FFIEC signify one thing: knowing who the user is, is not enough. The user and his or her actions have to be put in the context of the risk they pose to the institution. This requires financial applications to assess risk in real time and provide remediation in real time or near real time. OAAM provides a robust framework for efficient real-time risk assessment of transactions and proactive control enforcement. Regulations may be introduced, altered and enforced; the bottom line is to reduce the threat and risk to the institution and its users.