FFIEC’s 2021 Online Security Guidance and Beyond

Jake Emry, Fraud Prevention Subject Matter Expert

In the summer of 2021, the FFIEC released its long-awaited updated guidance on online security, “Authentication and Access to Financial Institution Services and Systems”. The last major guidance was in 2011, with a commentary on mobile security around 2015 in the FFIEC Examination Handbook. With a near 10-year gap in guidance, financial services organizations (FSOs), whether under the FFIEC or not, have managed their online security risks rather than just waiting for the FFIEC to opine. New in this guidance are references to important outside resources such as the National Institute of Standards and Technology (NIST), for instance the four-volume NIST 800-63 series, which is a must-read for the online security practitioner.

This updated guidance begins with considering the threat landscape and the need to periodically complete a risk assessment, which are essential for any online security unit. New technologies are also highlighted, especially given the current threat landscape. Recognizing and monitoring new devices, the increased use of Application Programming Interfaces (APIs), and the use of cloud-based service providers are some of the areas not fully considered in previous FFIEC guidance [1]. However, a major threat area not addressed in the guidance is the serious increase in the use of social engineering to commit online fraud, which we will address in detail.

In the next section, the FFIEC continues the discussion of layered security from 2011. Here they talk about using multi-factor authentication, transaction amount limits, and assigning user rights based on least-privilege provisioning (most important for commercial web admins and commercial online users) as examples of using multiple layers of security to address one threat. One example is online account opening (OAO), where multiple layers of security are essential to prevent bogus account creation and to interdict the threat of mule accounts. OAO is particularly vulnerable to the use of stolen PII and synthetic or manufactured identities. Assessing the risk of demographics used during OAO, such as phone number, email and physical addresses, as well as the behavioral biometrics observed while the data is being entered, is especially important to prevent OAO fraud. In addition to these risk factors, recognizing anomalous transactional behavior (e.g., high dollar deposits, velocity activity, etc.) complements and increases the effectiveness of multiple layers of security.

On the commercial side, most FSOs have multiple layers of security around IP address and device information, detection of proxies and risky virtual private networks, and endpoint malware and anomaly detection on at least online wires and ACH. More sophisticated FSOs also add anomaly detection to offline wires and ACHs generated by the FSO’s corporate customers. Inbound wires and ACH will also be monitored to identify fraudulent funds from other FSOs intended for money mule accounts.

Next the guidance discusses Multi-Factor Authentication (MFA). MFA is defined by NIST as:

“An authentication system that requires more than one distinct authentication factor for successful authentication. Multi-factor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.” [2]

The guidance does talk about a variety of MFA factors, including the hard and soft tokens typically used by FSOs’ commercial customers today. A comment in the previous Risk Assessment section stated that high-risk users (e.g., users who have access to higher dollar deposits or a commercial web admin) should have a higher level of MFA security.

However, the guidance was not explicit in addressing the risks associated with three key aspects of MFA:

  • The risk of One-time Passcodes (OTP) – The reality is most FSOs are still using basic OTP as the primary MFA through a phone number contained in the customer’s account profile. Cybersecurity professionals have long recognized the vulnerability of text message-based (SMS) OTP. For example, SIM swaps, phone porting, mobile network security vulnerabilities and fraudster-preferred social engineering of the customer to obtain the OTP code are all notable considerations of this weak method of authentication. Q6 Cyber also highlights the growing threat of OTP Bots:

“OTP bots are designed to socially engineer a victim into divulging sensitive information such as…two-factor authentication (2FA) codes associated with online banking or other valuable accounts. OTP bots introduce automation to what used to be a manually intensive social engineering process.” [3]

The number of fraud cases involving the failure of an MFA utilizing OTP through SMS is telling and highlights the growth of the account take-over (ATO) threat. There are many stories involving crypto-currency theft and Zelle fraud losses involving OTP through SMS. Strengthening your OTP through SMS until you can replace it with a more secure form of MFA is critically important to customer account protection and can be accomplished by:

  1. Implementing mobile identity authentication to confirm that the phone number used for an OTP through SMS actually belongs to the customer, without missing high-risk factors (i.e. line age, porting history).
  2. For mobile app transactions, validate that the mobile phone’s number is also owned by the FI customer.
  3. Validate the location of the mobile phone matches location history.
  4. Do not send OTP codes through SMS to non-fixed VOIP phone numbers.

The guidance states that the “use of single-factor authentication as the only control mechanism has shown to be inadequate” – we recommend the replacement of OTP through SMS as soon as possible, unless a layered security approach is employed to address risks identified for this weak form of MFA.

  • When it comes to the consideration of continuous authentication, a number of FSOs are looking for ways to validate their customers throughout the online session. Behavioral analytics and biometrics are an excellent method to accomplish this. The passive nature of behavioral analytics and biometrics enhances the customer experience and reduces friction. 
  • The growing importance of the ‘FIDO2/WebAuthn’ authentication standard has the potential to radically change the security of MFA. NIST calls FIDO2/WebAuthn the ‘level of assurance’ for MFA and FIDO2/WebAuthn is driving the very serious interest in and enthusiasm for passwordless forms of authentication. While many vendors are using standards like FIDO2/WebAuthn to create new forms of authentication, this FFIEC guidance should have mentioned this standard, particularly as it is agnostic of vendor selection or preference. In addition, as the guidance references, the ability to device bind (at the web browser, mobile browser or mobile app level) in conjunction with device authenticators (biometrics, ‘hard’ security keys) deserves additional consideration as more robust forms of maintaining strong authentication.
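
One way to apply the four SMS OTP checks listed above before a code is sent, as an added example that is not from the FFIEC guidance or any vendor product: the `PhoneSignals` fields, the thresholds and the sample lookups are all constructed assumptions. Any signal the lookup did not return counts as a failed check, so an incomplete lookup never lets an SMS code go out.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds for illustration; set real values from your own fraud data.
MIN_LINE_AGE_DAYS = 90
MIN_DAYS_SINCE_PORT = 30
MAX_KM_FROM_HISTORY = 500.0

@dataclass
class PhoneSignals:
    """Hypothetical result of a phone-intelligence lookup (None = not returned)."""
    owner_matches_customer: Optional[bool]       # check 1: number belongs to customer
    line_age_days: Optional[int]                 # check 1: line age
    days_since_port: Optional[int]               # check 1: porting history
    app_number_matches_customer: Optional[bool]  # check 2: mobile app only
    km_from_location_history: Optional[float]    # check 3: location vs. history
    line_type: Optional[str]                     # check 4: "mobile", "non_fixed_voip", ...

def sms_otp_allowed(s: PhoneSignals, channel: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons); any reason means use a stronger factor instead."""
    reasons = []
    if s.owner_matches_customer is not True:
        reasons.append("ownership of number not confirmed")
    if s.line_age_days is None or s.line_age_days < MIN_LINE_AGE_DAYS:
        reasons.append("line age unknown or too new")
    if s.days_since_port is None or s.days_since_port < MIN_DAYS_SINCE_PORT:
        reasons.append("porting history unknown or recent port")
    if channel == "mobile_app" and s.app_number_matches_customer is not True:
        reasons.append("app phone number not tied to customer")
    if (s.km_from_location_history is None
            or s.km_from_location_history > MAX_KM_FROM_HISTORY):
        reasons.append("location unknown or outside history")
    if s.line_type is None or s.line_type == "non_fixed_voip":
        reasons.append("line type unknown or non-fixed VoIP")
    return (not reasons, reasons)

# Constructed sample lookups.
ESTABLISHED = PhoneSignals(True, 1400, 900, True, 12.0, "mobile")
RECENT_PORT = PhoneSignals(True, 1400, 3, True, 12.0, "mobile")
VOIP = PhoneSignals(True, 400, 400, None, 8.0, "non_fixed_voip")
INCOMPLETE = PhoneSignals(True, None, None, None, None, "mobile")

if __name__ == "__main__":
    for name, sig in [("established", ESTABLISHED), ("recent port", RECENT_PORT),
                      ("voip", VOIP), ("incomplete", INCOMPLETE)]:
        print(name, sms_otp_allowed(sig, "web"))
```

Returning the reasons alongside the decision gives the fraud team an audit trail for every SMS code that was withheld.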

The guidance omitted other high-risk factors to traditional forms of MFA:

  • Fraudsters bypassing MFA controls through errors in coding or implementation. New forms of MFA must be tested through the use of professional penetration testing capabilities.
  • Impacts to MFA solutions due to Cloud outages or the failure of other web-based infrastructure – major Cloud providers are limited in number and these solutions are vulnerable to service interruption, as we saw when a major cloud service provider was down for many hours on December 7, 2021 [4].

In the Threat Landscape section of the guidance, there is a discussion on the significant number of data breaches, which in essence is a major risk that combines several threats. Here fraudsters get customers’ usernames, passwords and PII data, including updated phone numbers. Unfortunately, many customers reuse their login credentials across multiple accounts and websites. Testing login credentials, as previously referenced, also utilizes OTP bots. To monetize data breaches, fraudsters will deploy credential stuffing against FSO websites (as well as eCommerce, health and insurance sites) to identify which credentials are still valid and active. Credential stuffing, as a form of a DDoS attack, can also cause customer friction as these attacks could temporarily cripple an FSO’s website, potentially even locking out good customers from their accounts. With the knowledge of valid and active login credentials, combined with known phone numbers, the fraudsters can log in to FSO websites successfully. When challenged with SMS OTP, this is easily defeated using the OTP bot program. The OTP bot program will automate socially engineering the customer to give up the OTP code. With the OTP code in hand, the fraudster can now log into the account if layered security is not employed (i.e. behavioral biometrics or mobile-centric identity authentication).

The next section of the guidance was brief on Call Center authentication. Call Centers are a big part of the online environment. Online customers can do their banking work on the PC or mobile device, but often they contact the Call Center for help associated with online transactions. They can request a phone number change, call to approve a Zelle transaction, or even request a retail wire. Authentication and anomaly detection are crucial in the call center environment, where fraud prevention is hampered by staff inexperience and/or lack of fraud knowledge.

A wide array of authenticators can be used in the call center environment. This includes voice biometrics (active and passive), advanced OTP, push notifications to an identity-authenticated mobile phone, inbound call verification from the FSO mobile app, etc. Information about the phone call itself could also be used to detect phone spoofing and phone print technology helps to identify a fraudster on the phone in real time.

As part of layered security, anomaly detection on call center transactions is also needed. Even better is cross-channel transaction anomaly detection covering web, mobile and call center transactions. Oftentimes, monitoring transactions made before the person gets to the call center can be very valuable in assessing the risk of the call.

The guidance then moves on to User and Customer Awareness and Education. Educating customers, both retail and commercial, may not always generate the reduced fraud exposure an FSO would like. Social engineering is an attack vector that depends heavily on customer awareness and education: a customer’s lack of knowledge of social engineering tactics facilitates the fraudster’s ability to bypass authentication controls and/or make the transaction look legitimate. Customer education methods require new thinking about how to affect the behavior of the customer so that persuasion and confidence-based methods of socially engineering customers become harder for the fraudster to orchestrate and monetize on a large scale.

The guidance also talks about explaining how FSO communications to customers (e.g., phone calls, text messages, etc.) are legitimate. There are vendor solutions that can help:

  • DMARC-based email solutions can prevent unauthorized emails coming from the FSO’s domain.
  • Call out in SMS messaging that the FSO will never ask for a customer to volunteer sensitive PII or account credentials.
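
DMARC only keeps spoofed mail from the FSO’s domain out of inboxes when the published policy is enforcing, so auditing the record is a useful check. The following is an added example, not part of the original article: the records are constructed for `example.com`, and the tags are those defined in RFC 7489.

```python
from __future__ import annotations

ENFORCING = ("quarantine", "reject")

def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into tag/value pairs (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record: str) -> list[str]:
    """Return findings that weaken spoofing protection; an empty list means enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    findings = []
    if tags.get("p", "").lower() not in ENFORCING:
        findings.append("p is not quarantine/reject: spoofed mail is still delivered")
    if "sp" in tags and tags["sp"].lower() not in ENFORCING:
        findings.append("sp leaves subdomains unenforced")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct below 100: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports to monitor abuse")
    return findings

# Constructed sample records.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
PARTIAL = "v=DMARC1; p=reject; sp=none; pct=50"
NOT_DMARC = "v=spf1 include:_spf.example.com -all"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, ENFORCED, PARTIAL, NOT_DMARC):
        print(rec, "->", audit_dmarc(rec) or "enforcing")
```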

The guidance added a new section on Data Aggregators and other Customer-Permission Entities (CPEs). This relates to the companies that aggregate a consumer’s financial information in one place and the concept of Open Banking. The guidance calls out for a “comprehensive risk management program … for credential and API-based authentication when CPEs access a financial institution’s information systems and customer information.” [5] Given the number of serious recent third-party vendor breaches, interfaces with data aggregators and CPEs should always be treated as high risk.

APIs, in general, are becoming a high-risk attack vector. There are so many new APIs being created to support online banking, either in the core applications or in the supporting fraud controls, that FSOs need to truly understand and mitigate the threats against APIs. Gartner predicts by 2022 “API-based attacks will become the most frequent attack vector for applications.” [6]

The final section in the guidance concerns Customer and User Identity Verification. Here the guidance puts a big focus on identity verification “when establishing new customer accounts” [7] (recall the earlier discussion of OAO). A layered approach to security controls can effectively address threats to OAO, especially considering the wealth of stolen PII and synthetic/manufactured IDs available to fraudsters. Solutions can also vary between mobile and web (i.e. utilizing facial biometrics on the web is more difficult than on the mobile channel).

Finally, the guidance has an appendix that discusses controls (authentication controls, anomaly detection controls, etc.) that can be deployed for a number of online and call center activities. It is well worth the read.

Two areas that were not discussed in the guidance are:

  • The mobile channel – With most of the traffic now coming from the mobile device, there should have been a discussion on mobile transactions. A recent report by NICE Actimize, “Fraud Trends from NICE Actimize Collective Intelligence” in December 2021 showed that mobile browsing had the highest fraud share across channels in Q1-Q3 2021.
  • Customer online scams – This is the biggest gap in the guidance. So much fraud is now driven by social engineering against both commercial customers (Business and Vendor Email Compromise – BEC fraud) and retail customers (Consumer Email Compromise, IT repairman scam, romance scams, Zelle OTP scams). On the retail side, many of these scams are not covered by REG E (e.g., in legal parlance, they are considered authorized transactions by the customer and have previously been excluded by REG E for reimbursement of the fraud loss).

Beyond the Guidance

So we’ve read the guidance, what’s next? The most important parts of the guidance are the Threat Landscape and Risk Assessment sections. Every FSO should be continually assessing online threats. And, in our opinion, at least once a year, the FSO should complete an online security risk assessment. This timing follows the general recommendations in the guidance. This assessment can be done in-house and/or with the help of an outside consulting firm. Outside help is recommended in that it keeps the assessment more up to date and should provide a perspective greater than just the FSO itself. This should be a formal document which lists all of the online and call center transactions, the associated threats, security gaps and the probability/severity of the security gaps turning into major fraud losses. This assessment should take into account the exposure/loss to both the FSO and the customer. It is also helpful to assess these risks over a threat horizon running from the present to two years out.

Today, many of the online fraud losses have migrated to the FSO’s customer. With online security generally strong, many fraud attack vectors have moved to the customer. Take this into account in your risk assessment.

To help complete this risk assessment, below are some sample tables that can be created to help quantify the threats and the risk to transactions.

Sample List of Online Security Threats

| Threat | Description | Probability (1-10) | Severity (1-10) | Bank Loss | Customer Unreimbursed Loss |
|---|---|---|---|---|---|
| Credential Stuffing | Ability for fraudster to validate FSO credentials | 10 | 10 | Yes | No |
| Consumer Email Compromise | Fraudster compromises consumer’s email account and sends fraudulent home closing wire instructions | 5 | 10 | No | Yes |
| OTP Compromised | Fraudster social engineers the OTP or there is a SIM swap or phone porting | 5 | 5 | Yes | Yes |

Sample List of Transactions by Customer and Channel

| Channel (web, mobile, call center) | Customer Type (Commercial, Small business, High Net Worth, Consumer) | Transaction | Current Controls | Security Gap | Possible Solution |
|---|---|---|---|---|---|
| Web | Consumer | Wire | IP/device and OTP | Weak OTP MFA | FIDO2/WebAuthn MFA |
| Web | Commercial | Wire | IP/device, hard token, malware detection, and anomaly detection | Cannot identify all malware and BEC fraud transactions | Improve the anomaly detection |

Citations:

[1] FFIEC Authentication and Access to Financial Institution Services and Systems Guidance, 2021, page 3.

[2] NIST SP 800-63-3, Appendix A Definitions and Abbreviations

[3] https://q6cyber.com/blog/otp_bots_are_a_growing_threat/, Jessica Kelley, Q6 Cyber, December 6, 2021

[4] https://www.wsj.com/articles/amazon-outage-disrupts-lives-surprising-people-about-their-cloud-dependency-11638972001 December 8, 2021 Wall Street Journal

[5] FFIEC Authentication and Access to Financial Institution Services and Systems Guidance, 2021, page 9

[6] https://www.darkreading.com/emerging-tech/rise-in-api-based-attacks-underscore-investments-in-new-tools, December 15, 2021.

[7] FFIEC Authentication and Access to Financial Institution Services and Systems Guidance, 2021, page 10.