Two of my favorite words are demystify and lucid. According to The American Heritage® Dictionary of the English Language, Fourth Edition, demystify means to make less mysterious or remove the mystery from. Lucid is defined as easily understood or intelligible.
The FFIEC guidance from Oct. 12, 2005, Authentication in an Internet Banking Environment, has yet to be demystified or achieve even a remote status of lucidity.
Clarity on the horizon?
On Friday, December 2, 2005 more than 100 BITS Financial Services Roundtable members and senior officials from four of the agencies (FDIC, Federal Reserve Board, Office of Thrift Supervision and the Office of the Comptroller of the Currency) involved in drafting this now infamous guidance participated in a conference call. Truth be told, no GonzoBankers were invited to this call; our legal team, headed up by Señor Hodge, is demanding answers to how such an injustice could have occurred. Nevertheless, our Gonzo intelligence team uncovered a highlights document from this conference call. We feel it is our duty to inform our loyal constituents about some of FFIEC’s clarifying responses. Included with the following responses are questions and/or comments Gonzo would have asked or made if … well, you know.
This last statement was by far my favorite of the 51 questions answered:
What this means, of course, is that there will be no consistency in how examinations are conducted because each FFIEC agency will have its own interpretation of the guidance. I feel better already.
GonzoBankers, let’s get serious for a moment. Why are we having such a difficult time with this one FFIEC guidance? It is not as if we haven’t had to comply with other guidelines in the past. Maybe it is the Internet factor and we just are not sure where to start. Or maybe it has been all the noise from a few PR-driven vendors scaring the hell out of us and then quickly proclaiming, “We have your silver bullet.” Or possibly it’s because (as pointed out above) even FFIEC isn’t sure what it is looking for. My guess is it’s a little bit of all of that plus a whole lot more.
View the Internet like a new branch
For just a moment, let’s forget about the FFIEC guidance and think about building a new branch.
When you build a new branch, is your only security measure a lock on the front door? Besides the lock on the front door, at most branches you employ some, if not all, of the following:
Hopefully you are starting to get the picture. The Internet channel has matured; consequently, the potential risks and threats have also matured. Therefore, it is time we begin to view our online banking, oops, electronic banking security just as we do all other forms of bank security – a little more thought and some big picture thinking can go a long way. That said, why not start by doing a risk assessment? Novel idea, huh?
You may actually find that you don’t need to do anything because the functionality offered via your electronic banking is deemed by the bank to be low risk. On the other hand, you may find the results of your risk assessment warrant updating your résumé, because it is only a matter of time before the contents of the vault are electronically transferred via the Internet to some remote island off the coast of Greenland. Or maybe you consider your job done because you jumped on the bandwagon and changed the lock on the Internet front door. Possibly, but what happens if that lock is picked? Will you even know it happened? If it is picked, what will you do about it once the fraud and theft have occurred?
Spotlighting some lesser known solutions
There are a few vendors who seem to be hogging all the press these days surrounding this particular FFIEC guidance: RSA Security (proud owner of Cyota and recently Passmark), Corillian and Digital Insight. In the spirit of Gonzo we feel it is appropriate to highlight some other solutions that you may not have heard of because they don’t have the PR mechanics of some of these folks. That said, here is where the disclaimer comes in: Cornerstone Advisors and GonzoBanker do not endorse any of the following vendors, nor do we recommend their solutions.
Following Part 1 of this series I received a dozen or so calls from vendors wanting to demo their solutions to me. Believe it or not, I agreed to about half of them and decided to simply point out three companies that I believe stood out from the pack. Each company chosen does more than just change the lock, so to speak, on your electronic banking front door – not that changing the lock won’t work for your bank. Okay, enough legal disclaimer stuff.
Cydelity
Founded: September 2003
Headquarters: Santa Clara, CA
Cydelity maintains that its solution is the only integrated login authentication and transaction monitoring solution that detects, isolates and prevents online fraud. Cydelity’s solution is non-intrusive; behind the scenes it monitors and validates all online banking traffic in real time. Cydelity’s Web site outlines the six levels covered by its multi-factor advanced analytics and behavior modeling security solution.
Key differentiators from other well-known vendors as described by Cydelity during our briefing:
The last thing Cydelity wanted me to know was that its first step in any engagement is performing a risk assessment.
iovation
Founded: 2004 (the iovation technology has been running in production environments since 2002)
Headquarters: Portland, OR
Clients: First Financial Equities, Citadel Commerce, Navaho Networks, UltimateBet.com, Bodog.com, FullTilt.com, AbsolutePoker.com
Iovation’s mantra is, “Reputation is everything.” When iovation speaks of reputation, it is usually referring to the reputation of a device. Iovation pioneered a device recognition and reputation technology called Device Reputation Intelligence (DRI), which it explained consists of two core elements:
I prefer to see things in pictures, so iovation gave me permission to reprint the following:
In Gonzo speak, iovation builds and tracks reputations for individual devices, then stores those reputations in a giant repository. I guess iovation to devices is kind of like Santa Claus – who knows if you’ve been good or bad. Iovation’s list may not be as large as Santa’s; at the moment the company states it is tracking more than 2 million devices connected to the Internet and processing well over 100 million device recognitions and reputations annually.
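To make the two ideas above concrete (Cydelity’s pairing of login authentication with real-time transaction monitoring, and iovation’s repository of per-device reputations), here is an added illustration in Python. It is not code from either vendor or from this article; the fingerprint attributes, the scoring weights, the 3x-baseline rule and the sample accounts and payees are all constructed assumptions chosen to show the mechanics of “will you even know the lock was picked?”

```python
import hashlib
from collections import defaultdict

# Client attributes we assume are reported at login (constructed list, not a vendor's).
FINGERPRINT_KEYS = ("user_agent", "screen", "timezone", "plugins")


def device_fingerprint(attrs):
    """Derive a stable device identifier from reported client attributes (order-independent)."""
    canonical = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_KEYS)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


class ReputationStore:
    """Repository of per-device evidence: confirmed fraud and the accounts a device has used."""

    def __init__(self):
        self.fraud_reports = defaultdict(int)
        self.accounts_seen = defaultdict(set)

    def record_login(self, device_id, account):
        self.accounts_seen[device_id].add(account)

    def record_fraud(self, device_id):
        self.fraud_reports[device_id] += 1

    def score(self, device_id):
        """Risk from 0 (unknown or clean) to 100 (confirmed bad). Weights are assumptions."""
        risk = 50 * self.fraud_reports[device_id]
        distinct = len(self.accounts_seen[device_id])
        if distinct > 3:  # one device touching many accounts is a classic fraud signal
            risk += 10 * (distinct - 3)
        return min(risk, 100)


class TransactionMonitor:
    """Per-account baseline of past transfers; flags outliers and never-seen payees."""

    def __init__(self, multiplier=3.0):
        self.amounts = defaultdict(list)
        self.payees = defaultdict(set)
        self.multiplier = multiplier

    def record(self, account, amount, payee):
        """Add an approved transaction to the baseline (flagged ones are kept out of it)."""
        self.amounts[account].append(amount)
        self.payees[account].add(payee)

    def assess(self, account, amount, payee):
        """Return a list of reasons the transaction looks abnormal; empty means routine."""
        reasons = []
        history = self.amounts[account]
        if history:
            baseline = sum(history) / len(history)
            if amount > self.multiplier * baseline:
                reasons.append(f"amount {amount:.2f} exceeds {self.multiplier:g}x baseline {baseline:.2f}")
            if payee not in self.payees[account]:
                reasons.append(f"first transfer to payee {payee}")
        return reasons


def decide(device_risk, reasons):
    """Layered decision: bad device -> deny; odd transaction -> step-up verification; else allow."""
    if device_risk >= 50:
        return "deny"
    if reasons:
        return "step-up"
    return "allow"


def run_scenario():
    """Constructed walk-through of one customer account and three devices."""
    store, monitor = ReputationStore(), TransactionMonitor()
    home_pc = device_fingerprint({"user_agent": "Mozilla/5.0 (Windows NT 5.1)", "screen": "1280x1024",
                                  "timezone": "-7", "plugins": "flash,java"})
    other_pc = device_fingerprint({"user_agent": "Mozilla/5.0 (X11; Linux)", "screen": "1024x768",
                                   "timezone": "+2", "plugins": ""})
    hub_pc = device_fingerprint({"user_agent": "Mozilla/5.0 (Macintosh)", "screen": "1440x900",
                                 "timezone": "+0", "plugins": "java"})
    # Normal history: three utility payments from the home PC.
    for amt in (120.0, 80.0, 100.0):
        store.record_login(home_pc, "acct-1001")
        monitor.record("acct-1001", amt, "electric-co")
    results = {}
    # Routine bill from the known device: nothing to flag.
    results["routine"] = decide(store.score(home_pc), monitor.assess("acct-1001", 95.0, "electric-co"))
    # Large transfer to an unseen payee, still from the home PC: lock was not picked, but behaviour changed.
    results["outlier"] = decide(store.score(home_pc), monitor.assess("acct-1001", 2000.0, "offshore-account"))
    # A device with a confirmed fraud report tries a routine-looking payment.
    store.record_fraud(other_pc)
    results["bad_device"] = decide(store.score(other_pc), monitor.assess("acct-1001", 95.0, "electric-co"))
    # A clean device that has logged in to five different accounts.
    for n in range(5):
        store.record_login(hub_pc, f"acct-{2000 + n}")
    results["many_accounts"] = (store.score(hub_pc), decide(store.score(hub_pc), []))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point of the layering is that neither piece alone answers the article’s question. The device score catches a known-bad or account-hopping device even when the login credentials are correct, and the transaction baseline catches a legitimate device whose credentials have been stolen; flagged transactions are deliberately kept out of the baseline so an attacker cannot “train” the monitor with a few small transfers first.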
The 41st Parameter
Founded: March 2004
Headquarters: Scottsdale, AZ
Clients: American Express, Neiman Marcus, 2Checkout.com, Digital River, Abebooks
41st Parameter describes its solution as covert and near real-time, offering the following market solutions:
The company’s ImageMask solution is the first I have seen that addresses online check fraud.
During our conversation, 41st Parameter highlighted the following attributes of its market solutions:
PhishingNet provides account login and activity monitoring for banks.
FraudNet authenticates purchases for merchants.
The company summarized its approach with the following:
GonzoBankers, there are numerous security solutions that will allegedly meet the FFIEC compliance guidelines, but just meeting the guidelines will not make the issue of security and electronic banking threats disappear. The problem will continue to grow, that I can promise. In highlighting the aforementioned vendors, I wanted to point out that some solutions can quickly assist you in changing the lock on the front door of your Internet bank. Others go well beyond just being locksmiths.
In the immortal words of Dylan Thomas: “Do not go gentle into that good night.”
Read parts 1 and 3 of this series:
Security, Compliance, and the Costs….Oh My!
“Stupid Is As Stupid Does” — Security, Compliance and the Costs… Oh My! The Last Chapter