How Authentication in Internet Banking Works


Once considered unique to each individual, the human voice has been shown by artificial intelligence to be convincingly cloneable. In banking, this means that voice-based biometric passwords are no longer the fail-proof layer of unhackable authentication bank users hoped they would be. These new frontiers in Internet banking make up the Wild West of the authentication industry.

Luckily, the Federal Financial Institutions Examination Council (FFIEC) acts as a kind of sheriff, providing guidance for industry best practices. The FFIEC addresses some of the most long-standing security threats known when it comes to verifying the identity of a new or established user. The latest guidance on “Authentication and Access to Financial Institution Services and Systems” arrived in 2021, supplanting previous advice. In this document, the council “describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the online products and services.”

What is FFIEC’s authentication in an Internet banking environment?

You expect to present identification when you open a bank account. To use a bank account online, you must log in to a website or bank application. Each login attempt includes authentication, the process of proving your previously verified identity. But it’s not just consumers with a bank account who should be authenticated. Consumer-permitted third parties (such as budgeting software that accesses bank data) and employees should also be authenticated to increase the safety of bank and user data and funds.

More than just a login issue, FFIEC authentication in an Internet banking environment refers also to proper management of emails used in banking, IT help desks, and call centers used by consumers. 

Recommendations for financial institutions include threat identification through detailed risk assessments to analyze the threat landscape, among other areas of guidance. 

Why Authentication in Internet Banking Matters

Think back to the Equifax data leak of 2017. The leak exposed personal information like names, dates of birth, addresses, and Social Security numbers. With that type of personal information exposure for millions of users in one hack alone, the ability of thieves to impersonate victims for financial crimes increases. These types of leaks and hacks are not uncommon. Consider the hack of information from users of 23andMe. As cybercrimes proliferate and personal data is made available, layers of authentication become crucial for business operations. In banking, authentication can be a final stop before fraudsters access a user account or a bank’s organizational network.

Luckily, compliance with authentication standards set out by the FFIEC can support compliance with consumer financial protection laws. 

How Authentication Works in Internet Banking Environments

Each institution is granted the leeway to apply its own standards in authentication. That’s because each institution has its own risk profile and uniquely intricate technological and operational practices. However, the FFIEC recommends the use of multi-factor authentication (MFA), which is defined as the use of something a user knows, something a user has, and something a user is. Memorized secrets, secrets that can be looked up, out-of-band devices, one-time passwords, biometrics, and cryptographic keys are all allowed.

Additionally, the guidance from the council recommends regular evaluation of all known security threat points. Notwithstanding the rise of social engineering (the use of manipulation and deceit to obtain personal identifying information from victims), continued vigilance against the use of simple passwords and single-password-only logins can help retail and commercial bank operations remain safe.

Trends and Updates in Internet Banking Authentication

As described by the FFIEC, old information systems can create uniquely fruitful opportunities for security attacks. In these systems, security patches may not be up to date for various reasons. But it’s not just long-serving and out-of-date systems that create challenges for security. Trends and updates in Internet banking authentication most often center on relatively recent developments like the increased use of third parties and application programming interfaces (APIs). 

Increasingly, even artificial intelligence presents the opportunity for fraud in surprisingly sophisticated ways. We discussed the possibility of cloning a voice to use over the phone as an ID in our introduction. This thwarts voice biometrics, but AI has also shown that it can take a single image of a person and animate it, potentially throwing a wrench in plans banks have to authenticate users by way of a photo ID coupled with a live selfie. This prospect looms large in a risk environment already rife with synthetic identity fraud. Creative solutions remain to be seen but are surely on the horizon.

BankersHub offers certifications for supervisors, managers, and top-performing staff to help them move up the ladder as leaders in banking. Our eBanking Professional Certification dives deep into topics like “FFIEC Guidance on Authentication in Internet Banking” and fraud. Our eBanking Specialist certification delves into topics such as “Understanding the Identity Theft Red Flags Rule” and “Mobile Security Threats” to enhance your mastery of these topics.
