New FFIEC Guidance Will Benefit SMBs

Published: 22/11/2024   Category: security




New rules that call for banks to implement anomaly detection will help catch man-in-the-browser attacks and the fraud they enable, experts say



The Federal Financial Institutions Examination Council's (FFIEC) newly tightened regulations, which will compel financial institutions to install better means of online banking fraud detection, could greatly aid small businesses, which have been a particular target of cybercriminals of late. The regulations come by way of the FFIEC's release of the first updated version of the Authentication in an Internet Banking Environment guidance since it was created in 2005.
A lot has changed in the online risk landscape since then, and security experts have long been clamoring for an update from the FFIEC, maintaining that the outdated guidance from the regulator was putting bank customers at risk.
"Clearly the time was right for the FFIEC to put something out to provide more specific and enhanced guidance to face today's threats, both in terms of what the criminals are doing, how they're attacking the end users, and in the amount of money that has been siphoned out itself," says Tiffany Riley, vice president of marketing for Guardian Analytics, a fraud detection software firm.
The old guidance focused mainly on getting banks to offer two-factor authentication for greater security, but it did not require other layers of security, such as anomaly detection to prevent fraud, or encourage general risk management practices within the online banking environment. As a result, many banks have been able to use the regulation as a legal shield, installing little more than skimpy two-factor authentication technology and, when that is circumvented and a business customer is stolen from, claiming in court that they had followed due diligence through FFIEC compliance.
In particular, small businesses have suffered greatly from the regulation's shortcoming and their banks' subsequent legal arguments. Banks rarely extend the same fraud reversal for business accounts as they do for consumer accounts, and small businesses don't have the same kind of pull with their financial institutions to demand better security as large organizations do. They also don't have as much budget for in-house security.
"The agreements that small businesses have with the banks are that, essentially, as long as the bank uses commercially reasonable security, which is pretty much defined as what other banks are doing, the small business is held liable. I've estimated that over the last couple of years, SMBs have lost a quarter of a billion dollars to bank fraud," says George Tubin, senior research director for TowerGroup and a participant in the process to help revise the guidance. Typically, the client doesn't recover anything when they settle out of court with their bank for a fraction of their losses, and very few actually make it into an actual hearing.
Such was the case recently with PATCO Construction, which in 2009 saw $500,000 sluiced from its Oceans Bank commercial account after a malware attack made away with its authentication credentials. A judge recently threw the case out against Oceans without it ever going to trial.
Effective Jan. 1, 2012, the new FFIEC guidance (PDF) will require banks to use anomaly detection software and risk management best practices.
"The key piece is anomaly detection. The problem is that the technologies we have in place are good against most types of fraud, but they don't do very well against what we call man-in-the-browser types of fraud, which could get by the authentication that's typically put in place," Tubin says. "The anomaly detection is sort of that second layer of defense, so if a criminal does get in, let's try to identify that that happened and let's look at what transactions they're doing and what behaviors they're exhibiting, and hopefully we can see that there's potential fraud happening."
The guidance also specifically calls out greater protection for business banking customers, which were not mentioned before -- a fact that had many banks assuming the regulation was solely consumer-focused.
"I think if the banks will adopt this, and not just to check the box, but adopt this with the truest sense of using risk management to secure the existing authentication, all customers would benefit, not just small business," says Ori Eisen, founder and CIO of 41st Parameter, a fraud detection software company.
In spite of the looming deadline, SMBs probably shouldn't expect all banks to be on board by the turn of the year. According to Tubin, regulators will require banks to have deployment plans in place by the deadline, not necessarily full installations. In the meantime, he believes SMBs should scrutinize more carefully where they put their money by asking for greater risk-mitigating measures.
"Trying to find the banks that do more than the bare minimum is key. There are things that the small business can do, as well, as far as account restrictions that the bank may offer, sort of limiting the amount of money that can flow in and out, or limiting the amount of privileges of each of the users that are getting into the accounts," he says. "Maybe use things like reverse-positive pay or alerts so if a transaction does happen or a transaction comes in, they can see that right away and determine whether or not they want to allow it to go through. So if the bank offers some of these types of capabilities, I think it's something they should absolutely look into."
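To make concrete the two layers Tubin describes in the passages above, a behavioural second layer that watches what an authenticated session does, plus the account restrictions a bank can offer (a daily outflow cap, per-user privilege limits, and hold-and-confirm alerts), here is an added example written for this page. It is not code from any bank or from the vendors quoted; the account, users, payees, amounts and thresholds are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass(frozen=True)
class Transfer:
    account: str
    user: str
    payee: str
    amount: float
    ts: datetime

# Constructed baseline and policy for one small-business account (not real data).
HISTORY = [
    Transfer("acct-1", "bookkeeper", "Payroll Co", 3800.0, datetime(2024, 11, 1, 9, 5)),
    Transfer("acct-1", "bookkeeper", "Supplier A", 2100.0, datetime(2024, 11, 4, 10, 30)),
    Transfer("acct-1", "bookkeeper", "Payroll Co", 3950.0, datetime(2024, 11, 15, 9, 10)),
]
DAILY_LIMIT = 25000.0                                     # cap on money flowing out per day
USER_LIMITS = {"bookkeeper": 10000.0, "clerk": 1000.0}   # per-user single-transfer privilege
HARD_BLOCKS = {"daily_limit", "user_privilege"}          # restrictions are enforced, not scored

def anomaly_reasons(t, history):
    # Second layer: judge what the logged-in session is doing, not how it authenticated.
    past = [h for h in history if h.account == t.account]
    reasons = []
    if t.payee not in {h.payee for h in past}:
        reasons.append("new_payee")
    if past and t.amount > 2 * max(h.amount for h in past):
        reasons.append("amount_outlier")
    if any(timedelta(0) <= t.ts - h.ts < timedelta(hours=1) for h in past):
        reasons.append("burst")   # this account never sends two transfers within an hour
    return reasons

def restriction_reasons(t, history):
    # Account restrictions the bank can offer: daily outflow cap and per-user privilege cap.
    same_day = sum(h.amount for h in history if h.account == t.account and h.ts.date() == t.ts.date())
    reasons = []
    if same_day + t.amount > DAILY_LIMIT:
        reasons.append("daily_limit")
    if t.amount > USER_LIMITS.get(t.user, 0.0):
        reasons.append("user_privilege")
    return reasons

def decide(t, history):
    # Returns (action, reasons): block, hold for customer confirmation, or allow.
    reasons = restriction_reasons(t, history) + anomaly_reasons(t, history)
    if HARD_BLOCKS & set(reasons):
        return "block", reasons
    if len(reasons) >= 2:   # alert the customer and hold until confirmed, positive-pay style
        return "hold_for_confirmation", reasons
    return "allow", reasons
```

A stolen credential passes the first layer unchanged; what the second layer sees is a new payee, an amount outside the account's history and a burst of transfers, and the hard caps bound the loss even if the scoring is wrong.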