The Arcot Advisor - Did You Know

Oh Brother, How Safe Art Thou?

The FFIEC (Federal Financial Institutions Examination Council) guidance is a significant step by regulators to address ID theft and fraud and their online impact. It moves the industry in the right direction: authentication beyond usernames and passwords. But it doesn't solve the underlying identity theft problem; therefore, compliance doesn't translate into a carefree consumer environment.

No direct protection

The FFIEC offers no direct protection for the consumer, the primary victim of identity theft. Unlike earlier FDIC and FTC regulations (the Electronic Fund Transfer Act and the Fair Credit Billing Act) that capped consumers' liability on stolen credit or debit cards, the FFIEC guidance does not. Consumers who fall for phishing schemes gain no legal protection against fraudulent transactions. Instead, the guidance merely directs financial institutions to improve their online portals.

Measuring effectiveness

The FFIEC offers no means to measure the effectiveness of any identity theft solution a financial institution uses to comply with its guidance. The guidelines mandate no targets for reducing the number of attacks or for the effectiveness of the solutions in stopping attacks. Without a measurement that defines success, financial institutions have chosen solutions that mix improved site authentication, risk-based authentication and strong authentication. The goal of improved site authentication is to give consumers a way to know whether they are at an official bank site rather than a fraudulent one. Risk-based authentication or fraud detection, unfortunately, only increases the probability that the person logging into the account is authentic. The bank evaluates each access to the consumer's online account to determine whether it is out of the ordinary for that person: Was the log-in from a kiosk instead of a home computer? From a foreign location? At an unusual time? Did it perform an unusual action? If the access is not typical, the bank performs additional checks, such as calling the individual's phone number, to confirm any online activity.

Need for standard requirements

Without a requirement to continuously measure and reduce fraud, more sophisticated attackers will counter existing solutions quickly. Upon implementing a solution, some banks are already finding that attacks are changing based on the authentication method they use. The FFIEC, FDIC and other agencies can help protect these users with regulations that limit users' liability and offer them a clear path to regain their stolen identities. We can cancel a stolen credit card, but we can't cancel a social security number, our mother's maiden name or a birth date. At present, this means it's still up to the individual to protect personal information as best as possible.

To read the full version of "Oh Brother, How Safe Art Thou?", click here (PDF, 3.9 MB). To read the SC Magazine article, click here.
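The risk-based authentication described above (compare each access against what is ordinary for that customer, and step up to an out-of-band check when it is not) can be illustrated with a small scoring engine. This is an added example, not Arcot's product or code from the article; the signal weights, the step-up threshold, the user names and the login history are all constructed for illustration and would be tuned from real fraud data in a deployment. It also shows the article's caveat in action: a single mild anomaly (an unfamiliar device from the usual country at the usual time) stays below the threshold and is allowed, which is why such checks only raise the probability that the session is genuine rather than proving it.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

@dataclass
class LoginEvent:
    user: str
    timestamp: datetime
    device: str     # e.g. "home_pc", "mobile", "kiosk"
    country: str    # ISO-style country code of the client address
    action: str     # e.g. "view_balance", "pay_bill", "wire_transfer"

@dataclass
class UserProfile:
    """Baseline of what is 'ordinary' for one customer, learned from past logins."""
    devices: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    actions: Set[str] = field(default_factory=set)

# Constructed weights: how much each out-of-the-ordinary signal adds to the risk score.
WEIGHTS = {
    "unknown_device": 30,
    "kiosk": 20,
    "unknown_country": 40,
    "unusual_hour": 15,
    "unusual_action": 25,
}
STEP_UP_THRESHOLD = 40  # constructed: at or above this, demand an additional check

def build_profiles(history: List[LoginEvent]) -> Dict[str, UserProfile]:
    """Fold past (trusted) logins into a per-user baseline."""
    profiles: Dict[str, UserProfile] = {}
    for ev in history:
        p = profiles.setdefault(ev.user, UserProfile())
        p.devices.add(ev.device)
        p.countries.add(ev.country)
        p.hours.add(ev.timestamp.hour)
        p.actions.add(ev.action)
    return profiles

def _hour_is_usual(hour: int, usual: Set[int]) -> bool:
    # Within one hour (wrapping around midnight) of any hour seen before.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in usual)

def score_event(ev: LoginEvent, profiles: Dict[str, UserProfile]) -> Tuple[int, List[str]]:
    """Return (risk score, list of triggered signals) for one access."""
    p = profiles.get(ev.user)
    if p is None:
        return 100, ["no_history"]  # never-seen user: nothing to compare against
    score, reasons = 0, []
    if ev.device not in p.devices:
        score += WEIGHTS["unknown_device"]; reasons.append("unknown_device")
    if ev.device == "kiosk":  # shared machine: higher keylogger/shoulder-surfing risk
        score += WEIGHTS["kiosk"]; reasons.append("kiosk")
    if ev.country not in p.countries:
        score += WEIGHTS["unknown_country"]; reasons.append("unknown_country")
    if not _hour_is_usual(ev.timestamp.hour, p.hours):
        score += WEIGHTS["unusual_hour"]; reasons.append("unusual_hour")
    if ev.action not in p.actions:
        score += WEIGHTS["unusual_action"]; reasons.append("unusual_action")
    return score, reasons

def decide(ev: LoginEvent, profiles: Dict[str, UserProfile]) -> Tuple[str, int, List[str]]:
    """'allow' the session or 'step_up' to an out-of-band confirmation (e.g. a phone call)."""
    score, reasons = score_event(ev, profiles)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), score, reasons

# Constructed login history for a hypothetical customer "alice".
SAMPLE_HISTORY = [
    LoginEvent("alice", datetime(2006, 2, 1, 19, 30), "home_pc", "US", "view_balance"),
    LoginEvent("alice", datetime(2006, 2, 8, 20, 10), "home_pc", "US", "pay_bill"),
    LoginEvent("alice", datetime(2006, 2, 15, 21, 0), "home_pc", "US", "view_balance"),
]

if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_HISTORY)
    for ev in [
        LoginEvent("alice", datetime(2006, 3, 1, 20, 5), "home_pc", "US", "view_balance"),
        LoginEvent("alice", datetime(2006, 3, 2, 3, 0), "kiosk", "RO", "wire_transfer"),
        LoginEvent("alice", datetime(2006, 3, 2, 20, 0), "mobile", "US", "pay_bill"),
    ]:
        print(ev.device, ev.country, ev.action, "->", decide(ev, profiles))
```

The decision is only as good as the baseline and the weights: a phished customer who enters credentials on their own PC at the usual hour scores zero here, which is exactly the gap the article points at.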