The federal agency responsible for enforcing security guidelines at financial institutions has issued new rules for protection against the recent rise in cybercrime.
The Federal Financial Institutions Examination Council (FFIEC) has updated its guidance from 2005 to reflect the new security measures necessary to fend off increasingly sophisticated hacker groups.
The council is composed of several agencies, and its supplement to the old rules is a response to the wave of major security breaches at companies, government agencies, and financial institutions.
“The Agencies are concerned that customer authentication methods and controls implemented in conformance with the Guidance several years ago have become less effective,” the FFIEC stated in its new guidance.
Recently, a data breach at Citi compromised over 360,000 customer credit card accounts and resulted in a loss of $2.7 million, looted by hackers. The realization that security at major financial institutions – holding customer funds and private information – can be cracked is cause for revising prevention methods.
“Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security,” said the FFIEC.
Financial institutions are instructed to utilize improved security protocols involving fraud monitoring and detection; periodic risk assessments; the use of dual customer authorization through different access devices; and the use of techniques to limit transactional use of an account.
Finally, the FFIEC places emphasis on customer awareness and education so customers understand what to do in the event of suspicious activity and so they do not leave their accounts vulnerable to malicious software and outside intruders.
But there are no specific directions by the FFIEC that financial institutions must follow. They are simply guidelines that dictate how security measures are supposed to operate, without mention of the precise tools required.