Conduct risk assessments for access and authentication to digital banking and information systems.
Identify all users and customers who require authentication and access controls, and assess whether they need enhanced controls such as multi-factor authentication.
Implement layered security to protect against unauthorized access.
Monitor, log and report activities to identify and track unauthorized access.
Verify the identity of users and customers.
“Data breaches at financial institutions … have exposed information and credentials of customers and employees,” according to the guidance. “Attackers use technologies, such as automated password cracking tools, and these compromised credentials in their attacks against financial institutions … These types of attacks demonstrate that certain authentication controls, previously shown effective, no longer provide sufficient defense against evolving and increasingly sophisticated methods of attack.
“In particular, malicious activity resulting in compromise of customer and user accounts and information system security has shown that single-factor authentication, either alone or in combination with layered security, is inadequate in many situations.”
The report arrives at a time when financial fraud cases are on the rise: Three-fourths of financial professionals reveal that their organization was the target of payment scams in 2020, and nine of ten say these incidents have either grown in frequency or have remained consistent compared to the number of schemes in 2019. (Only one in ten professionals say attacks are on the decline.)
In addition, Verizon’s 2021 Data Breach Investigations Report indicates that the financial industry accounted for 467 of an estimated 5,260 breaches analyzed in the report, which is #4 overall among all sectors. These organizations also suffered the second-highest average cost of a data breach at $5.72 million (behind only the healthcare industry), which is nearly $1.5 million higher than the global average for all sectors, according to the 2021 Cost of a Data Breach Report from the Ponemon Institute and IBM Security.
As part of a response to the developments, the FFIEC recommends the multi-factor authentication of users, including the deployment of behavioral biometrics software which analyzes the “characteristics of a customer, such as the customer’s interaction with a mobile phone or other access device, in order to authenticate the customer,” according to the guidance. “Behavioral biometric analysis can include data such as the customer’s finger swipes, taps, keystrokes and mouse usage.”
The FFIEC also reports that the detection of anomalies in user/customer behavior can alert management to unauthorized access in attempts to commit fraud.
At BehavioSec, we’re seeing first-hand how our behavioral biometrics solutions empower banking/financial institution customers to effectively respond to both authentication and fraud challenges:
Our tools enable them to achieve multifactor authentication that is both accurate and friction-free. Their security teams now unobtrusively authenticate users by analyzing how they physically interact with devices. As the FFIEC noted, they do this through profiles which store how individual customers hold smartphones in their hands, type on keyboards, move their cursors, use touchscreens, etc. People interact with their devices in distinct ways – and criminals can’t impersonate these signatures.
As indicated, the entire authentication process is friction-free. It never asks customers to answer biographical questions such as “What was the name of your elementary school?” or “What is your favorite movie?” (Questions that cyber criminals scour social media or breached data bases for, in seeking answers posted by targeted victims.) Nor do users have to solve tedious CAPTCHA or other challenges. In fact, they do not need to do anything additional to gain secure access to accounts or transactions. From a user perspective, behavioral biometrics-enabled multifactor authentication is completely “invisible.”
The FFIEC guidance is nothing new to us. We’ve been working on innovations in behavioral biometrics for years to block financial fraud attempts as they happen, and provide continuous and friction-free user authentication. We understand our customer’s challenges because we immerse ourselves in their world, and develop/improve our solutions based upon the needs and pain points they share with us. If you’d like to know more about how we can help you, then please contact us.