Fall 2006-02 Federal Deposit Insurance Corporation
Federal Deposit Insurance Corporation
Authentication in an Internet banking environment
The Federal Deposit Insurance Corporation issued its Financial Institution Letter FIL-77-2006 that clarifies a number of points on what the federal agencies that supervise financial institutions expect in connection with authentication of Internet banking transactions.
By the end of the current year financial institutions are expected to have completed a risk assessment of its authentication procedures.
Also by the end of 2006 they are expected to have implemented such risk mitigation measures as may prove necessary from the result of the assessment.
A financial institution may rely on an external provider (e.g., an outside entity that provides Internet banking services to the institution) to perform the risk assessment. However, the financial institution remains ultimately responsible for managing the risk. As such, it should perform adequate due diligence in selecting the service provider.
The risk assessment exercise should specifically consider the risks of “phishing,” “pharming” and “malware,” as well as reputation risk, harm to the customer and transaction risk.
|According to the Wikipedia online encyclopedia:
“Phishing” is attempting to acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.
“Pharming” is a hacker’s attack aiming to redirect a website’s traffic to another (bogus) website.
“Malware” is software designed to infiltrate or damage a computer system without the owner’s informed consent.
The financial institution remains ultimately responsible for the adequate authentication of transactions that involve access to customer information or movement of funds. Again, if it employs an external provider, it must ensure that the authentication techniques chosen by the provider are appropriate for the services offered by the institution.
© 2006 Goldman Antonetti & Cordóva, LLC