mailing list archives
Re: Bankers on FFIEC
From: "William M. Davis" <WDavis () Gawab Com>
Date: Thu, 15 Mar 2007 06:57:27 -0700
The FFIEC guidance is just that it is guidance. It also does not require
multi-factor authentication; it does require that banks do a risk assessment
and adequately protect their systems. I agree that what most are doing is
not really multi-factor. However, additional questions can increase the
level of security and help justify the continued use of single factor
authentication until better, cheaper, easier methods are developed.
William M. Davis, CISSP, CISA
WDavis () SecPro US
----- Original Message -----
From: "Ken Kousky" <kkousky () ip3inc com>
To: <security-basics () securityfocus com>
Sent: Wednesday, March 14, 2007 5:42 PM
Subject: Bankers on FFIEC
The FFIEC guidance on online banking calls for strong authentication,
applied based on appropriate risk analysis and they even spell out the
factors of authentication and state that single factor password
authentication isn't adequate. Yet, I've found many banks adding addition
questions to the login sequence and thinking they've added another factor.
Does anybody have experience with this situation and understand how banks
are getting around the Guidance for Online Banking requirements?