Security Basics mailing list archives

Re: Bankers on FFIEC
From: "William M. Davis" <WDavis () Gawab Com>
Date: Thu, 15 Mar 2007 06:57:27 -0700


The FFIEC guidance is just that: it is guidance.  It also does not require
multi-factor authentication; it does require that banks do a risk assessment
and adequately protect their systems.  I agree that what most are doing is
not really multi-factor.  However, additional questions can increase the
level of security and help justify the continued use of single factor
authentication until better, cheaper, easier methods are developed.

William M. Davis, CISSP, CISA
WDavis () SecPro US

----- Original Message -----
From: "Ken Kousky" <kkousky () ip3inc com>
To: <security-basics () securityfocus com>
Sent: Wednesday, March 14, 2007 5:42 PM
Subject: Bankers on FFIEC

The FFIEC guidance on online banking calls for strong authentication,
applied based on appropriate risk analysis and they even spell out the three
factors of authentication and state that single factor password
authentication isn't adequate. Yet, I've found many banks adding additional
questions to the login sequence and thinking they've added another factor.

Does anybody have experience with this situation and understand how banks
are getting around the Guidance for Online Banking requirements?

