Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Bankers on FFIEC

From: "William M. Davis" <WDavis () Gawab Com>
Date: Thu, 15 Mar 2007 06:57:27 -0700
Ken,

The FFIEC guidance is just that it is guidance.  It also does not require
multi-factor authentication; it does require that banks do a risk assessment
and adequately protect their systems.  I agree that what most are doing is
not really multi-factor.  However, additional questions can increase the
level of security and help justify the continued use of single factor
authentication until better, cheaper, easier methods are developed.

William M. Davis, CISSP, CISA
WDavis () SecPro US
----- Original Message ----- From: "Ken Kousky" <kkousky () ip3inc com> 
To: <security-basics () securityfocus com>
Sent: Wednesday, March 14, 2007 5:42 PM
Subject: Bankers on FFIEC



The FFIEC guidance on online banking calls for strong authentication,
applied based on appropriate risk analysis and they even spell out the three 
factors of authentication and state that single factor password
authentication isn't adequate. Yet, I've found many banks adding addition
questions to the login sequence and thinking they've added another factor.

Does anybody have experience with this situation and understand how banks
are getting around the Guidance for Online Banking requirements?

KWK
Previous By Date Next
Previous By Thread Next

Current thread: