Patrick Colm Audley


Hacker · Full-Spectrum Technologist · Polymath

What Is FFIEC Compliance?

Series: Tech Buzzwords of the Week · Publisher: TechTarget / WhatIs.com · Duration: 12:23 · 128 kbps · 44100 Hz

This episode of the WhatIs.com podcast looks at the FFIEC's effort to modernize banking practices in the face of new online threats such as phishing. Assistant editor Alex Howard interviews Patrick Audley, CTO of the risk-adaptive authentication provider Cogneto. Topics covered: how implementing the FFIEC recommendations changes the way customers use their banks; the difference between single-factor and multi-factor authentication; whether fingerprint, iris-scan or voice-recognition systems satisfy the FFIEC guidance; how dynamic reporting lowers fraud rates and what real-time risk analysis is; the penalties for non-compliance; and the main point at which money is stolen in a phishing attack.

Topics: ffiec, compliance, fintech-regulation, multi-factor-authentication, phishing, real-time-risk-analysis

Transcript

Alex Howard

Hello, and welcome to the Tech Buzzwords from Webopedia.com, the online IT encyclopedia and learning center. I'm Alex Howard, assistant editor at Webopedia.com. We invite you to visit Webopedia.com, the secret of those who always seem to know it all, and sign up for the Word of the Day newsletter; learn one new thing every day.

This week, the buzzword is FFIEC compliance. To learn more about this new topic, which is affecting the online security and banking industry, I recorded an interview with Patrick Audley, the CTO of Cogneto, who helped me explore cognitive biometrics and passthoughts in an earlier podcast.

On the phone today, I've got Patrick Audley, the CTO of Cogneto. We're going to talk a little bit about FFIEC compliance. Compliance is on many security admins' minds, as it should be. As I understand it, in late 2005, the Federal Financial Institutions Examination Council, heretofore referred to as the FFIEC, which comprises the United States' five federal banking regulators, published joint guidance entitled "Authentication in an Internet Banking Environment," which recommended that financial institutions deploy security measures to reliably authenticate their online banking customers. And in the publication, they made it clear that they consider single-factor authentication as the only control mechanism inadequate, and strongly recommended that all financial institutions undertake a comprehensive assessment of the risks associated with their online banking services. Um, the five regulators involved stated that financial institutions are expected to achieve this compliance by the end of 2006, which of course is only a few short weeks away. So Patrick, can you explain what exactly FFIEC compliance is?

Patrick Audley

In a nutshell, it's an industry-led attempt by the banking industry; although it comes out of federal regulators, it has been driven by the industry itself, by the insurance firms that insure the industry, and by the regulators and auditors in the industry. And it's really an attempt to modernize a lot of the existing banking practices. They really haven't been looked at in an online context for years. And of course, the online threats have changed greatly since the last time these rules were updated. So we feel this is really overdue in the industry. Unfortunately, the deadline they gave is very, very short.

Alex Howard

So if you haven't looked at it yet, what steps does an organization have to take to become FFIEC compliant?

Patrick Audley

Well, there's actually quite a few of them. The guidelines are very broad. Most people tend to focus on the authentication requirements because other areas of their banks will be addressing the risk compliance and the other areas like that. But authentication particularly is probably the hardest part of the guidance that was published. And it's hard because it involves changing the way that actual people use their online bank.

Alex Howard

Well, I can say that my online bank, which is a cooperative bank in the Boston area here, did actually change their online authentication options. I literally had to, instead of having one screen to go to and enter a username and password, I go to one screen, enter a username, and then go to the next one where I enter the password. Very simple change, but they spent quite a bit of time familiarizing all the users with it and reminding us of it, and then actually shifting us over in November. And I imagine all the other banks need to be going through the same process. But as I understand it, there's actually different kinds of schemes that are under discussion as being at issue. And to go back to an earlier point, single-factor authentication is inadequate. Can you tell me a bit more about the difference between single-factor authentication and two-part or multiple-factor authentication schemes?

Patrick Audley

Sure. The guidance was really interesting in that it did state, instead of saying username and password wasn't good enough, it stated very specifically that any single factor isn't good enough. Now that also means that a bank can't say, "We're going to use your fingerprint as the only form of identity," either. No single factor is good enough under the guidance. So that means that when you log in, you have to be providing one type of authentication and then a completely separate type. Now when we say type of authentication, this means if it's something that you would normally remember, that's one type of information. If it's something that you have in your pocket, like a token, or in Germany they use little flip pads of numbers, those are something that you have; that's another type. So all of those represent different factors of authentication. If I just ask you for two passwords, that's not enough under the guidance because that's only one factor no matter how many times I ask you for it.

Alex Howard

Well, I know that in certain Asian countries, notably Korea and some parts of Japan, it's increasingly possible to use a cell phone or other smartphone PDA device to authenticate yourself in a point-of-sale transaction. Similar to, say, carrying the chip from your credit card, if your credit card has a chip, or even the bar in such a way that it makes it usable for vending machines, for retail purchase, for food, whatever else. Is that kind of authentication something that's even in the discussion yet in terms of this kind of compliance, or are we still just talking about browser-based transactions?

Patrick Audley

Well, in a lot of ways we're still talking about browser-based transactions, but those technologies actually apply very, very well to that arena as well. There's quite a few new entrants into the authentication industry in the last year or two that are actually attempting to bring that same level of cell phone authentication to normal online banking. The system that they have is very, very simple. You enter in a username and password to the bank, and the bank sends you an SMS text message on your phone with a code in it, and you punch in that code. Now that's two-factor because it's something you know, which is your password, and something you have, which is your phone. So, you know, if someone were to just steal your password or just steal your phone, they really wouldn't get anywhere.

Alex Howard

Now, and that actually goes to other portions of the compliance issues as I understand it. Beyond the authentication issue, setting up authentication options, going through the process, establishing safe words or secret words, whatever else, to be able to go back if you have forgotten things. I understand there's a need for verification of new customers, which you just referred to, and then monitoring and reporting. What kinds of steps do organizations need to do to effectively monitor and report, which I think speaks to what you just talked about?

Patrick Audley

Wow, that's a hard one. You know, I'd like to say that the industry as a whole has a good answer for that. Part of the reason that the guidance was so vague was because no one really knows what good monitoring looks like in this case. And the only real metric that we have for whether we as an industry are doing a good job is whether fraud rates are going up or down. Now for the last several years, they've been going up. So that tells you at least that we're not doing a good job now. Where people are going to go with it... oh, that's kind of tricky. A lot of the current solutions out there are focusing on expert system-based software where they look at a huge database of rules. Things like if the user has done this in this context and then they did this, then they're probably fraudulent. Those large rule bases are quite fragile, and we think that over the next year or two the industry is going to trend towards more either neural net or pattern recognition-based systems. Surprisingly, a lot of the really interesting research in this particular field is coming out of spam analysis. Because they face a lot of the similar problems in that industry. And there's a lot more motivated people with less regulation in the way, so you see the technology evolving very quickly in that arena. But we think that a lot of those techniques, self-learning techniques, are going to apply a lot more to fraud because there's a problem with looking at a rule base of fraud rules is that invariably people come up with new ways of exploiting the system, and you're only ever looking at preventing attacks that have already occurred in the past from occurring again. Versus a machine learning system, which is often able to identify novel attacks.

Alex Howard

Interesting.

Patrick Audley

So we think you're going to see a lot more reporting that's based around dynamic learning. How is it going to change the industry? The industry as a whole is moving towards real-time reporting as opposed to historical reporting. So you're starting to see that gap between when someone looks at a transaction to see maybe this is fraudulent or not, closing quite a bit. Actually, the biggest leader in that industry has been Visa, because the gap between Visa transactions for when they notice fraud and when they actually deny the transaction has been getting smaller and smaller every year. And they're one of the few players in the financial industry that's been very, very successful at mitigating their fraud.

Alex Howard

Sure. Well, I've heard anecdote after anecdote of card protection services calling users when there's an unusual purchase that doesn't meet their normal trends or patterns.

Patrick Audley

Yes.

Alex Howard

And that goes right to the real-time risk analysis. Well, odds are if you're listening to us talk about FFIEC compliance right now, the deadline has passed by. What kinds of, well let's put it out there, penalties are there if you're not compliant?

Patrick Audley

Well, it is just guidance. So we, from the banks that we've talked to—I don't want to go into too many specifics with specific banks, but I can tell you the general feel that we've been getting from everybody from small credit unions to some of the largest banks in the world has been that it is just guidance...

NOTE: The transcript ends here. The original MP3 published on TechTarget goes silent at this point; this has been verified against the source and is the case in all archived copies.

Permalink: https://patrickaudley.com/podcasts/ffiec-compliance.html · Download MP3