Layering on security: banking regulators are expected to push for stronger forms of authentication as electronic transaction fraud proliferates.
Whoever hacked into RSA's system extracted information related to its SecurID two-factor authentication product, which generates such token codes.
"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Art Coviello, executive chairman of RSA, a division of EMC, said in a March 17 letter to customers.
Electronic transaction fraud is becoming pervasive. A recent survey of 533 businesses by the Ponemon Institute and Guardian Analytics found 75% had experienced online fraud or had accounts taken over by so-called malware. That suggests existing controls are insufficient, says Terry Austin, CEO of Guardian, which provides predictive anti-fraud software. Austin says the RSA breach is "another indicator."
An FDIC spokesman says the FFIEC guidance should be released soon. An unofficial draft that circulated late last year calls for banks to adopt layered security controls, which improve on multi-factor authentication by adding security measures.
RSA's SecurID token represents the base, multi-factor credential layer. Requiring users to supply a shared secret and confirming transactions through alternate channels, such as a text message to a mobile phone, are two more. Monitoring for transactions outside a business' normal pattern is another potential layer.
Shortly after the news of the RSA hack, IDC Financial Insights issued security recommendations to customers that emphasized the importance of using layers. With respect to the FFIEC. IDC analyst Michael Versace says, "I hope they reinforce the importance of prior guidance and the use of multiple security layers in all financial systems, including those categorized as high risk."
banking regulators are expected to push for stronger forms of authentication as electronic transaction fraud proliferates.
|Printer friendly Cite/link Email Feedback|
|Publication:||Treasury & Risk|
|Date:||May 1, 2011|
|Previous Article:||Transfer-pricing crackdown: tax authorities worldwide are ramping up enforcement efforts related to the pricing of intra-company transactions.|
|Next Article:||Work equality advances: as LGBT workers and consumers gain more clout, companies seek to improve their policies and benefits.|