The Fraud Blog with Tracy Kitten

FFIEC Draft Guidance: Where's Mobile?

Mobile Security Guidelines Not a Part of Current Update
FFIEC Draft Guidance: Where's Mobile?

After months of speculation, the banking industry finally got a peek at what it might see in the way of new online security guidance from the Federal Financial Institutions Examination Council.

We started hearing about this new guidance last summer, when word spread that the FFIEC was looking to update its 2005 guidance on authentication.

This update further took shape in January, when we got a nudge from -- among others -- Gartner Analyst Avivah Litan, who left an FFIEC subcommittee meeting with great expectations for soon-to-be-issued guidance that would provide more clarity for bankers and protection for commercial businesses. Simply, Litan said, "The message I got is that new guidance will be coming soon."

Now, the moment we've all been waiting for is nearly here in the form of a draft, and I wonder how triumphant the FFIEC has been.

I've read through the drafted guidelines the FFIEC prepared in December -- a preliminary peek the council put together for its member agencies to review. This draft has circulated widely among industry practitioners, vendors and analysts, and copies recently ended up on our desks, too.

I understand feedback from regulatory agencies is likely being taken into consideration as I type, so the guidelines that actually make the final cut could differ dramatically from what we've reviewed. Stay tuned. We haven't seen the final guidance yet.

That said, based on what I've seen, I have to note I am disappointed to see no mention of mobile banking anywhere in the FFIEC's draft.

As more banking transactions shift to the mobile environment, the absence of any recommendations for mobile-based transaction authentication is a bit alarming.

I've talked to regulators in the past about mobile security mandates and compliance concerns related to emerging technologies. They've told me financial institutions should follow existing guidance set for traditional online transactions, saying the online and mobile channels don't differ so much. Both channels are used to conduct "online" transactions, they say, and thus should follow the same guidance.

I disagree.

The channel through which an online account is accessed or an online banking transaction is initiated does make a difference. The security is not the same. Authenticating browser-based transactions conducted via a mobile device, which itself cannot truly be verified, is a whole new challenge for banking institutions.

Mobile security is a problem, namely because we don't know enough about it. Last October, Jason Rouse, director of the mobile and wireless practice for Cigital, told me the fluid nature of mobile browsing habits makes authentication impossible. "It's an unfortunate side-effect of the way that a lot of wireless networks are structured," Rouse explained. "As I connect and disconnect from the network, as I turn my phone on and off or as I just roam to other carriers, it is actually very difficult to maintain a single IP address. As a consequence of the way that the networks are structured, technically, we normally have IP changes in the range of hours to days for every mobile client."

"It is going to take a long-term investment in both research and implementation to get the mobile device or the mobile platform to the place where you, as a bank, would want it to be," Rouse said. "Your best friend is analytics. Keeping track of what is happening in your systems -- anti-fraud, anti-money laundering and even just transaction-risk measures -- can be your best option as you deploy mobile devices or mobile applications to mobile platforms."

Yet, this draft of the industry's most anticipated guidance doesn't even broach the mobile issue.

I don't want to be overly critical. I understand this is a huge undertaking, and from what I can tell, the regulators have taken time to understand emerging online risks and get input from a number of industry sources. I just have to point out that this draft guidance does the industry a great disservice by completely overlooking the unique challenges posed by mobile.

As new institutions dive into mobile banking, security leaders are begging for some new guidance. Where is it?

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.