[Clips] FDIC: FIL-103-2005: Authentication in an Internet Banking Environment
--- begin forwarded text

Delivered-To: clips@philodox.com
Date: Thu, 20 Oct 2005 00:39:49 -0400
To: Philodox Clips List <clips@philodox.com>
From: "R.A. Hettinga" <rah@shipwright.com>
Subject: [Clips] FDIC: FIL-103-2005: Authentication in an Internet Banking Environment
Reply-To: rah@philodox.com
Sender: clips-bounces@philodox.com

<http://www.fdic.gov/news/news/financial/2005/fil10305.html>

Financial Institution Letters

FFIEC Guidance
Authentication in an Internet Banking Environment

FIL-103-2005
October 12, 2005

Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, "Authentication in an Internet Banking Environment." For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution's progress in complying with this guidance during upcoming examinations. Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.

Highlights:

* Financial institutions offering Internet-based products and services should use effective methods to authenticate the identity of customers using those products and services.
* Single-factor authentication methodologies may not provide sufficient protection for Internet-based financial services.
* The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
* Risk assessments should provide the basis for determining an effective authentication strategy according to the risks associated with the various products and services available to on-line customers.
* Customer awareness and education should continue to be emphasized because they are effective deterrents to the on-line theft of assets and sensitive information.

Distribution:
FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:
Chief Executive Officer
Chief Information Security Officer

Related Topics:

* FIL-66-2005, Guidance on Mitigating Risks From Spyware, issued July 22, 2005
* FIL-64-2005, Guidance on How Financial Institutions Can Protect Against Pharming Attacks, issued July 18, 2005
* FIL-27-2004, Guidance on Safeguarding Customers Against E-Mail and Internet Related Fraud, issued March 12, 2004
* FFIEC Information Security Handbook, issued November 2003
* Interagency Informational Brochure on Phishing Scams, contained in FIL-113-2004, issued September 13, 2004
* Putting an End to Account-Hijacking Identity Theft, FDIC Study, issued December 14, 2004
* FDIC Identity Theft Study Supplement on Account-Highjacking Identity Theft, issued June 17, 2005

Attachment:
FFIEC Guidance: Authentication in an Internet Banking Environment - PDF 163k

Contact:
Senior Policy Analyst Jeffrey Kopchik at JKopchik@fdic.gov or (202) 898-3872, or Senior Technology Specialist Robert D. Lee at RoLee@fdic.gov or (202) 898-3688

Printable Format:
FIL-103-2005 - PDF 41k

Note:
FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/news/financial/2005/index.html.

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html.

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or 202-416-6940).

Last Updated 10/12/2005

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips@philodox.com
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text