New authentication guidance for banks from FFIEC


In the wake of the Epsilon security breach and other recent attacks exposing personal data held by high-profile banks, federal authorities have beefed up the authentication measures financial firms are supposed to take to do business online. The changes are aimed at promoting more productive risk assessments, but experts don't agree on how effective they will be, reports George V. Hulme at CSO magazine.

The body behind the authentication guidance (.pdf), the Federal Financial Institutions Examination Council, highlighted the value of making customers aware of online threats as well as the importance of conducting risk assessments. The council did not offer any particulars on what kinds of technologies or techniques financial institutions should use, however.

The council's wording in the guidance is open to interpretation, said Jacob Jegher, senior analyst at the consulting firm Celent. "I must say that this document doesn't say much that most banks don't already know," he said. "It's a great read for someone who is new to the space who wants to get a high-level overview of some of the challenges banks are facing."

Gartner analyst Avivah Litan agreed that the "document is very wishy-washy in its wording, with words like 'could' and 'suggested' used way too often." However, it does discuss infrastructure changes that banks should bear in mind, and it notes the importance of monitoring and controlling privileged access, which are positive updates, Litan said.

"The guidance came out and clearly stated that every form of authentication can be defeated. I think banks need to hear this, and the previous version of the guidance was way too focused on authentication techniques," she said.

For more:
- read the FFIEC statement (.pdf)
- see George V. Hulme's article at CSO
