Financial institutions are required to regularly assess the authentication controls, security layers, and monitoring of Internet Banking to prepare for current threats and comply with FFIEC guidance.
Since most institutions utilize an outside vendor to provide an Internet Banking solution, and since all these vendors utilize multifactor authentication as well as other controls, many institutions never dig very deep when performing these assessments. Surprises can occur later on when an incident makes it clear that the vendor did not have as many controls in place as originally thought. To ensure that you clearly understand all risks when assessing outsourced Internet Banking, we recommend asking the vendor these questions:
- What multifactor authentication methods are used to ensure logins are coming from our customers?
- Is the multifactor authentication method vulnerable to spoofing attacks where criminals redirect a cell phone number to their own device to receive a text message meant for our customer?
- If the multifactor authentication method utilizes device identification and/or geolocation, what controls are in place to keep an attacker from impersonating the device by copying cookies and/or using a proxy server to make it appear the system is in the same location?
- Is the same level of multifactor authentication required for logins through mobile applications?
- Is the same level of multifactor authentication required for logins through aggregator APIs (Quicken, Mint, etc.)?
- What monitoring and alerting is being performed to stop fraudulent logins and/or fraudulent transactions through the Internet Banking or Mobile Banking sites?
- When a fraudulent login is detected, what actions does the vendor take?
- What tools are available to us to research suspicious login attempts?
- What actions are available to us in the event that we find a customer login was fraudulent?
By asking the questions above, you will have a much better understanding of the true capabilities of your Internet Banking vendor and any risks which may exist. If you need assistance performing a risk assessment of your Internet Banking vendor, please do not hesitate to contact us at support@bedelsecurity.com!
Additional Resources:
- Managing the Relationship Between Information Technology and Information Security: https://www.bedelsecurity.com/blog/managing-the-relationship-between-information-technology-and-information-security
- A Message to Vendors: https://www.bedelsecurity.com/blog/a-message-to-vendors
- Independent Collaboration Part 2: A Framework for Outsourcing IT in Financial Institutions: https://www.bedelsecurity.com/blog/independent-collaboration-part-2-a-framework-for-outsourcing-it-in-financial-institutions
- Independent Collaboration Part 1: A Concept for Outsourcing IT in Financial Institutions: https://www.bedelsecurity.com/blog/independent-collaboration-part-1-a-concept-for-outsourcing-it-in-financial-institutions
- Assessing Risk: Outsourced Service Providers: https://www.bedelsecurity.com/blog/assessing-risk-outsourced-service-providers