Presentation is loading. Please wait.

Presentation is loading. Please wait.

Consumer Authentication in e-Banking & Part 748 – Appendix B Response Program Catherine Yao Information Systems Officer NCUA.

Published byJames Woods Modified over 7 years ago

Similar presentations

Presentation on theme: "Consumer Authentication in e-Banking & Part 748 – Appendix B Response Program Catherine Yao Information Systems Officer NCUA."— Presentation transcript:

1 Consumer Authentication in e-Banking & Part 748 – Appendix B Response Program
Catherine Yao Information Systems Officer NCUA

2 Consumer Authentication in
e-Banking

3 Outline Purpose Background Risk Assessment and Management
Risk-based assessment Customer Awareness Conclusion

4 Purpose The need for additional security measures to reliably authenticate consumer remotely accessing their financial institution’s Internet banking system. Updates and supplements the 2001 Guidance entitled Authentication in an Electronic Banking Environment.

5 Authentication in an Electronic Banking Environment

6 Background Security Acts Identity Theft
Gramm-Leach-Bliley Act (GLBA) Title V requirement. The Fair and Accurate Credit Reporting Act of 2003 (FACTA) Identity Theft One of the fastest growing types of consumer fraud Account takeover was identified as the fastest growing type of identify theft. Account takeover represents a fundamental compromise of the security protecting consumers’ primary asset account maintained at insured depository institutions.

7 What is identity theft? Identify theft is defined as the appropriation of credentials or private information belongs to another individual to be used in the creation of new accounts or new identities.

8 Hacker’s Tools Phishing Spyware Malware Site Spoofing Trojan Horse
Social Engineering

9 Identity Theft Statistics
According to FTC, During 2003, 10 million Americans were the victims of identity theft, with a total cost to businesses and consumers approaching $50 billion According to Gartner 2004, 2 million U.S. adult Internet users experienced account takeover during the 12 months ending April 2004.

10 Continued - The Anti-Phishing Working Group noted a significant increase in phishing activity over the past six months. There were 12,845 new unique phishing messages reported to the APWG in January 2005 alone.

11 FICUs e-Banking Services Increase (Growth since 2000)
More than half (58%) of FICUs have a website. This has Increase d by 39.5%. Home banking via websites have grown significantly by 78.2%. Number of interactive and transactional websites have grown by 93.4%. Electronic loan payment has increased by 121%. Share draft ordering has grown by 83.2%. Number of members using the transactional worldwide website has increased by 230% (to 18.3 Million) In 2004, among credit unions, the number of transactional websites grew by 10%, to 3,673, while the number of members using transactional sites grew 21% (to 18.3 million).

12 Continued - According to NAFCU, 48% FICUs responded that their Credit unions incurred an increased level of identity theft last year relative to 2003. With the fast growth of e-banking service among FICUs and as scam artists become more sophisticated, identity theft has become major risk for those FICUs offering e-banking services.

13 Continued - In a 2005 study, 14 percent of online consumers reported that they would stop using online banking due to concerns about Phishing.

14 Risk-based Security Program
Program should be Enterprise-wide Perform a risk assessment Consideration of “controls to authenticate” those seeking access to customer information Take risk-based and “layered” approach As the risk to sensitive customer information increases, the compensating controls contained within the institution’s security program must also increase

15 Enterprise-wide Authentication
Adherence to corporate standards and architecture Integration within overall information security framework Within lines of business Central authority for oversight and risk monitoring 1.

16 Risk Assessment Type of the customer
Institution’s transactional capabilities Sensitivity and value of the stored information Ease of using the method Size and volume of transactions

17 Security Measures Risks can be measured by the likelihood of harm and the impact of an occurrence. With respect to Internet transaction processing, three primary risks exist: risk of monetary losses potential loss of future business, and, risk of compromising confidential customer information.

18 Continued - Implementation of security measures Risk matrix
illustrate the type and likelihood of risk on one hand and corresponding risk mitigation techniques on the other.

19 Risk Matrix – illustration only

20 Three factors of Authentication methodologies
Something the user knows (password) Something the user possesses (Smart card) Something the user is (biometric characteristic, such as fingerprint or retinal pattern)

21 Authentication Tools Password PINs Digital certification using a PKI
Physical devices Smart card Tokens Database comparison Biometric identifiers

22 Conclusion To comply with GLBA, FACTA. conduct a risk assessment to identify the types and level of risks associated with e-banking application ID and password as the only control mechanism is no longer adequate for controlling remote access to sensitive info. Multi-factor authentication or other layered security is recommended to mitigate those risks.

23 Part 748 – Appendix B Response program

24 Part 748 – Appendix B Response Program

25 Background Section 501(b) GLBA Part 748 – Appendix A
Increasing Number of Security Breaches Revise Part 748 and Add Appendix B – Response Program

26 Response Program Take preventative measures to safeguard member information Place access control Conduct employee background check Implement a risk-based response program Appropriate to the size and complexity of CU Appropriate to the nature and scope of the activities Service provider Address incidents Notification of the CU

27 Components of Response Program
Assessment Notification of Primary Regulator Notification of Law enforcement Authorities Proactive Measures to Contain /Control Incident Monitoring, freezing, or close affected accounts Member Notification

28 Content of Member Notice
Description The incident in general terms Type of member info was the subject of unauthorized access or use What CU has done to protect the member’s info Telephone number for further assistance Member should remain vigilant over the next months Promptly report incidents of suspected ID theft to the CU

29 Continued - Review Account Statements and Report Suspicious Activity To The CU Notify Credit Bureaus - Consumer Report Obtain Credit Reports – Credit Report Agency Get Federal Trade Commission Assistance

30 Changes from Proposal Standard for notice to member
More risk based; less prescriptive Notice to regulator – only if breach involves sensitive member information

31 Continued - Notice to regulators – delay to coordinate with law enforcement authorities Flagging, monitoring, securing accounts – left to credit union’s assessment of risk Content of notice – likewise risk based Fraud alerts – less prescriptive – discuss with member but not mandatory

32 NCUA Expectations for Compliance
Potential Questionnaire: Incorporated into Overall Security Program Escalation Process / Incident Response Review of Notices – Attorney Review? Enterprise Wide Approach Reporting to Senior Management Member Outreach / Awareness Programs Employee Training Programs

33 Part 748 – Appendix B Response Program

34 Question & Answer

Download ppt "Consumer Authentication in e-Banking & Part 748 – Appendix B Response Program Catherine Yao Information Systems Officer NCUA."

Similar presentations

FFIEC Agency Supplement to Authentication in an Internet Banking Environment http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf.

FFIEC Agency Supplement to Authentication in an Internet Banking Environment
UNDERSTANDING RED FLAG REGULATIONS AND ENSURING COMPLIANCE University of Washington Red Flag Rules Protecting Against Identity Fraud.

UNDERSTANDING RED FLAG REGULATIONS AND ENSURING COMPLIANCE University of Washington Red Flag Rules Protecting Against Identity Fraud.
Red Flags Compliance BANKERS ADVISORY 1 Red Flags Compliance Fair & Accurate Credit Transactions Act (FACTA) Identity Theft Prevention.

Red Flags Compliance BANKERS ADVISORY 1 Red Flags Compliance Fair & Accurate Credit Transactions Act (FACTA) Identity Theft Prevention.
Compliance with Federal Trade Commission’s “Red Flag Rule”

Compliance with Federal Trade Commission’s “Red Flag Rule”
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
Protecting Personal Information Guidance for Business.

Protecting Personal Information Guidance for Business.
1 ID Management in Financial Services – May 2005 Online Fraud Trends – Staying Ahead of the Threats Matthew Biliouris, Information Systems Officer – NCUA.

1 ID Management in Financial Services – May 2005 Online Fraud Trends – Staying Ahead of the Threats Matthew Biliouris, Information Systems Officer – NCUA.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.

© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.
The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.

The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.
Are You Ready? Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines.

Are You Ready? Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines.
©2012 CliftonLarsonAllen LLP 1 111 Red Flags- Why This Matters to You An overview of the FACT Act Identity Theft Red Flag Rule and its current impact.

©2012 CliftonLarsonAllen LLP Red Flags- Why This Matters to You An overview of the FACT Act Identity Theft Red Flag Rule and its current impact.
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
Consumer Authentication in e-Banking & Part 748 – Appendix B Response Program Catherine Yao Information Systems Officer NCUA.

Consumer Authentication in e-Banking & Part 748 – Appendix B Response Program Catherine Yao Information Systems Officer NCUA.
RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.

RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.

Similar presentations

Ads by Google