Re-Evaluate Authentication Systems

Cyber crime remains a continuous threat.

September 1, 2011

This summer the Federal Financial Institutions Examination Council (FFIEC) agencies issued a supplement to their 2005 guidance (“Authentication in an Internet Banking Environment”). The FFIEC consists of NCUA and the federal banking agencies.

NCUA expects federally insured credit unions to adapt appropriate strategies and controls (or safeguards) outlined in this supplemental guidance to strengthen their authentication systems by January 2012. 

Authentication is the process of verifying a member’s identity using methodologies and technologies before the member gains access to an online banking website. It’s a way to ensure members are who they say they are before accessing their personal financial information. 

Why the new guidance? Times have changed. The authentication methods recommended six years ago have become less effective against the more sophisticated approaches fraudsters use.

So it’s time for credit unions to take a look at their member authentication systems to see what changes need to be made in light of these evolving threats.

The 2005 guidance moved institutions away from single-factor authentication (e.g., user name and password only), to multifactor authentication (e.g., user name with password and PIN, or password and challenge question), layered security, and other controls. The 2011 guidance takes this further, highlighting key precautions institutions should take if they offer electronic services.

Examiner expectations

Beginning in 2012, NCUAexaminers will evaluate these controls at credit unions offering electronic services:

1. Risk assessments. Credit unions should review and update their existing risk assessments as new information becomes available, before implementing new electronic financial services, or at least every 12 months. Updated risk assessments should consider, but not be limited to, the following factors:

  • Changes in the internal and external threat environment;
  • Changes in the member base adopting electronic banking;
  • Changes in the member functionality offered through electronic banking; and
  • Actual incidents of security breaches, identity theft, or fraud experienced by the credit union or financial services industry.

2. Member authentication for “high-risk” transactions. “High-risk transactions” are electronic transactions involving access to member information or the movement of funds to other parties (e.g., automated clearinghouse [ACH], wire transfer). Not every online transaction poses the same level of risk. So, credit unions should implement more robust controls as the risk level of the transaction increases. For example, business accounts may impose a higher level of risk than consumer accounts because of the higher dollar amount and frequency of transactions. It’s why FFIEC agencies recommend layered security and multifactor authentication for business accounts.

3. Layered security programs. Layered security means the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. The guidance directs credit unions to implement a layered approach to security for high-risk Internet-based systems. Effective controls that may be included in a layered security program include, but aren’t limited to:

  • Fraud detection and monitoring systems that consider member history and behavior and enable a timely and effective institution response;
  • Dual member authorization through different access devices;
  • Out-of-band verification for transactions;
  • “Positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account;
  • Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactionsallowed per day, and allowable payment windows (e.g., days and times);
  • Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities;
  • Policies and practices for addressing member devices identified as potentially compromised and members who may be facilitating fraud;
  • Enhanced control over changes to account maintenance activities performed by members either online or through member service channels; and
  • Enhanced member education to increase awareness of the fraud risk and effective techniques members can use to mitigate the risk.

Layered security programs also must detect and respond to suspicious activity related to initial log-in and authentication of members requesting access to the credit union’s online banking system; and initiation of electronic transactions involving the transfer of funds to other parties (e.g., via ACH or wire transfer). The agencies noted that transaction monitoring often could have prevented numerous fraudulent transactions from occurring.

For online access to business accounts, layered security should include enhanced controls for system administrators who are granted privileges to set up or change system configurations. According to the agencies, enhanced control over administrative access and functions can effectively reduce money transfer fraud.

Next: Authentication techniques


Authentication techniques

Credit unions also should re-evaluate authentication techniques to determine if they’re still effective in today’s environment. For example, many institutions have implemented simple device identification. This typically uses a “cookie” loaded on the member’s PC to make sure it’s the same PC the member enrolled and its log-in ID and password match.

Apparently, this type of cookie can be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate member. So credit unions should no longer consider simple device identification as a primary control to be an effective risk mitigation technique. Instead, consider using a more sophisticated form of this technique that uses “one-time” cookies and creates a more complex digital “fingerprint” by looking at a number of characteristics including PC configuration, IP address, geo-location, and other factors. 

Many institutions use challenge questions (e.g., mother’s maiden name, year of college graduation, etc.) as a backup to the primary log-in authentication technique. The provision of correct responses to challenge questions
can also be used to
re-authenticate the member or verify a specific transaction subsequent to the initial log-in. But challenge questions can often be easily answered by an impostor who knows the member or has used an Internet search engine or social networking site to get information about the member. 

Again, don’t consider basic challenge questions as a primary control to be an effective risk mitigation technique. Instead, use “out of wallet” questions that don’t rely on information that’s often publicly available and are much more difficult for an impostor to answer correctly. The agencies believe the use of more sophisticated questions can be an effective component of a layered security program.

Lastly, don’t forget to educate members so they’re aware of the steps you’re taking to protect both them and the institution from cyber crime.

VALERIE Y. MOSS is CUNA’s director of compliance information. Contact CUNA’s compliance department at


  • CUNA’s e-Guide to Federal Laws and Regulations:; select “regulations & compliance.”
  • NCUA,
  1. Letter to Credit Unions 11-CU-09: “Online Member Authentication Guidance” (July 2011)
  2. Letter to Credit Unions 05-CU-18: “Guidance on Authentication in Internet Banking Environment” (Nov. 2005).