The Federal Financial Institutions Examination Council recently issued a supplement to the Authentication in an Internet Banking Environment guidance, which was first issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.

The continued growth of electronic banking and greater sophistication of the associated threats have increased risks for financial institutions and their customers. Customers and financial institutions have experienced substantial losses from online account takeovers. Fraudsters have continued to develop and deploy more sophisticated, effective, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers’ online accounts. Rapidly growing organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls. Various complicated types of attack tools have been developed and automated into downloadable kits, increasing availability and permitting their use by less experienced fraudsters. Rootkit-based malware surreptitiously installed on a personal computer can monitor a customer’s activities and facilitate the theft and misuse of their login credentials. Fraudsters are responsible for losses of hundreds of millions of dollars resulting from online account takeovers and unauthorized funds transfers.