
Unlocking the Secrets of “Layered Security”

Strategically Speaking
Feb 1, 2012

Author: Kevin Moland

Thanks to the FFIEC, the words “layered” and “security” have been permanently welded together. The phrase appears sixteen times (seventeen, if you allow the variation, “a layered approach to security”) in last June’s Supplement to Authentication in an Internet Banking Environment. Since then, the happy adjective and noun have been spotted side-by-side in gazillions of blog posts, white papers, and online security ads; they are part of the same family, like Donnie and Marie; paired for all time, like Snookie and “The Situation.”

On page four of the aforementioned guidance, the FFIEC defines layered security as being “characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” In many of the side streets that feed into the online financial services marketplace, this sentence is being interpreted simply—but incorrectly—as, “Financial institutions need more security.” Those who condense the guidance this way do so at their own peril.

To be fair, the guidance does require “the use of different controls,” which will result in FIs deploying more security measures, but the FFIEC specifically requires that those controls be placed “at different points in the transaction process.” Replacing current fraud prevention tools with new ones (e.g., removing tokens and replacing them with out-of-band phone authentication) may or may not improve a particular checkpoint, but it won’t add new security layers and it won’t meet the goals set forth by the FFIEC. Adding more of the same kind of security (e.g., adding out-of-band authentication in addition to tokens) won’t add a new layer either; it will just make the existing layer fatter. Adding more cheese to your cheeseburger doesn’t make it a different kind of sandwich; it just makes it cheesier.

In addition to deploying fraud prevention tools at different points in the transaction process, the FFIEC further directs that these controls be implemented in a way that ensures “a weakness in one control is generally compensated for by the strength of a different control.” In other words, what the FFIEC really wants is intelligently layered security, where each layer is designed to prevent attacks engineered to defeat other layers.

So how can an FI add new layers intelligently? In the guidance, the FFIEC discusses a plethora of security measures, but it talks very little about the “transaction process” or how to arrange security measures within it. To meet the requirements of the guidance, financial institutions will need to construct an enterprise-wide diagram detailing the flow of their electronic transactions. This flow chart should serve as the foundation for their risk assessment.

The diagram can be built around these online system activities:

• User Login
• Transaction Submission
• FI Review and Processing
• System Administration

Financial institutions should first identify the security measures they deploy today and determine how they are spread across the activities above. They must then evaluate how known threats will fare against those measures. In a perfect world, any attack that defeats a measure in one part of the process will be thwarted by measures in other parts. In the real world, FIs will likely find scenarios where existing defenses are inadequate to prevent certain types of fraud.

Take, for example, fraudsters’ increasing ability to manipulate legitimate online sessions. In this type of attack, malicious entities observe system traffic unnoticed until after a user has logged in to the system. Once the user establishes a valid session, the fraudster, via embedded browser “add-ins” (Man-in-the-Browser) or by setting himself up as a proxy service (Man-in-the-Middle), assumes control of the session and submits fraudulent transactions. This type of attack takes place after user login, circumventing the strong authentication tools most FIs added in response to the FFIEC’s original 2005 guidance. Adding more user authentication measures during login won’t prevent this kind of fraud. What will help is establishing new controls in the transaction submission phase, such as dual control, velocity limits, or additional out-of-band approval for transactions sent to accounts not previously targeted by that business. Anomaly detection tools deployed in the reviewing and processing phase will further protect against these types of attacks, as will customer-installed, FI-endorsed security modules designed to police the user’s PC.

Using this type of approach, financial institutions must examine how each threat fares against their security measures during each phase of the transaction process. FIs that do this will be able to identify “holes” in their current prevention plans. Once an FI understands where its security measures fall short, it can take action to strengthen weak areas.
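The threat-versus-phase check described above, written out as a small, runnable model. This is an added example, not code from the post or from Jack Henry: the four phase names are the post’s, but the controls, the threat names and which control stops which threat are constructed illustrations chosen to reproduce the post’s argument (a second login control only fattens the login layer, while submission-phase and review-phase controls add layers against post-login session hijacking).

```python
# Added example: threat-vs-phase coverage check for a layered-security plan.
# Phases are the four online system activities listed in the post; controls,
# threats and their mappings are constructed for illustration only.
from dataclasses import dataclass

PHASES = ("User Login", "Transaction Submission",
          "FI Review and Processing", "System Administration")

@dataclass(frozen=True)
class Control:
    name: str
    phase: str          # must be one of PHASES
    stops: frozenset    # threats this control is designed to defeat

def coverage(controls, threat):
    """Map each phase to the names of controls that stop `threat` there."""
    return {p: [c.name for c in controls if c.phase == p and threat in c.stops]
            for p in PHASES}

def layer_count(controls, threat):
    """Distinct phases with an effective control; a fatter layer counts once."""
    return sum(1 for names in coverage(controls, threat).values() if names)

def holes(controls, threats):
    """Threats that no phase defends against: the 'holes' the post describes."""
    return sorted(t for t in threats if layer_count(controls, t) == 0)

# Constructed scenario: a login-only defence faces a post-login attack.
HIJACK = "session hijack (MitB/MitM)"
THREATS = ("credential theft", HIJACK)
BASELINE = [Control("Hardware token", "User Login", frozenset({"credential theft"}))]
# More of the same kind of control at the same point: the layer gets fatter.
FATTER = BASELINE + [Control("Out-of-band login auth", "User Login",
                             frozenset({"credential theft"}))]
# Controls placed at different points in the transaction process: new layers.
DEEPER = BASELINE + [
    Control("Velocity limit", "Transaction Submission", frozenset({HIJACK})),
    Control("Out-of-band approval for new payee", "Transaction Submission",
            frozenset({HIJACK})),
    Control("Anomaly detection", "FI Review and Processing", frozenset({HIJACK})),
]

if __name__ == "__main__":
    for label, plan in (("baseline", BASELINE), ("fatter", FATTER), ("deeper", DEEPER)):
        print(f"{label}: holes={holes(plan, THREATS)} "
              f"layers vs hijack={layer_count(plan, HIJACK)}")
```

Running it shows the baseline and the “fatter” plan share the same hole (session hijacking), while the “deeper” plan closes it with two distinct layers.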

In summary, “layered security” isn’t just about adding more stuff. It’s about adding the right stuff in the right places. FIs that intelligently arrange their layered security measures will have nothing to fear from examiners and, more importantly, their customers will have less to fear from fraudsters.
