Dec. 15, 2011 – Periodic risk assessments addressing the online threat environment are a major focus of the Federal Financial Institutions Examination Council’s latest guidance for authentication of those accessing accounts online, NAFCU webcast participants learned Wednesday.
The webcast, which featured computer security expert Randy Romes of LarsonAllen LLP, provided credit unions with an in-depth look at FFIEC guidance issued June 27. The guidance takes effect Jan. 1.
Romes discussed some of the risks tied to online accounts. Phishing and malware attacks, for example, are one way criminals obtain members’ usernames and passwords, which can then be used to conduct wire transfers from members’ accounts. To help combat this and other current online scams, the guidance says credit unions should conduct risk assessments each time there is a change in vendor or procedure related to their online systems. “It’s an ongoing process,” Romes said. He added the guidance also stresses the importance of using multiple factors and layering security methods for authenticating access to online systems.
Simple challenge questions are no longer acceptable as the only authentication method because it is too easy to get member information from websites such as Facebook or LinkedIn.com, he said.
Romes also highlighted the importance of educating credit union members about current online threats and encouraging business account holders to periodically check their end of the payments system for vulnerabilities.
Wednesday’s webcast will be available on demand for six months. Romes will discuss the FFIEC guidance in greater detail at NAFCU’s 2012 Technology and Security Conference set for Feb. 14-16 in Las Vegas. Early registration discounts for the conference end Jan. 6. Credit unions can also look forward to the January/February 2012 issue of The Federal Credit Union magazine for an article on the topic.