As I write this (2/2011), we are expecting updated guidance from the FFIEC any day on on-line authentication and security. It is way overdue, as the last release was way back in 2005. It is supposed to address the changes in the security landscape since then, and hopefully it will even raise the bar a bit, but I’m afraid that it won’t do enough to dispel the 5 biggest myths regarding on-line security:
- “My software vendor provides all the security I need.”
- “My multi-factor hardware tokens provide all the security I need.”
- “If I follow FFIEC guidelines, my measures will be considered ‘commercially reasonable’”.
- “Multi-factor authentication is adequate”.
- “The customer assumes partial responsibility for security (at least contractually)”.
- “Unless Reg E is extended to commercial accounts, my financial liability is limited”.
I’m going to address why all these are false in future posts, but for now make sure your risk assessment doesn’t rely on any of them.