This is the first question in our five-part series on the FFIEC guidance and what it means for Internet banking. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline.
Question: What does “layered security” actually mean?
“Layered” security refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the simplest, most benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.
Consider a customer who logs onto an on-line banking session to execute a wire transfer of funds to another account. The layers of security applied to this activity might look like the following:
1. Layer One - Account log-in. Security = a valid ID and password must be provided.
2. Layer Two - Wire transfer request. Security = IP verification/confirmation that this PC has been used to access this account previously.
3. Layer Three - Wire transfer to a destination account that has not received wire transfer funds in the past. Security = knowledge-based authentication.
Layered security provides an organization with the ability to handle simple customer requests with minimal security, and to strengthen security as risks dictate. A layered approach enables the vast majority of low-risk transactions to be completed without unnecessary interference, while the high-risk transactions are sufficiently verified.
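To make the three layers concrete, here is an added Python sketch of the step-up policy described above; it is an illustration written for this post, not code from any bank or vendor. The account, IP and destination values are constructed, and the choice that an unrecognized IP or a never-used destination produces an explicit challenge (rather than an outright denial) is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample history standing in for a bank's records (not real data).
KNOWN_IPS = {"acct-1001": {"203.0.113.7"}}             # IPs seen on this account before
PAST_WIRE_DESTINATIONS = {"acct-1001": {"acct-2002"}}  # accounts that received wires before


@dataclass
class Activity:
    account: str
    credentials_valid: bool                 # outcome of the ID + password check
    source_ip: str
    wire_destination: Optional[str] = None  # None when the customer only logs in


def evaluate_layers(act: Activity) -> list[tuple[str, str]]:
    """Apply the layers in order and report each one's outcome.

    Returns (layer, outcome) pairs where outcome is "pass", "fail" or
    "challenge".  Layer one always applies; layers two and three are
    reached only when the activity carries the extra risk they address.
    """
    steps = [("layer1:credentials", "pass" if act.credentials_valid else "fail")]
    if act.wire_destination is None:
        return steps  # plain log-in: no wire requested, nothing more to check
    # Layer two: a wire request triggers verification that this IP/PC has been
    # used for the account before; an unseen IP is assumed to need confirmation.
    known_ip = act.source_ip in KNOWN_IPS.get(act.account, set())
    steps.append(("layer2:ip_verification", "pass" if known_ip else "challenge"))
    # Layer three: a destination that has never received a wire from this
    # account requires knowledge-based authentication before the transfer.
    if act.wire_destination not in PAST_WIRE_DESTINATIONS.get(act.account, set()):
        steps.append(("layer3:knowledge_based_authentication", "challenge"))
    return steps


def authorize(act: Activity, completed: set[str]) -> bool:
    """True only when no layer failed and every challenge was completed.

    `completed` holds the names of challenges the customer answered
    successfully in this session (e.g. the KBA step).
    """
    for layer, outcome in evaluate_layers(act):
        if outcome == "fail":
            return False
        if outcome == "challenge" and layer not in completed:
            return False
    return True
```

Routine log-ins and repeat wires from a known PC pass with only layer one, while a new destination from an unknown IP has to clear both extra layers before the transfer goes through.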
Look for part two of our five-part series tomorrow.