SOURCE: ThreatMetrix


March 24, 2011 06:00 ET

ThreatMetrix on FFIEC New Authentication Guidance: Banks Must Move Quickly to Adopt Smart Device Identification Technologies

In Response to the Recently Released Draft of the FFIEC's New Online Authentication Guidance, ThreatMetrix Outlines the Case for Smarter Device Identification Technologies

LOS ALTOS, CA--(Marketwire - March 24, 2011) - ThreatMetrix™, the fastest-growing provider of cloud-based fraud prevention solutions that do not require personally identifiable information (PII), has outlined its position on why banks will need to adopt smart device identification technologies to meet the new guidelines outlined by the Federal Financial Institutions Examination Council (FFIEC). The FFIEC authentication guidance was recently initiated to meet today's growing online security challenges.

In 2001 the FFIEC's "Authentication in an Internet Banking Environment" ushered in a new era of online banking security protections, and with it a wave of technology upgrades and company acquisitions as banks and their vendors scrambled to meet compliance. As a result, basic forms of device identification technologies were implemented to meet multi-factor and risk-based customer authentication requirements.

"Today, while cybercriminals, Trojans, and botnets have radically evolved, many online bank accounts are still only protected by little more than a cookie and a simple hash of browser and IP attributes," said Reed Taussig, president and CEO, ThreatMetrix. "Banks need smarter device identification to meet new FFIEC requirements for more rigorous forms of customer and transaction authentication."

What can a bank do to minimize risks during customer and transaction authentication?

The first step towards reducing unnecessary risks and fraudulent activity is to understand the critical limitations of existing simple device identification methods. Some of the glaring weaknesses include:

  • The reliance of existing technologies on cookies or cookie equivalents.
    • Cookies and Flash cookies are easy to delete and compromise, while private browsing modes included in most popular browsers make it easier for fraudsters to hide.
  • The reliance on very limited data to fingerprint a customer's device.
    • Simple device fingerprinting technologies gather information only about the browser and clock, which are easy to spoof and subvert, and ignore important security information.
  • The reliance on overly simplistic analysis.
    • Simple hashing techniques miss fraud and cause false positives, and simple IP proxy lists are ineffective for detecting man-in-the-middle (MITM) attacks.
  • The lack of real-time device identification. 
    • Simple device identification does not provide support for compromised device detection at the time of transaction.

The next step is to realize that smart device identification can now detect very sophisticated fraudulent activity through:

  • Cookieless device identification
  • MITM detection technologies
  • Compromised device and script detection
  • Global device recognition and behavior tracking
  • Context-aware, risk-based assessment across customer and transaction authentication processes

Given the significant benefits associated with the evolution of device identification, ThreatMetrix recommends that banks and financial institutions move quickly to adopt smart device identification technologies.

Upgrade current customer device identification
While customer device identification remains the most cost-effective first perimeter of defense for customer and transaction authentication, banks need to adopt smart device identification technologies in light of widespread identity and password theft, botnets and Trojans, and the proliferation of the number and types of devices connected to the Internet. New device identification solutions provide these benefits while allowing banks to safeguard customer privacy, trust and convenience.

For more information, download the full ThreatMetrix whitepaper: "Is Your Device ID Ready for the FFIEC? Smart Device Identification for Online Banking."

About ThreatMetrix
ThreatMetrix helps companies stop web fraud and accelerate e-commerce in real-time so they can significantly reduce online fraud, acquire more customers faster, reduce costs, and increase customer satisfaction. The ThreatMetrix Cloud-Based Fraud Prevention Platform, incorporating ThreatMetrix SmartID cookieless device identification technology, provides online businesses with the ability to protect themselves and their customers by verifying new accounts, authorizing payments and transactions and authenticating user logins in real-time. Online businesses can deploy the ThreatMetrix Cloud-based Fraud Prevention Platform, which does not rely on personally identifiable information (PII), for traditional online activity via a personal computer as well as for mobile and tablet devices. The company serves a rapidly growing customer base around the world across a variety of industries including social networks (dating, gaming), financial services, e-commerce, affiliate marketing and payments. For more information, visit or call 1-650-625-1451.

© 2011 ThreatMetrix. All rights reserved. ThreatMetrix, ThreatMetrix SmartID, ThreatMetrix ExactID, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.
