
Re: WBCTrader post# 158754

Thursday, 04/27/2017 6:39:15 PM


Post# of 235126
I agree. FFIEC FOR ALL SFOR LONGS


First, like any regulatory body of the U.S. Government, the FFIEC is far behind in the Publication of their Documents. Their current Guidance is just from 2013. Almost the same S*** as Their 2011 Guidance, and was basically the size of a letter. Which is, what, now 6 years behind? Or 12 years behind from their Original Guidance of 2005!

Surprise Surprise! How long have mobile devices been out and used in Banking Transactions?
In 2016 they put out Mobile Security Guidance also, Ref: near the bottom. It also states OOB and Biometrics.

Nothing has really happened in 3, 6 or 12 years, right... Besides Massive Data breaches of Banks, Corporations and Government Agencies. LOL

Just the Data Breach of Epsilon around 2011, which houses the Email Addresses of 2,500 Hundred different Companies, should be enough to make even the FFIEC take Notice, yet oh, a letter-sized update in 2011 to their 2005 Guidance should suffice, right!

You would think something as Important as Banking Regulations would at the very least have Regulators putting out Guidance on an Annual or Semi-Annual Basis. What is the Budget for this agency, and the others?

Board of Governors of the Federal Reserve System (FRB)
Federal Deposit Insurance Corporation (FDIC)
National Credit Union Administration (NCUA)
Office of the Comptroller of the Currency (OCC)
Consumer Financial Protection Bureau (CFPB)

The FFIEC estimates its Budget would be $15M for 2015.

Back to, I agree:

Of course the FFIEC does not "get in bed with Vendors"



But when the FFIEC uses the Term Out-of-Band MFA, what in essence are they saying?

Let's just mention StrikeForce's Patents for a Second.

Not only do the Patents cover OOB MFA, but they also cover most forms of Biometrics for Authentication over the Network, and let's keep that in mind as we look at what the FFIEC Guidance states that is highlighted in RED below.

Yes, I agree with you WBCT, there are many forms of Layered Approaches.


Effective controls that may be included in a layered security program include, but are not limited to:

fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;

the use of dual customer authorization through different access devices;

the use of out-of-band verification for transactions;

the use of “positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account;


But we are talking here about MFA as it pertains to StrikeForce's Patents. That being OOB MFA.

What are the FFIEC Most Common Factors Required?


Existing authentication methodologies involve three basic “factors”:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows); whereas, an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., PIN). A multifactor authentication methodology may also include “out-of-band” controls for risk mitigation.


Gee, I can't imagine where I've seen those 3 Bullets 1000 times before....

Appendix, FFIEC, same Guidelines:

Generally, the way to authenticate customers is to have them present some sort of factor to prove their identity. Authentication factors include one or more of the following:

• Something a person knows—commonly a password or PIN. If the user types in the correct password or PIN, access is granted.

• Something a person has—most commonly a physical device referred to as a token. Tokens include self-contained devices that must be physically connected to a computer or devices that have a small screen where a one-time password (OTP) is displayed, which the user must enter to be authenticated.

• Something a person is—most commonly a physical characteristic, such as a fingerprint, voice pattern, hand geometry, or the pattern of veins in the user’s eye. This type of authentication is referred to as “biometrics” and often requires the installation of specific hardware on the system to be accessed.

Authentication methodologies are numerous and range from simple to complex. The level of security provided varies based upon both the technique used and the manner in which it is deployed. Single-factor authentication involves the use of one factor to verify customer identity. The most common single-factor method is the use of a password. Two-factor authentication is most widely used with ATMs. To withdraw money from an ATM, the customer must present both an ATM card (something the person has) and a password or PIN (something the person knows).

Multifactor authentication utilizes two or more factors to verify customer identity. Authentication methodologies based upon multiple factors can be more difficult to compromise and should be considered for high-risk situations. The effectiveness of a particular authentication technique is dependent upon the integrity of the selected product or process and the manner in which it is implemented and managed.




The Agencies are aware of the fact that a number of institutions are requiring the “out of band” authentication or verification of certain high value and/or anomalous transactions. Out-of-band authentication means that a transaction that is initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., telephone) in order for the transaction to be completed. Out-of-band authentication is becoming more popular given that customer PCs are increasingly vulnerable to malware attacks. However, out-of-band authentication directed to or input through the same device that initiates the transaction may not be effective since that device may have been compromised. For business customers, the out-of-band authentication or verification can be provided by someone other than the person who first initiated the transaction and can be combined with other administrative controls. Additionally, the use of out-of-band authentication or verification, for administrative changes to online business accounts, can be an effective control to reduce fraudulent funds transfers.

And finally, in the Appendix the FFIEC states:
Out-of-Band Authentication
Out-of-band authentication includes any technique that allows the identity of the individual originating a transaction to be verified through a channel different from the one the customer is using to initiate the transaction. This type of layered authentication has been used in the commercial banking/brokerage business for many years.




Let's hear from an internal Auditor of 6.5 years at mid-sized Commercial Banking institutions, ehh




Slide show from an auditor.
https://www.google.com/url?sa=t&source=web&rct=j&url=https://chapters.theiia.org/western-new-york/ChapterDocuments/FFIEC%2520Authentication%2520Guidance.pptx&ved=0ahUKEwibxIPyjsXTAhVM8CYKHT-yAJIQFghRMAY&usg=AFQjCNGCKVdH3GKRSMgysH7NLFXWBstY0w&sig2=PEqozgZBq_8xWkyLclejQg





In conclusion we also have PCI stating OOB MFA must be used in the Credit Card Payment Processing too.

And just because no Standards Organization or Regulatory Body is using the word StrikeForce, to Remain Impartial they use the Term Out-of-Band MFA.

And OOB MFA (like it or not) is synonymous with StrikeForce Technologies.

Even if I were to concede for the Moment that the Microsoft Settlement were just a "payoff" and that the OOB MFA within its AZURE touches People in 128 different Countries.

And I have to wait any Amount of Time for it to be Fully Vetted in the 7 current Lawsuits in which StrikeForce has won Settlements or a Jury Trial, with two of the Best Law Firms in the U.S. and the World Behind them. The ultimate reality is OOB MFA is synonymous with the name StrikeForce Technologies.

This is not some little-used technology; this will be used in every Payment Processing Transaction, Consumer Banking Transaction, and in Protecting Most Banks' Internal Networks as well as most Corporations handling Consumer Privacy and more.

Unfortunately, due to the many Industries' imperative need for Cyber Security and Microsoft Banging the Drum with AZURE, the Industry went to the only form of Authentication that has a chance of stopping the Hacking of Corporations, Banks, etc. Without time for the leading Cyber Technologies and companies to battle it out in the IEEE and fight it out for the International Standard.

Instead, that battle must take place in the Courtroom, with major Tech Giants using STI IP before the Court Cases are Complete.

As even though StrikeForce has been pounding the table for more than a Decade, the Threat was too Great; the Tech Industry was not prepared for the Hacking that was taking Place and moving at such an Exponential Speed; it thought it had Time. Well, there's no time left now.

Which is why companies like INTEL and McAfee have been incorporating StrikeForce's Patented IP into their Product Solutions, of which there is No Doubt.

You are free to say what you want; the fact remains Major Companies, the PCI, the ITU and even the FFIEC are saying OOB MFA is mandatory. And All Roads Lead to Rome, I mean RAM.


FFIEC Authentication in an Internet Banking Environment
https://www.google.com/url?sa=t&source=web&rct=j&url=https://www.ffiec.gov/pdf/authentication_guidance.pdf&ved=0ahUKEwjczZG8g8XTAhVI6iYKHfzFBXsQFgg3MAA&usg=AFQjCNFO5OWN23a87WXm0ZCSzzrBwWDGNg&sig2=hjMRzhATdQxX3ADKSKAB4Q


FFIEC 2011 Supplement
https://www.ffiec.gov/press/pr062811.htm

FFIEC 2013
https://www.ffiec.gov/press/pr121113.htm

FFIEC 2016
FFIEC's New Mobile Security Guidance: An Assessment
Authentication and authorization. A financial institution should have a process for authenticating users of MFS to protect customers against fraudulent transactions or malicious activities. Depending on the technology used and associated level of risk, financial institutions may consider biometric (e.g., voice, fingerprint, facial recognition) or out-of-band authentication processes. The financial institution should not use mobile payment applications that rely on less secure (e.g., single factor) methods of authentication.



This post is in reply to WBCTrader's Post:

the FFIEC does not get in bed with vendors, so they don't require any specific form of MFA only MFA on "transactions" or "risk activities" that have elevated risk. You can read the guidance.

It can be in the form of "stronger security questions"
OOB authentication

Authentication from a 2nd authorized employee (in the case of business transactions initiated online)

Software that monitors financial activity and presents MFA on unusual activity.

Bank or financial institution issued "secure usb tokens"

Text verification...

ETC.....
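The out-of-band verification that the quoted FFIEC guidance describes (a transaction initiated on one channel is re-verified over an independent channel, and a confirmation routed back to the initiating device "may not be effective since that device may have been compromised"), shown as an added example. This is not code from this post, from the FFIEC, or from any StrikeForce, Microsoft, Intel or McAfee product; the class names, the `HIGH_VALUE_THRESHOLD`, `CODE_TTL_SECONDS` and `MAX_ATTEMPTS` policy values, and the device and user names are all constructed for illustration. It also folds in the guidance's "dual customer authorization" point: for business customers, the confirming party can be required to differ from the initiator.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy values, not taken from the FFIEC guidance: transactions
# at or above this amount, or flagged anomalous by fraud monitoring, need OOB.
HIGH_VALUE_THRESHOLD = 10_000.00
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class Transaction:
    txn_id: str
    amount: float
    initiator: str       # user who submitted the transaction
    origin_device: str   # channel/device that initiated it (e.g. a browser session)
    anomalous: bool = False


@dataclass
class PendingChallenge:
    txn: Transaction
    code: str
    issued_at: float
    target_device: str   # the independent channel the code was delivered to
    attempts: int = 0
    used: bool = False


class OutOfBandVerifier:
    """Hypothetical OOB verifier: a one-time code is delivered over a channel
    independent of the initiating one, and is accepted only from there."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, PendingChallenge] = {}

    @staticmethod
    def requires_oob(txn: Transaction) -> bool:
        """Risk-based trigger: high-value or anomalous transactions."""
        return txn.anomalous or txn.amount >= HIGH_VALUE_THRESHOLD

    def issue(self, txn: Transaction, target_device: str) -> str:
        """Create a challenge for txn, destined for target_device.
        Refused when that is the initiating device: a compromised endpoint
        would otherwise receive, and could replay, its own confirmation."""
        if target_device == txn.origin_device:
            raise ValueError("OOB channel must differ from the initiating device")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn.txn_id] = PendingChallenge(
            txn, code, self._clock(), target_device)
        # In a real deployment the code goes to the SMS/voice/push gateway only,
        # never back to the session that submitted the transaction.
        return code

    def verify(self, txn_id: str, presented_code: str, presented_by: str,
               from_device: str, dual_control: bool = False) -> bool:
        """Accept the code only from the independent channel, once, within the
        TTL, with bounded guesses, and (under dual control) from someone other
        than the initiator."""
        ch = self._pending.get(txn_id)
        if ch is None or ch.used or ch.attempts >= MAX_ATTEMPTS:
            return False
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            return False
        if from_device != ch.target_device:
            return False
        if dual_control and presented_by == ch.txn.initiator:
            return False
        ch.attempts += 1
        if hmac.compare_digest(presented_code, ch.code):
            ch.used = True   # single use: a replayed code is rejected
            return True
        return False


if __name__ == "__main__":
    v = OutOfBandVerifier()
    txn = Transaction("T1", 25_000.00, "alice", "browser-session-1")
    if v.requires_oob(txn):
        code = v.issue(txn, "phone-of-alice")                        # second channel
        print(v.verify("T1", code, "alice", "browser-session-1"))   # False: same device
        print(v.verify("T1", code, "alice", "phone-of-alice"))      # True
        print(v.verify("T1", code, "alice", "phone-of-alice"))      # False: replay
```

The check that matters most is the one in `issue`: the code is never addressed to the device that created the transaction, so malware on that device has nothing to intercept. `verify` then refuses codes presented from any channel other than the one they were sent to, which is the property the guidance calls "an independent delivery channel"; the TTL, attempt limit and single-use flag are ordinary hygiene for any one-time code.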