The PhishLabs Blog

Did FFIEC guidelines curb account takeover? Survey says…

Posted by Lindsey Havens on Sep 9, '15

In a recent study conducted by Info Security Media Group (ISMG), respondents indicated that, despite efforts to comply with updated authentication guidance set forth by the Federal Financial Institutions Examination Council (FFIEC), account takeover (ATO) has not decreased. In fact, 71 percent of respondents said that account takeover incidents either stayed the same or increased over the past year.

Respondents feel confident in defenses

Although ATO incidents have remained the same or increased, respondents reported higher confidence in their defenses today than four years ago. 

Conflicting messages

There are some fundamental factors at play that continue to drive ATO. The cybercrime economy has been booming for years now - there’s just too much money at stake for cybercriminals. Couple that with the need to make banking easy and accessible and the conditions are in place for exactly what we’ve seen – institutions continue to implement new controls and soon after, cybercriminals figure out a way past them. Simply put, if account holders can get into their accounts, so can the bad guys.

What do survey results tell us about FFIEC guidelines?

Conformance to the guidelines is necessary, but not sufficient. Stronger authentication measures were needed at the time of issuance and are absolutely needed today. However, as you tend to see with compliance requirements across the board, the guidance sets a minimum baseline, and just being compliant isn’t really enough. That said, when the guidance was being drafted and published, a lot of people were expecting that those additional measures would put a real dent in the level of account takeover, and that just hasn’t been the case.

In this interview with Bank Info Security, PhishLabs CEO John LaCour discusses why the FFIEC-recommended security controls have fallen short, resulting in increases in fraud losses and ATO. LaCour points out that most investments have been in tools that catch attacks after credentials have been compromised. He notes that the underinvestment has been in detection controls and tools that prevent account takeover up front.

In subsequent blog posts, we’ll further explore the survey results on defenses currently in place and on future investments to protect against ATO. Subscribe to our blog to stay tuned, or download the full report.

Topics: Fraud, ATO, Account Takeover
