International Financial Reporting Standards
International Financial Reporting Standards (IFRS known by the acronym derived from the name in English International Financial Reporting Standards) is a set of accounting standards. Now they are issued by the International Accounting Standards Board (IASB). Many of the standards forming part of IFRS are known by its old name of International Accounting Standards (IAS).
IAS were issued between 1973 and 2001 by the International Accounting Standards Committee (IASC). In April 2001 the IASB adopted all IAS, then continuing their development. The new standards, however, bears the name of IFRS.
Although currently there are no longer issued IAS standards, existing ones are still in force until replaced or amended by issuing new IFRS standards.Content[Hide]
* Applicability of IFRS 1
a European Union 1.1
a 1.2 Convergence with U.S. GAAP
* IFRS 2 Structure
a list IFRS 2.1
* 3 Grades
[Edit] Applicability of IFRS
IFRS are used in many countries around the world including in the Member States of the European Union (EU), Hong Kong, Australia, Russia, South Africa, Singapore and Pakistan. Approximately 100 countries require or allow use of IFRS or convergence policy to them. [1]
For the situation to date, see the list of states that have adopted IFRS IAS Plus website.[Edit] European Union
All EU listed companies are currently required to prepare consolidated financial statements in accordance with IFRS.
To be approved for use in the EU, standards must be approved by the Accounting Regulatory Committee (ARC), composed of representatives of member governments and is advised by an expert group called the European Financial Reporting Advisory Group (EFRAG ).
Two sections of IAS 39 Financial Instruments: Recognition and evaluation have not been approved by the ARC and in this respect, applied IFRS in the EU are different from those issued by the IASB. Currently, the IASB cooperates with the EU to find an acceptable way to address this anomaly.
As IFRS are now part of European legislation, approved standards and all amendments thereto subsequently agreed to be published in the Official Journal of the European Union. On October 13, 2003, the first publication of the standards has been included in PB L 261. Amendments to IAS and IFRS standards published in the past can be monitored using the website of the European Union's Internal Market Directorate on implementation of IAS in the European Union.[Edit] Convergence with U.S. GAAP
In a meeting held in 2002 in Norwalk, Connecticut, the IASB and the Financial Accounting Standards Board in the United States of America (FASB) have agreed to harmonize their agendas and work together to reduce differences between IFRS and U.S. Generally Accepted Accounting Principles (U.S. GAAP). In February 2006, the FASB and IASB have signed a Memorandum of Understanding which contains a schedule of matters to which the two organizations intend to achieve convergence by 2008.
Securities and Exchanges Commission in the U.S. (SEC) currently requires all foreign companies listed on U.S. exchanges to prepare financial statements either in accordance with U.S. GAAP or in accordance with their local accounting standards, accompanied by a note to reconcile standards local U.S. GAAP. This requirement creates significant costs for listed companies while the U.S. and other countries. The SEC has proposed to amend this rule to eliminate the obligation to make a reconciliation to U.S. GAAP for foreign companies that prepare their financial statements in accordance with IFRS, in principle since 2009. [2] Companies based in the U.S. will still be required to report in accordance with U.S. GAAP.[Edit] Structure IFRS
IFRS are considered to be a set of standards "based on principles", as laid down general rules, but require specific accounting and certain treatments.
International Financial Reporting Standards include:
* International Financial Reporting Standards (IFRS) - standards issued after 2001
* International Accounting Standards (IAS) - standards issued before 2001
* Interpretations of the International Committee on Financial Reporting Interpretations Committee (IFRIC) - issued after 2001
* Interpretations of the Standing Interpretations Committee (SIC) - issued before 2001
There is also a General Framework for the Preparation and Presentation of Financial Statements, which describes some of the principles underlying IFRS.[Edit] List IFRS
The following standards are currently in force:
* IFRS 1 First-time Adoption of International Financial Reporting Standards
* IFRS 2 Share-based Payment
* IFRS 3 Business Combinations
* IFRS 4 Insurance Contracts
* IFRS 5 Non-current Assets Held for Sale and Discontinued Operations
* IFRS 6 Exploration for and Evaluation of Mineral Resources
* IFRS 7 Financial Instruments: Disclosures
* IFRS 8 Operating Segments
* IAS 1 Presentation of Financial Statements
* IAS 2: Inventories
* IAS 7: Cash flow statement
* IAS 8 Accounting Policies, Changes in Accounting Estimates and Errors
* IAS 10 Events after the Reporting Period
* IAS 11: Construction Contracts
* IAS 12: Income Taxes
* IAS 16: Property, plant and equipment
* IAS 17: Leases
* IAS 18: Revenue
* IAS 19: Employee Benefits
* IAS 20: Accounting for Government Grants and Disclosure of Government Assistance
* IAS 21 The Effects of Changes in Foreign Exchange Rates
* IAS 23: Borrowing Costs
* IAS 24: Related Party Disclosures
* IAS 26: Accounting and Reporting by Retirement Benefit Plans
* IAS 27: Consolidated and Separate Financial Statements
* IAS 28: Investments in Associates
* IAS 29: Financial reporting in hyperinflationary economies
* IAS 31: Interests in Joint Ventures
* IAS 32: Financial Instruments: Presentation
* IAS 33: Earnings per share
* IAS 34: Interim Financial Reporting
* IAS 36 Impairment of Assets
* IAS 37: Provisions, Contingent Liabilities and Contingent Assets
* IAS 38: Intangible Assets
* IAS 39: Financial Instruments: Recognition and Measurement
* IAS 40 Investment Property
* IAS 41: Agriculture
duminică, 26 septembrie 2010
Trojans
| SubSeven | = One of the most famous Trojans. This program almost completely controls the victims computer. Among the additional facilities of an IP scanner and found a book where you can keep victims IPs.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Undetected | = undetected is a trojan that became known as the most comprehensive program of its kind available on a large scale.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Infector | = This Trojan provides access to multiple operations such as upload / download, show / hide image, desktop preview, shut down / log off / reboot / power off, open the browser, open / close cd rom, webcam and TV view card etc.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Bionet | = Bionet trojan is believed to be unique pioneering the convenience. It is far superior to other programs such as source code or writing from scratch is that there is no similarity with other programs. One of the most important features is the method of compressing files that can be downloaded from the victim's computer, thanks to higher compression algorithm that is up to 98% more effective.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Asylum | = Trojan Another useful due to its friendly interface.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Undetected | = undetected is a trojan that became known as the most comprehensive program of its kind available on a large scale.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Infector | = This Trojan provides access to multiple operations such as upload / download, show / hide image, desktop preview, shut down / log off / reboot / power off, open the browser, open / close cd rom, webcam and TV view card etc.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Bionet | = Bionet trojan is believed to be unique pioneering the convenience. It is far superior to other programs such as source code or writing from scratch is that there is no similarity with other programs. One of the most important features is the method of compressing files that can be downloaded from the victim's computer, thanks to higher compression algorithm that is up to 98% more effective.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Asylum | = Trojan Another useful due to its friendly interface.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
Protection
There is only one proven method that can be used against a virus, never start a program that was not already on your computer and never use someone else's CD. Unfortunately this practice is still so, these things go used are:
¤ Backups - made frequent backups of files on your hard drive. Remember that at one time you could lose the entire hard drive contents. Have you made backups of all your important files? Things like passwords and phone numbers from an electronic book are the most difficult to recover. So be prepared for the worst.
¤ Rescue Disk - many programs such as Norton Utilities and TBAV and will allow you to create a "rescue disk" which is actually a floppy disk that you can boot in an emergency. This disk will contain a copy of important system information such as partition table, Master Boot Table (MBR), CMOS settings, and other important information.
Also on this disk, you should store tools that can be used in identifying, cleaning and removing viruses from harddisk. This disk should be write-protected, and updated each time you change the system.
¤ Anti-Virus Software - There are many anti-virus programs available on the electronic market. Generally the best but there are shareware and some freeware. But be careful what software to use in fighting viruses as some are not very effective.
¤ Information - Try to get some information about how the virus works, find out what new ones have appeared and how you can defend them. Most computer users ignore information on how to drive a virus. Reading this article you've just made a big step in protecting your computer from virus attack.
¤ Backups - made frequent backups of files on your hard drive. Remember that at one time you could lose the entire hard drive contents. Have you made backups of all your important files? Things like passwords and phone numbers from an electronic book are the most difficult to recover. So be prepared for the worst.
¤ Rescue Disk - many programs such as Norton Utilities and TBAV and will allow you to create a "rescue disk" which is actually a floppy disk that you can boot in an emergency. This disk will contain a copy of important system information such as partition table, Master Boot Table (MBR), CMOS settings, and other important information.
Also on this disk, you should store tools that can be used in identifying, cleaning and removing viruses from harddisk. This disk should be write-protected, and updated each time you change the system.
¤ Anti-Virus Software - There are many anti-virus programs available on the electronic market. Generally the best but there are shareware and some freeware. But be careful what software to use in fighting viruses as some are not very effective.
¤ Information - Try to get some information about how the virus works, find out what new ones have appeared and how you can defend them. Most computer users ignore information on how to drive a virus. Reading this article you've just made a big step in protecting your computer from virus attack.
O OCC BULLETIN
Comptroller of the Currency
Administrator of National Banks
Subject:
Banking Environment
Authentication in an InternetDescription: Interagency GuidanceTO:
Technology Service Providers, Department and Division Heads, and All Examining
Personnel
The Federal Financial Institutions Examination Council (FFIEC) has issued the attached
guidance, “Authentication in an Internet Banking Environment.” This updated interagency
guidance, which replaces the FFIEC’s
Chief Executive Officers of All National Banks, Federal Branches and Agencies,Authentication in an Electronic Banking Environment,issued in 2001, specifically addresses the need for risk-based assessment, customer awareness,
and security measures to authenticate customers using a financial institution’s Internet-based
services.
This guidance applies to both retail and commercial customers and does not endorse any
particular technology. National banks should use this guidance when evaluating and
implementing authentication systems and practices whether they are provided internally or by a
technology service provider. Although this guidance is focused on the risks and risk
management techniques associated with the Internet delivery channel, the principles are
applicable to all forms of electronic banking activities.
Consistent with the
Security Booklet December 2002, financial institutions should periodically:
FFIEC Information Technology Examination Handbook, Information•
– Identifies and assesses the risks associated with Internet-based products and services;
– Identifies risk mitigation actions, including appropriate authentication strength; and
– Measures and evaluates customer awareness efforts;
Ensure that their information security program:•
technology, the sensitivity of their customer information, and internal or external threats to
information; and
Adjust, as appropriate, their information security program in light of any relevant changes in•
Examiners should begin to assess national banks’ progress in meeting the expectations outlined
in the guidance and, thereafter, monitor ongoing conformance as needed during the risk-based
supervisory process. Banks are expected to have achieved conformance with the guidance by
year-end 2006.
For questions concerning the guidance, contact Bank Information Technology at (202) 874-4740.
__________________________________________
Mark L. O’Dell
Deputy Comptroller for Operational Risk
Attachment: Authentication Guidance
[http://www.ffiec.gov/pdf/authentication_guidance.pdf]
FFIEC Press Release
[http://www.ffiec.gov/press/pr101205.htm]
Implement appropriate risk mitigation strategies.Date:
October 12, 2005 Page 2 of 2Federal Financial Institutions Examination Council
3501 Fairfax Drive
• Room 3086 • Arlington, VA 22226-3550 • (703) 516-5588 • FAX (703) 516-5487 • http://www.ffiec.govAuthentication in an Internet Banking Environment
Purpose
On August 8, 2001, the FFIEC agencies
an Electronic Banking Environment
management controls necessary to authenticate the identity of retail and commercial customers
accessing Internet-based financial services. Since 2001, there have been significant legal and
technological changes with respect to the protection of customer information;
incidents of fraud, including identity theft; and the introduction of improved authentication
technologies. This updated guidance replaces the 2001 Guidance and specifically addresses
why financial institutions regulated by the agencies should conduct risk-based assessments,
evaluate customer awareness programs, and develop security measures to reliably authenticate
customers remotely accessing their Internet-based financial services.
This guidance applies to both retail and commercial customers and does not endorse any
particular technology. Financial institutions should use this guidance when evaluating and
implementing authentication systems and practices whether they are provided internally or by
a service provider. Although this guidance is focused on the risks and risk management
techniques associated with the Internet delivery channel, the principles are applicable to all
forms of electronic banking activities.
1 (agencies) issued guidance entitled Authentication in(2001 Guidance). The 2001 Guidance focused on risk2 increasingSummary of Key Points
The agencies consider single-factor authentication, as the only control mechanism, to be
inadequate for high-risk transactions involving access to customer information or the
movement of funds to other parties. Financial institutions offering Internet-based products and
services to their customers should use effective methods to authenticate the identity of
customers using those products and services. The authentication techniques employed by the
financial institution should be appropriate to the risks associated with those products and
services. Account fraud and identity theft are frequently the result of single-factor (e.g.,
ID/password) authentication exploitation. Where risk assessments indicate that the use of
1
Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.
Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit2
Interagency Guidelines Establishing Information Security Standards at section I.C.2. 12 CFR Part 30, app. B
(OCC); 12 CFR Part 208, app. D-2 and Part 225, app. F (FRB); 12 CFR Part 364, app. B (FDIC); 12 CFR Part
570, app. B (OTS); and 12 CFR Part 748, app. A (NCUA).
Customer information means any record containing nonpublic personal information as defined in the2
single-factor authentication is inadequate, financial institutions should implement multifactor
authentication, layered security, or other controls reasonably calculated to mitigate those risks.
Consistent with the
Security Booklet, December 2002, financial institutions should periodically:
FFIEC Information Technology Examination Handbook, Information•
– Identifies and assesses the risks associated with Internet-based products and services,
– Identifies risk mitigation actions, including appropriate authentication strength, and
– Measures and evaluates customer awareness efforts;
Ensure that their information security program:•
in technology, the sensitivity of its customer information, and internal or external threats
to information; and
Adjust, as appropriate, their information security program in light of any relevant changes•
Implement appropriate risk mitigation strategies.Background
Financial institutions engaging in any form of Internet banking should have effective and
reliable methods to authenticate customers. An effective authentication system is necessary for
compliance with requirements to safeguard customer information,
laundering and terrorist financing,
legal enforceability of their electronic agreements and transactions. The risks of doing business
with unauthorized or incorrectly identified persons in an Internet banking environment can
result in financial loss and reputation damage through fraud, disclosure of customer
information, corruption of data, or unenforceable agreements.
There are a variety of technologies and methodologies financial institutions can use to
authenticate customers. These methods include the use of customer passwords, personal
identification numbers (PINs), digital certificates using a public key infrastructure (PKI),
physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins or other types
of “tokens”, transaction profile scripts, biometric identification, and others. (The appendix to
this guidance contains a more detailed discussion of authentication techniques.) The level of
risk protection afforded by each of these techniques varies. The selection and use of
authentication technologies and methods should depend upon the results of the financial
institution’s risk assessment process.
3 to prevent money4 to reduce fraud, to inhibit identity theft, and to promote the3
Gramm–Leach–Bliley Act, 15 USC 6801, require banks and savings associations to safeguard the information of
persons who obtain or have obtained a financial product or service to be used primarily for personal, family or
household purposes, with whom the institution has a continuing relationship. Credit unions are subject to a
similar rule.
The Interagency Guidelines Establishing Information Security Standards that implement section 501(b) of the4
associations and credit unions to verify the identity of customers opening new accounts. See 31 CFR 103.121; 12
CFR 21.21 (OCC); 12 CFR 563.177 (OTS); 12 CFR 326.8 (FDIC); 12 CFR 208.63 (state member banks), 12
CFR 211.5(m) (Edge or agreement corporation or any branch or subsidiary thereof), 12 CFR 211.24(j) (uninsured
branch, an agency, or a representative office of a foreign financial institution operating in the United States
(FRB); and 12 CFR Part 748.2 (NCUA).
The regulations implementing section 326 of the USA PATRIOT Act, 31 USC § 5318(l), require banks, savings3
Existing authentication methodologies involve three basic “factors”:
•
Something the user knows (e.g., password, PIN);•
Something the user has (e.g., ATM card, smart card); and•
Authentication methods that depend on more than one factor are more difficult to compromise
than single-factor methods. Accordingly, properly designed and implemented multifactor
authentication methods are more reliable and stronger fraud deterrents. For example, the use
of a logon ID/password is single-factor authentication (i.e., something the user knows);
whereas, an ATM transaction requires multifactor authentication: something the user possesses
(i.e., the card) combined with something the user knows (i.e., PIN). A multifactor
authentication methodology may also include “out–of–band”
The success of a particular authentication method depends on more than the technology. It
also depends on appropriate policies, procedures, and controls. An effective authentication
method should have customer acceptance, reliable performance, scalability to accommodate
growth, and interoperability with existing systems and future plans.
Something the user is (e.g., biometric characteristic, such as a fingerprint).5 controls for risk mitigation.Risk Assessment
The implementation of appropriate authentication methodologies should start with an
assessment of the risk posed by the institution’s Internet banking systems. The risk should be
evaluated in light of the type of customer (e.g., retail or commercial); the customer
transactional capabilities (e.g., bill payment, wire transfer, loan origination); the sensitivity of
customer information being communicated to both the institution and the customer; the ease of
using the communication method; and the volume of transactions. Prior agency guidance has
elaborated on this risk-based and “layered” approach to information security.
6An effective authentication program should be implemented to ensure that controls and
authentication tools are appropriate for all of the financial institution’s Internet-based products
and services. Authentication processes should be designed to maximize interoperability and
should be consistent with the financial institution’s overall strategy for Internet banking and
electronic commerce customer services. The level of authentication used by a financial
institution in a particular application should be appropriate to the level of risk in that
application.
A comprehensive approach to authentication requires development of, and adherence to, the
institution’s information security standards, integration of authentication processes within the
5
transaction. Callback (voice) verification, e-mail approval or notification, and cell–phone based challenge/
response processes are some examples.
Out–of–band generally refers to additional steps or actions taken beyond the technology boundaries of a typical6
Information Technology Examination Handbook,
FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002; FFIECE-Banking Booklet, August 2003.4
overall information security framework, risk assessments within lines of businesses supporting
selection of authentication tools, and central authority for oversight and risk monitoring. This
authentication process should be consistent with and support the financial institution’s overall
security and risk management programs.
The method of authentication used in a specific Internet application should be appropriate and
reasonable, from a business perspective, in light of the reasonably foreseeable risks in that
application. Because the standards for implementing a commercially reasonable system may
change over time as technology and other procedures develop, financial institutions and
technology service providers should develop an ongoing process to review authentication
technology and ensure appropriate changes are implemented.
The agencies consider single-factor authentication, as the only control mechanism, to be
inadequate for high-risk transactions involving access to customer information or the
movement of funds to other parties. Single-factor authentication tools, including passwords
and PINs, have been widely used for a variety of Internet banking and electronic commerce
activities, including account inquiry, bill payment, and account aggregation. However,
financial institutions should assess the adequacy of such authentication techniques in light of
new or changing risks such as phishing, pharming,
of compromise techniques. Where risk assessments indicate that the use of single-factor
authentication is inadequate, financial institutions should implement multifactor authentication,
layered security, or other controls reasonably calculated to mitigate those risks.
The risk assessment process should:
7 malware,8 and the evolving sophistication•
products and services;
Identify all transactions and levels of access associated with Internet-based customer•
employed for each transaction type and level of access; and
Identify and assess the risk mitigation techniques, including authentication methodologies,•
changing risk factors for each transaction type and level of access.
Include the ability to gauge the effectiveness of risk mitigation techniques for current andAccount Origination and Customer Verification
With the growth in electronic banking and commerce, financial institutions should use reliable
methods of originating new customer accounts online. Moreover, customer identity
verification during account origination is required by section 326 of the USA PATRIOT Act
and is important in reducing the risk of identity theft, fraudulent account applications, and
unenforceable account agreements or transactions. Potentially significant risks arise when a
financial institution accepts new customers through the Internet or other electronic channels
7
Web sites where their information is captured, usually from a legitimate–looking form.
Similar in nature to e-mail phishing, pharming seeks to obtain personal information by directing users to spoofed8
passwords, account numbers, and PINs.
Short for malicious software, such as software designed to capture and forward private information such as ID’s,5
because of the absence of the physical cues that financial institutions traditionally use to
identify persons.
One method to verify a customer’s identity is a physical presentation of a proof of identity
credential such as a driver's license. Similarly, to establish the validity of a business and the
authority of persons to perform transactions on its behalf, financial institutions typically review
articles of incorporation, business credit reports, board resolutions identifying officers and
authorized signers, and other business credentials. However, in an Internet banking
environment, reliance on these traditional forms of paper-based verification decreases
substantially. Accordingly, financial institutions need to use reliable alternative methods.
(The appendix to this guidance describes verification processes in more detail.)
Monitoring and Reporting
Monitoring systems can determine if unauthorized access to computer systems and customer
accounts has occurred. A sound authentication system should include audit features that can
assist in the detection of fraud, money laundering, compromised passwords, or other
unauthorized activities. The activation and maintenance of audit logs can help institutions to
identify unauthorized activities, detect intrusions, reconstruct events, and promote employee
and user accountability. In addition, financial institutions should report suspicious activities to
appropriate regulatory and law enforcement agencies as required by the Bank Secrecy Act.
9Financial institutions should rely on multiple layers of control to prevent fraud and safeguard
customer information. Much of this control is not based directly upon authentication. For
example, a financial institution can analyze the activities of its customers to identify suspicious
patterns. Financial institutions also can rely on other control methods, such as establishing
transaction dollar limits that require manual intervention to exceed a preset limit.
Adequate reporting mechanisms are needed to promptly inform security administrators when
users are no longer authorized to access a particular system and to permit the timely removal or
suspension of user account access. Furthermore, if critical systems or processes are outsourced
to third parties, management should ensure that the appropriate logging and monitoring
procedures are in place and that suspected unauthorized activities are communicated to the
institution in a timely manner. An independent party (e.g., internal or external auditor) should
review activity reports documenting the security administrators’ actions to provide the
necessary checks and balances for managing system security.
Customer Awareness
Financial institutions have made, and should continue to make, efforts to educate their
customers. Because customer awareness is a key defense against fraud and identity theft,
9
member banks]; 12 CFR 211.5 (k) [edge or agreement corporation, or any branch or subsidiary thereof]; 12 CFR
211.24 (f) [uninsured branch, an agency, or a representative office of a foreign financial institution operating in
the United States]; 12 CFR 225.4 (f) [bank holding company or any non bank subsidiary thereof] (FRB); and 12
CFR Part 748.1 and Part 748.2 (NCUA).
31 USC 5318; 12 CFR 21.11 (OCC); 12 CFR 563.180 (OTS); 12 CFR 353 (FDIC); 12 CFR 208.62 [state6
financial institutions should evaluate their consumer education efforts to determine if
additional steps are necessary. Management should implement a customer awareness program
and periodically evaluate its effectiveness. Methods to evaluate a program’s effectiveness
include tracking the number of customers who report fraudulent attempts to obtain their
authentication credentials (e.g., ID/password), the number of clicks on information security
links on Web sites, the number of statement stuffers or other direct mail communications, the
dollar amount of losses relating to identity theft, etc.
Conclusion
Financial institutions offering Internet-based products and services should have reliable and
secure methods to authenticate their customers. The level of authentication used by the
financial institution should be appropriate to the risks associated with those products and
services. Financial institutions should conduct a risk assessment to identify the types and
levels of risk associated with their Internet banking applications. Where risk assessments
indicate that the use of single-factor authentication is inadequate, financial institutions should
implement multifactor authentication, layered security, or other controls reasonably calculated
to mitigate those risks. The agencies consider single-factor authentication, as the only control
mechanism, to be inadequate in the case of high-risk transactions involving access to customer
information or the movement of funds to other parties.
7
Appendix
10Background
The term
identity of a person or entity. Within the realm of electronic banking systems, the
authentication process is one method used to control access to customer accounts and personal
information. Authentication is typically dependent upon customers providing valid
identification data followed by one or more authentication credentials (factors) to prove their
identity.
Customer identifiers may be a bankcard for ATM usage, or some form of user ID for remote
access. An authentication factor (e.g. PIN or password) is secret or unique information linked
to a specific customer identifier that is used to verify that identity.
Generally, the way to authenticate customers is to have them present some sort of factor to
prove their identity. Authentication factors include one or more of the following:
authentication, as used in this guidance, describes the process of verifying the•
correct password or PIN, access is granted.
Something a person knows—commonly a password or PIN. If the user types in the•
Tokens include self-contained devices that must be physically connected to a
computer or devices that have a small screen where a one-time password (OTP) is
displayed, which the user must enter to be authenticated.
Something a person has—most commonly a physical device referred to as a token.•
voice pattern, hand geometry, or the pattern of veins in the user’s eye. This type of
authentication is referred to as “biometrics” and often requires the installation of specific
hardware on the system to be accessed.
Authentication methodologies are numerous and range from simple to complex. The level of
security provided varies based upon both the technique used and the manner in which it is
deployed. Single-factor authentication involves the use of one factor to verify customer
identity. The most common single-factor method is the use of a password. Two-factor
authentication is most widely used with ATMs. To withdraw money from an ATM, the
customer must present both an ATM card (
(
customer identity. Authentication methodologies based upon multiple factors can be more
difficult to compromise and should be considered for high-risk situations. The effectiveness of
a particular authentication technique is dependent upon the integrity of the selected product or
process and the manner in which it is implemented and managed.
Something a person is—most commonly a physical characteristic, such as a fingerprint,something the person has) and a password or PINsomething the person knows). Multifactor authentication utilizes two or more factors to verify10
(December 14, 2004) and the FDIC Study Supplement (June 17, 2005).
This Appendix is based upon the FDIC Study – “Putting an End to Account-Hijacking Identity Theft”8
Authentication Techniques, Processes, and Methodologies
Material provided in the following sections is for informational purposes only. The selection
and use of any technique should be based upon the assessed risk associated with a particular
electronic banking product or service.
Shared Secrets
Shared secrets (
by both the customer and the authenticating entity. Passwords and PINs are the best known
shared secret techniques but some new and different types are now being used as well. Some
additional examples are:
something a person knows) are information elements that are known or shared•
amount of the customer’s monthly mortgage payment.
Questions or queries that require specific customer knowledge to answer, e.g., the exact•
The customer’s selection of a shared secret normally occurs during the initial enrollment
process or via an offline ancillary process. Passwords or PIN values can be chosen, questions
can be chosen and responses provided, and images may be uploaded or selected.
The security of shared secret processes can be enhanced with the requirement for periodic
change. Shared secrets that never change are described as “static” and the risk of compromise
increases over time. The use of multiple shared secrets also provides increased security
because more than one secret must be known to authenticate.
Shared secrets can also be used to authenticate the institution’s Web site to the customer. This
is discussed in the Mutual Authentication section.
Customer-selected images that must be identified or selected from a pool of images.Tokens
Tokens are physical devices (
authentication scheme. Three types of tokens are discussed here: the USB token device, the
smart card, and the password-generating token.
USB Token Device
The USB token device is typically the size of a house key. It plugs directly into a computer’s
USB port and therefore does not require the installation of any special hardware on the user’s
computer. Once the USB token is recognized, the customer is prompted to enter his or her
password (the second authenticating factor) in order to gain access to the computer system.
USB tokens are one-piece, injection-molded devices. USB tokens are hard to duplicate and are
tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and
credentials. The device has the ability to store digital certificates that can be used in a public
key infrastructure (PKI) environment.
something the person has) and may be part of a multifactor9
The USB token is generally considered to be user-friendly. Its small size makes it easy for the
user to carry and, as noted above, it plugs into an existing USB port; thus the need for
additional hardware is eliminated.
Smart Card
A smart card is the size of a credit card and contains a microprocessor that enables it to store
and process data. Inclusion of the microprocessor enables software developers to use more
robust authentication schemes. To be used, a smart card must be inserted into a compatible
reader attached to the customer’s computer. If the smart card is recognized as valid (first
factor), the customer is prompted to enter his or her password (second factor) to complete the
authentication process.
Smart cards are hard to duplicate and are tamper resistant; thus, they are a relatively secure
vehicle for storing sensitive data and credentials. Smart cards are easy to carry and easy to use.
Their primary disadvantage as a consumer authentication device is that they require the
installation of a hardware reader and associated software drivers on the consumer’s home
computer.
Password-Generating Token
A password-generating token produces a unique pass-code, also known as a one-time password
each time it is used. The token ensures that the same OTP is not used consecutively. The OTP
is displayed on a small screen on the token. The customer first enters his or her user name and
regular password (first factor), followed by the OTP generated by the token (second factor).
The customer is authenticated if (1) the regular password matches and (2) the OTP generated
by the token matches the password on the authentication server. A new OTP is typically
generated every 60 seconds—in some systems, every 30 seconds. This very brief period is the
life span of that password. OTP tokens generally last 4 to 5 years before they need to be
replaced.
Password-generating tokens are secure because of the time-sensitive, synchronized nature of
the authentication. The randomness, unpredictability, and uniqueness of the OTPs
substantially increase the difficulty of a cyber thief capturing and using OTPs gained from
keyboard logging.
Biometrics
Biometric technologies identify or authenticate the identity of a living person on the basis of a
physiological or physical characteristic (
include fingerprints, iris configuration, and facial structure. Physical characteristics include,
for example, the rate and flow of movements, such as the pattern of data entry on a computer
keyboard. The process of introducing people into a biometrics-based system is called
“enrollment.” In enrollment, samples of data are taken from one or more physiological or
physical characteristics; the samples are converted into a mathematical model, or template; and
the template is registered into a database on which a software application can perform analysis.
something a person is). Physiological characteristics10
Once enrolled, customers interact with the live-scan process of the biometrics technology. The
live scan is used to identify and authenticate the customer. The results of a live scan, such as a
fingerprint, are compared with the registered templates stored in the system. If there is a
match, the customer is authenticated and granted access.
Biometric identifiers are most commonly used as part of a multifactor authentication system,
combined with a password (
Various biometric techniques and identifiers are being developed and tested, these include:
something a person knows) or a token (something a person has).•
fingerprint recognition;•
face recognition;•
voice recognition;•
keystroke recognition;•
handwriting recognition;•
finger and hand geometry;•
retinal scan; and•
Two biometric techniques that are increasingly gaining acceptance are fingerprint recognition
and face recognition.
Fingerprint Recognition
Fingerprint recognition technologies analyze global pattern schemata on the fingerprint, along
with small unique marks known as minutiae, which are the ridge endings and bifurcations or
branches in the fingerprint ridges. The data extracted from fingerprints are extremely dense
and the density explains why fingerprints are a very reliable means of identification.
Fingerprint recognition systems store only data describing the exact fingerprint minutiae;
images of actual fingerprints are not retained. Fingerprint scanners may be built into computer
keyboards or pointing devices (mice), or may be stand-alone scanning devices attached to a
computer.
Fingerprints are unique and complex enough to provide a robust template for authentication.
Using multiple fingerprints from the same individual affords a greater degree of accuracy.
Fingerprint identification technologies are among the most mature and accurate of the various
biometric methods of identification.
iris scan.11Although end users should have little trouble using a fingerprint-scanning device, special
hardware and software must be installed on the user’s computer. Fingerprint recognition
implementation will vary according to the vendor and the degree of sophistication required.
This technology is not portable since a scanning device needs to be installed on each
participating user’s computer. However, fingerprint biometrics is generally considered easier
11
technologies to authenticate ATM users, are eliminating the need for an ATM card and the expense of replacing
lost or stolen cards.
Currently, some financial institutions, domestic and foreign, that use fingerprint recognition and other biometric11
to install and use than other, more complex technologies, such as iris scanning. Enrollment can
be performed either at the financial institution’s customer service center or remotely by the
customer after he or she has received setup instructions and passwords. According to
fingerprint technology vendors, there are several scenarios for remote enrollment that provide
adequate security, but for large-dollar transaction accounts, the institution should consider
requiring that customers appear in person.
Face Recognition
Most face recognition systems focus on specific features on the face and make a twodimensional
map of the face. Newer systems make three-dimensional maps. The systems
capture facial images from video cameras and generate templates that are stored and used for
comparisons. Face recognition is a fairly young technology compared with other biometrics
like fingerprints.
Facial scans are only as good as the environment in which they are collected. The so-called
“mug shot” environment is ideal. The best scans are produced under controlled conditions
with proper lighting and proper placement of the video device. As part of a highly sensitive
security environment, there may be several cameras collecting image data from different
angles, producing a more exact scan. Certain facial scanning applications also include tests for
liveness, such as blinking eyes. Testing for liveness reduces the chance that the person
requesting access is using a photograph of an authorized individual.
Non-Hardware-Based One-Time-Password Scratch Card
Scratch cards (
generating tokens discussed previously. The card, similar to a bingo card or map location
look-up, usually contains numbers and letters arranged in a row-and-column format, i.e., a
grid. The size of the card determines the number of cells in the grid.
Used in a multifactor authentication process, the customer first enters his or her user name and
password in the established manner. Assuming the information is input correctly, the customer
will then be asked to input, as a second authentication factor, the characters contained in a
randomly chosen cell in the grid. The customer will respond by typing in the data contained in
the grid cell element that corresponds to the challenge coordinates.
Conventional OTP hardware tokens rely on electronics that can fail through physical abuse or
defects, but placing the grid on a wallet-sized plastic card makes it durable and easy to carry.
This type of authentication requires no training and, if the card is lost, replacement is relatively
easy and inexpensive.
something a person has) are less-expensive, “low-tech” versions of the OTPOut-of-Band Authentication
Out-of-band authentication includes any technique that allows the identity of the individual
originating a transaction to be verified through a channel different from the one the customer is
using to initiate the transaction. This type of layered authentication has been used in the
commercial banking/brokerage business for many years. For example, funds transfer requests,
12
purchase authorizations, or other monetary transactions are sent to the financial institution by
the customer either by telephone or by fax. After the institution receives the request, a
telephone call is usually made to another party within the company (if a business-generated
transaction) or back to the originating individual. The telephoned party is asked for a
predetermined word, phrase, or number that verifies that the transaction was legitimate and
confirms the dollar amount. This layering approach precludes unauthorized transactions and
identifies dollar amount errors, such as when a $1,000.00 order was intended but the decimal
point was misplaced and the amount came back as $100,000.00.
In today’s environment, the methods of origination and authentication are more varied. For
example, when a customer initiates an online transaction, a computer or network-based server
can generate a telephone call, an e-mail, or a text message. When the proper response (a
verbal confirmation or an accepted-transaction affirmation) is received, the transaction is
consummated.
Internet Protocol Address (IPA) Location and Geo-Location
One technique to filter an online transaction is to know who is assigned to the requesting
Internet Protocol Address. Each computer on the Internet has an IPA, which is assigned either
by an Internet Service Provider or as part of the user’s network. If all users were issued a
unique IPA that was constantly maintained on an official register, authentication by IPA would
simply be a matter of collecting IPAs and cross-referencing them to their owners. However,
IPAs are not owned, may change frequently, and in some cases can be “spoofed.”
Additionally, there is no single source for associating an IPA with its current owner, and in
some cases matching the two may be impossible.
Some vendors have begun offering software products that identify several data elements,
including location, anonymous proxies, domain name, and other identifying attributes referred
to as “IP Intelligence.” The software analyzes this information in a real-time environment and
checks it against multiple data sources and profiles to prevent unauthorized access. If the
user’s IPA and the profiled characteristics of past sessions match information stored for
identification purposes, the user is authenticated. In some instances the software will detect
out-of-character details of the access attempt and quickly conclude that the user should not be
authenticated.
Geo-location technology is another technique to limit Internet users by determining where they
are or, conversely, where they are not. Geo-location software inspects and analyzes the small
bits of time required for Internet communications to move through the network. These
electronic travel times are converted into cyberspace distances. After these cyberspace
distances have been determined for a user, they are compared with cyberspace distances for
known locations. If the comparison is considered reasonable, the user's location can be
authenticated. If the distance is considered unreasonable or for some reason is not calculable,
the user will not be authenticated.
IPA verification or geo-location may prove beneficial as one factor in a multifactor
authentication strategy. However, since geo-location software currently produces usable
13
results only for land-based or wired communications, it may not be suitable for some wireless
networks that can also access the Internet such as cellular/digital telephones.
Mutual Authentication
Mutual authentication is a process whereby customer identity is authenticated and the target
Web site is authenticated to the customer. Currently, most financial institutions do not
authenticate their Web sites to the customer before collecting sensitive information. One
reason phishing attacks are successful is that unsuspecting customers cannot determine they
are being directed to spoofed Web sites during the collection stage of an attack. The spoofed
sites are so well constructed that casual users cannot tell they are not legitimate. Financial
institutions can aid customers in differentiating legitimate sites from spoofed sites by
authenticating their Web site to the customer.
Techniques for authenticating a Web site are varied. The use of digital certificates coupled
with encrypted communications (e.g. Secure Socket Layer, or SSL) is one; the use of shared
secrets such as digital images is another. Digital certificate authentication is generally
considered one of the stronger authentication technologies, and mutual authentication provides
a defense against phishing and similar attacks.
Customer Verification Techniques
Customer verification is a related but separate process from that of authentication. Customer
verification complements the authentication process and should occur during account
origination. Verification of personal information may be achieved in three ways:
•
information available from trusted third party sources. More specifically, a financial
institution can verify a potential customer's identity by comparing the applicant's answers
to a series of detailed questions against information in a trusted database (e.g., a reliable
credit report) to see if the information supplied by the applicant matches information in the
database. As the questions become more specific and detailed, correct answers provide
the financial institution with an increasing level of confidence that the applicant is who
they say they are.
Positive verification to ensure that material information provided by an applicant matches•
telephone area code, ZIP code, and street address match).
Logical verification to ensure that information provided is logically consistent (e.g., do the•
associated with fraudulent activity. For example, applicant information can be compared
against fraud databases to determine whether any of the information is associated with
known incidents of fraudulent behavior. In the case of commercial customers, however,
the sole reliance on online electronic database comparison techniques is not adequate since
certain documents (e.g., bylaws) needed to establish an individual's right to act on a
company's behalf are not available from databases. Institutions still must rely on
traditional forms of personal identification and document validation combined with
electronic verification tools.
Negative verification to ensure that information provided has not previously been14
Another authentication method consists of the financial institution relying on a third party to
verify the identity of the applicant. The third party would issue the applicant an electronic
credential, such as a digital certificate, that can be used by the applicant to prove his/her
identity. The financial institution is responsible for ensuring that the third party uses the same
level of authentication that the financial institution would use itself.
Press Releases
Federal Financial Institutions Examination Council
Press ReleaseFor Immediate Release
October 12, 2005FFIEC Releases Guidance on Authentication in Internet Banking Environment
The Federal Financial Institutions Examination Council (FFIEC) today released updated guidance on the
risks and risk management controls necessary to authenticate the identity of customers accessing Internetbased
financial services. The guidance,
reflect the many significant legal and technological changes with respect to the protection of customer
information, increasing incidents of identity theft and fraud, and the introduction of improved authentication
technologies and other risk mitigation strategies.
The continued growth of Internet banking and other forms of electronic banking activities and the increased
sophistication of threats to those environments have resulted in higher risks for financial institutions and their
customers. An effective authentication system is necessary for financial institutions’ compliance with
requirements to safeguard customer information; to prevent money laundering and terrorist financing; to
reduce fraud and the theft of sensitive customer information, often the precursor to identity theft; and to
promote legal enforceability of financial institutions’ electronic agreements and transactions.
This guidance, which replaces the FFIEC’s
2001, does not endorse any particular technology. This guidance specifically addresses the need for riskbased
assessment, customer awareness, and financial institutions’ implementation of appropriate risk
mitigation strategies including security measures to reliably authenticate customers accessing their financial
institutions’ Internet-based services.
The guidance is divided into two parts. The main portion of the guidance provides financial institutions with
guidance on authentication and discusses appropriate risk assessments, customer authentication, verification
of new customers, and monitoring and reporting. An appendix provides more detail about various
authentication technologies.
The agencies’ transmittal documents accompanying the guidance contain a consistent timeframe for financial
institutions to achieve conformance. In light of the catastrophic events associated with recent natural
disasters, namely Hurricanes Katrina and Rita, affected financial institutions will face many challenges
during the recovery process. These challenges may affect their ability to conform to the guidance within the
specified time frame. Affected financial institutions will be afforded an extension, when circumstances
warrant, for achieving conformance with the guidance.
A copy of the guidance is attached (PDF).
Authentication in an Internet Banking Environment, was issued toAuthentication in an Electronic Banking Environment issued inMedia Contacts:
Federal Reserve Andrew Williams (202) 452-2955
FDIC David Barr (202) 898-6992
NCUA Cherie Umbel (703) 518-6330
OCC Dean DeBuck (202) 874-5770
OTS Erin Hickman (202) 906-6677
Abonați-vă la:
Postări (Atom)