
Banks are required by law to follow government regulations that subject them to specific requirements, restrictions and guidelines, with the end goal being, among other things, transparency.

What about setting specific requirements for banking website security? Pew Research Center statistics reveal that 51% of U.S. adults bank online and 35% of cell phone owners bank using their mobile phones. Those figures come from a study performed in August 2013; as of January 2015, the numbers are almost certainly higher.

I count myself among those who perform bank transactions online and from a mobile phone. As a security professional, this has me wondering why there are no federal standards for online banking security.

A cursory check of my bank's online site shows that it lacks strong encryption and cipher standards. That alone isn't enough to make me stop banking online, but as a customer I would feel safer knowing stronger crypto was in place, and as an information security professional I would feel safer knowing there was a common set of standards that every online banking site is required to meet.
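The "cursory check" above can be made repeatable. The script below is an added example written for this page, not code from the author or from Tripwire: it records what a server actually negotiates (cipher suite, protocol version, key size, and whether the key exchange is ephemeral, i.e. forward secret) and grades it. The grading thresholds (TLS 1.2 minimum, 128-bit keys, the list of deprecated primitives) are this example's own assumptions about what "strong" means, not a published standard, and the sample handshakes are constructed, not captured from any bank.

```python
"""Grade the TLS handshake a server negotiates.

Added example for this page. The thresholds below are assumptions about what
counts as "strong", not a regulatory standard.
"""
import socket
import ssl

# Ordering of protocol names as Python's ssl module reports them.
_VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3,
                 "TLSv1.2": 4, "TLSv1.3": 5}
MIN_VERSION = "TLSv1.2"   # assumption: anything older is a finding
MIN_KEY_BITS = 128        # assumption: symmetric key size floor

# Substrings of OpenSSL-style suite names that mark a broken or deprecated
# primitive: RC4, single/triple DES, export grades, NULL encryption, MD5 MACs,
# anonymous key exchange.
_WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5", "ADH", "AECDH", "ANON")


def grade_handshake(cipher_name, version, key_bits):
    """Classify one negotiated (cipher, protocol, key bits) triple.

    Returns a dict with 'ok', 'forward_secrecy' and a list of 'reasons'.
    Forward secrecy is inferred from an ephemeral (EC)DH key exchange in the
    suite name; every TLS 1.3 suite is ephemeral by construction.
    """
    reasons = []
    upper = cipher_name.upper()

    for marker in _WEAK_MARKERS:
        if marker in upper:
            reasons.append(f"weak primitive in suite ({marker})")
            break

    if _VERSION_RANK.get(version, -1) < _VERSION_RANK[MIN_VERSION]:
        reasons.append(f"protocol {version} below {MIN_VERSION}")

    if key_bits < MIN_KEY_BITS:
        reasons.append(f"{key_bits}-bit key below {MIN_KEY_BITS}")

    forward_secrecy = (version == "TLSv1.3"
                       or upper.startswith(("ECDHE-", "DHE-", "EDH-")))
    if not forward_secrecy:
        reasons.append("no forward secrecy (static key exchange)")

    return {"ok": not reasons, "forward_secrecy": forward_secrecy,
            "reasons": reasons}


def check_host(host, port=443, timeout=5.0):
    """Connect to host:port, complete a TLS handshake with Python's default
    client settings, and grade what the server picked. Needs network access;
    the offline samples below do not call it."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
    result = grade_handshake(name, version, bits)
    result.update({"host": host, "cipher": name, "protocol": version})
    return result


# Constructed sample handshakes (not captured from any real bank site).
SAMPLES = [
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
    ("AES256-SHA", "TLSv1.2", 256),
    ("RC4-SHA", "TLSv1", 128),
]

if __name__ == "__main__":
    for name, version, bits in SAMPLES:
        print(name, version, grade_handshake(name, version, bits))
```

One caveat when pointing `check_host` at a live site: it only sees the single suite the server chose against a modern client, and `ssl.create_default_context()` itself refuses old protocol versions, so a server that still offers SSLv3 or RC4 to older clients will show up as a handshake failure or as a perfectly good suite rather than as a finding. Enumerating everything a server accepts takes a scanner that offers each suite in turn; this script is the quick first look, not the full audit.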

This brings me back to my thought experiment: just as banks are regulated to meet specific financial criteria, they should be required, by regulation, to meet strong encryption standards for online banking.

Once a set of security standards becomes federal regulation, banks would be checked regularly to verify they adhere to it, and heavy fines would be levied for non-compliance whenever they fail to meet the minimum standard.

What would the requirements for strong site cryptography be, and who would make the final call on them? It seems logical that this could fall to NIST, a non-partisan agency.

What would you consider strong standards? That would be a spirited debate and a decision for all involved, but I would like to see all bank sites required to support 2FA.

What do you think about mandatory online banking security standards? Please leave a comment with your thoughts.

Happy and Safe Computing!

About the Author: Brian M. Thomas (@InfoSec_Brian) is a passionate professional with 17 years’ experience providing Tier-4 data solutions in all disciplines of IT including Network/Server administration and Information Security. Proven experience in HIPAA, ISO 27001 and PCI compliance.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.

  • koray

    In Turkey we have BRSA regulations on Internet Banking. Not good enough to secure all areas, but the low level of security, especially on authentication, was defined.

  • Andrew Yeomans

    If the lack of strong encryption isn't enough to stop you banking there, then you have clearly made the same risk judgement that your bank has. No doubt your bank is also looking at a number of other issues: how many customers would be lost because their browsers don't support the higher encryption, or the customers who just can't come to terms with 2FA.

    I wonder how much evidence there is that stronger encryption materially improves security. It's clearly "better", but how much so? Would the investment in updating servers and keys be better spent in detective security, for example? Some regulators do dictate standards: the Monetary Authority of Singapore requires 2FA, the Italian Data Protection Act requires 8+ character passwords, etc. Perhaps someone could compare the effectiveness of these measures, as that would potentially generate a strong business argument to deploy the most effective methods.

  • Caffeineguru

    This would probably fall under guidance from the FFIEC, but I could see NIST having a say in things. I think Andrew makes the right point by bringing up the cost/benefit analysis. Mobile banking is still seen as a "perk", a feature to draw customers in, and the average bank customer views 2FA as a hurdle. The average banking customer also has no idea what encryption level is being used and doesn't make their decision to use a financial institution based on encryption at all. So what is the motivation for FIs to increase encryption or add 2FA? Especially with encryption, there is virtually no threat to most encryption levels because it's far easier to compromise authentication credentials. 2FA would actually have an impact on fraud, but between the cost of implementation and the number of customers lost, there isn't much motivation for FIs to adopt it (although I believe this may be changing, finally).

    I'm not saying I, personally, wouldn't want to see these required; I'm just saying FIs don't see an advantage and the lobby will be against it. Something that may be easier to push for and easier to get FIs to adopt would be to require forward secrecy. Relatively cheap to implement, mitigates much of the risk with encryption and wouldn't have as many issues with legacy browsers (I think).