Banks are required by law to follow government regulations; these subject the banks to specific requirements, restrictions and guidelines. The end goal being, among other things, transparency.
What about setting specific requirements for banking website security? Pew Research Center statistics reveal
that 51% of U.S. adults bank online and 35% of cell phone owners bank using their mobile phones. That was from a study performed in August 2013, as of January 2015 I'm sure those numbers are likely higher.
I count myself as one of those who performs bank transactions online and from my mobile phone. As a security professional, this has me wondering why aren't there federal standards for online banking security?
A cursory check of the security of my banks' on-line site shows me that it lacks strong encryption and cipher standards. The lack of stronger encryption isn't enough to merit I stop using website banking, but as a customer I would feel safer knowing stronger crypto was in place. As an Information Security professional I would feel safer knowing there were a set of common standards that all online banking sites were required to meet.
This brings me back to my thought experiment: just as banks are regulated to meet specific financial criteria, so they should be required, by regulation, to meet strong encryption standards for online banking.
Once a set of security standards becomes Federal standard regulation, banks would be regularly checked to verify they adhere to those standards, and if they fail to meet the minimum standard, then heavy fines would be levied for non-compliance.
What would be the requirements for strong site cryptography and who would make the final call on those requirements? It seems logical it could fall under the non-partisan agency NIST.
What would you consider as strong standards? That would be a spirited debate and decision for all involved, but I would like to see all bank sites required to support 2FA.
What do you think about mandatory online banking security standards? Please leave a comment with your thoughts.
Happy and Safe Computing!
About the Author: Brian M. Thomas (@InfoSec_Brian) is a passionate professional with 17 years’ experience providing Tier-4 data solutions in all disciplines of IT including Network/Server administration and Information Security. Proven experience in HIPAA, ISO 27001 and PCI compliance.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interesting in contributing to The State of Security, contact us here.