The recent "flash crash" experienced by Mt. Gox has led me to discover how large, traditional banks secure their websites. I've looked through the forums, and haven't seen anything similar. Here's what I've discovered...
The Federal Financial Institutions Examination Council (FFIEC) InfoBase was established by Congress in 1979 to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, to make recommendations to promote uniformity in the supervision of financial institutions, and to conduct schools for examiners.
From
www.ffiec.govThe Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).
The FFIEC (Federal Financial Institutions Examination Council) has developed a set of "IT Booklets" outlining their standards for compliance for all aspects of banking. IT Booklets governing "E-Banking" can be found at
http://ithandbook.ffiec.gov/it-booklets/e-banking.aspx.
I'll be spending time reading through these IT Booklets over the next few days to see where Mt. Gox got it wrong. It's almost certain they did not harden their systems to any sort of standards, but it'll help me to know how a bank does it right, and understand what is required to secure an E-Bank properly.
From the FFIEC Wiki (
http://en.wikipedia.org/wiki/Federal_Financial_Institutions_Examination_Council)
FFIEC compliance is conformance to a set of standards for online banking issued in October 2005 by the Federal Financial Institutions Examination Council (FFIEC). The standards require multifactor authentication (MFA) because single-factor authentication (SFA) has proven inadequate against the tactics of increasingly sophisticated hackers, particularly on the Internet. In MFA, more than one form of authentication is implemented to verify the legitimacy of a transaction. In contrast, SFA involves only a user ID and password.
Authentication methods that can be used in MFA include biometric verification such as fingerscanning, iris recognition, facial recognition and voice ID. In addition to these methods,smart cards and other electronic devices can be used along with the traditional user ID and password. The outstanding feature of the FFIEC guidelines is the requirement thatencryption be used in all online transaction processing(OLTP) done by financial institutions. The level of encryption must be sufficient to prevent unauthorized disclosure within a bank's internal networks and among shared external networks.
In order to determine whether or not an institution is in compliance with FFIEC guidelines, comprehensive assessments of the internal environment must be conducted to identify potential security weaknesses and threats. Then goals must be set, solutions implemented and periodic risk assessments performed in order to maintain an adequate level of security.
