Public comments have been submitted to the Financial Services Agency regarding the partial revision (draft) of the "Comprehensive Supervision Guidelines for Financial Instruments Business Operators, etc."

Partial Revision of the "Comprehensive Guidelines for Supervision of Financial Instruments Business Operators, etc." (Draft)

The OpenID Foundation (US) has submitted the following public comment to the Financial Services Agency on this draft revision, which covers the so-called securities fraud countermeasures. The OpenID Foundation's website is available only in English, so the Japanese version is posted here.

Public comments on the draft Comprehensive Supervision Guidelines for Financial Instruments Business Operators (Comparison Table of Old and New Guidelines)

1. Evaluation of the FSA and the significance of the proposed revisions

First of all, we would like to express our deep respect for the overall direction of this proposed revision. It is extremely significant in that it gives the entire industry concrete and realistic guidance for taking effective measures against cyber threats such as phishing and unauthorized access, which have become increasingly sophisticated in recent years. In particular, we highly appreciate the inclusion of requirements at a high international level: mandatory phishing-resistant multi-factor authentication, enhanced behavioral detection, and the systematization of measures to prevent fraudulent transactions. Furthermore, the structure that encourages the use of industry guidelines and of information-sharing organizations such as ISACs makes this not simply a regulation but a practical framework premised on continuous improvement, and we believe it can be called a model case for supervisory guidelines.

2. Issues and improvement suggestions

(1) P.5 Regarding the prohibition of links in emails and SMS

The proposed revision states that "URLs of pages or login links that prompt users to enter their passwords should not be included in emails or SMS messages." This is important for protecting users, but in practice links are sent for legitimate reasons (password reset links, magic links, WebOTP-compatible SMS, and so on). WebOTP in particular is highly resistant to phishing: the browser binds the one-time code in the SMS to the site it was issued for and fills it in on the correct site automatically, with no human judgement involved.
On the other hand, attackers can be expected to keep sending messages that contain plausible links regardless of what legitimate operators do, so a ban by itself does not remove the threat. Rather than a blanket ban, we believe the rule should read "prohibited in principle, and permitted only when there is no appropriate alternative," and that the measure should be repositioned later in the document as a supplementary measure that reinforces security, in order to strike a balance between user convenience and security.
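To show what "the browser fills the code in on the correct site" means mechanically, the following is an added example (it is not part of the OpenID Foundation comment or of any FSA material). It builds and checks the origin-bound SMS format that the WebOTP API consumes, following the WICG draft "Origin-bound one-time codes delivered via SMS": the last line of the message is "@host #code", and a browser offers the code only to a page whose origin host matches. The host names, code and message text are constructed samples.

```python
"""Origin-bound one-time code SMS, the format the WebOTP API consumes.

This is an added example, not part of the OpenID Foundation comment or
any FSA material. It follows the WICG draft "Origin-bound one-time codes
delivered via SMS": the last line of the message is "@<host> #<code>",
and the browser offers the code only to a page whose origin host matches
<host>. The host names, code and message text are constructed samples.
"""
import re
import secrets
from typing import Optional

# Final line of the SMS: "@" host, one space, "#" code. Neither part
# may contain whitespace; the lines before it are free text for humans.
_BOUND_LINE = re.compile(r"^@(?P<host>[^\s#]+) #(?P<code>\S+)$")


def new_code(digits: int = 6) -> str:
    """Numeric one-time code from a cryptographic RNG."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def make_bound_sms(host: str, code: str, text: str = "Your verification code") -> str:
    """Build the SMS body so that the code is bound to `host`."""
    if any(c.isspace() for c in host + code) or "#" in host:
        raise ValueError("host and code must not contain whitespace or '#'")
    return f"{text}: {code}\n\n@{host} #{code}"


def extract_code_for_origin(sms: str, page_host: str) -> Optional[str]:
    """Return the code only if it is bound to `page_host`, else None.

    This mirrors the browser-side check that makes WebOTP phishing
    resistant: a code bound to broker.example is never offered to a page
    on broker-login.example, so a user who was lured to a look-alike site
    has nothing to paste there. Unbound messages are ignored entirely.
    """
    lines = sms.rstrip("\n").split("\n")
    match = _BOUND_LINE.match(lines[-1])
    if match is None:
        return None
    if match.group("host").lower() != page_host.lower():
        return None
    return match.group("code")


if __name__ == "__main__":
    code = new_code()
    sms = make_bound_sms("broker.example", code)
    print(sms)
    print("genuine site:", extract_code_for_origin(sms, "broker.example"))
    print("look-alike site:", extract_code_for_origin(sms, "broker-login.example"))
```

The point of the check is that the binding is decided by the browser from the page's origin, not by the user reading the message, which is why such an SMS can carry a link or a code without becoming a phishing vector in the way an ordinary "click here to log in" message does.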

(2) P.5 Positioning of measures to verify authenticity of the site

"Measures to verify that the site the user is accessing is authentic" are also important, but measures that rely on the user visually recognizing the site have limited resistance to phishing. They should be positioned as additional measures; the primary defense should be automated, cryptography-based, phishing-resistant authentication technology.

(3) P.6 Implementation and Mandatory Use of Phishing-Resistant Multi-Factor Authentication

It is extremely important to "make phishing-resistant multi-factor authentication mandatory for important operations such as logging in, withdrawing funds, and changing the withdrawal bank account." In practice, however, there are many cases in which customers revert to password authentication because setup is a hassle, or in which password authentication is left in place for accounts used only for particular transactions. Needless to say, even if advanced authentication is set up for transactions, it is meaningless if a password-only path into the account remains.
For that reason, it should be clearly stated that once advanced authentication has been set up, the password is abolished and the user cannot switch back. In addition, applying the current risk-based authentication concept as "password for login, passkey for transactions" would allow securities firms that do not provide APIs to keep supporting Personal Finance Manager (PFM) services while reducing risk. In the medium term, a simultaneous cutover to API provision and advanced authentication is expected to prevent fraud while minimizing the impact on consumers.

(4) Ensuring safety when registering authentication methods

There is a risk that an attacker may use a password login as a foothold to register a passkey of their own. It should be clearly stated that initial registration of advanced authentication such as a passkey is permitted only within a session that has undergone strong identity verification, such as public personal authentication (JPKI).

(5) P.6 Continuous application of behavior detection

The current proposal positions behavioral detection as a temporary measure until passkeys are made mandatory. However, session hijacking and unauthorized manipulation can still occur after passkeys are introduced, so behavioral detection and analysis should be a permanent requirement.

(6) P.6 Risks of account lockout and alternatives

"Automatic account locking when authentication fails repeatedly" requires particular caution where sequential customer numbers are used as login identifiers: an attacker can deliberately fail authentication against a range of identifiers, causing large-scale lockouts (a denial-of-service attack) and saturating the call center, and can then be expected to exploit the resulting confusion to take over accounts. A delayed response (for example, a one-minute wait) or a request for additional authentication is effective instead, and account locking should be treated as a last resort.
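As an added example of the alternative described above (not part of the OpenID Foundation comment or of any FSA material), the following login throttle never hard-locks an account: each failed attempt doubles a short per-account delay, capped at one minute, and past a threshold the next login must use step-up authentication. An attacker enumerating sequential customer numbers therefore slows down but cannot deny service to the real customer, who can still get in with the stronger factor. The thresholds, the customer numbers and the fake clock are illustrative choices.

```python
"""Graduated response to repeated authentication failures.

This is an added example, not part of the OpenID Foundation comment or
any FSA material. Instead of locking an account after N failures, which
lets an attacker who can enumerate sequential customer numbers lock out
thousands of legitimate users at once, each failure doubles a short
per-account delay (capped at one minute) and, past a threshold, forces
step-up authentication for the next login. The attacker never gets to
lock the account, and the real customer can always get in with the
stronger factor. All thresholds are illustrative choices.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

ALLOW, WAIT, STEP_UP = "allow", "wait", "step_up"


@dataclass
class _AccountState:
    failures: int = 0
    not_before: float = 0.0   # earliest time another attempt is accepted


@dataclass
class LoginThrottle:
    base_delay: float = 1.0                    # seconds after first failure
    max_delay: float = 60.0                    # the "one minute wait" ceiling
    step_up_after: int = 5                     # failures before step-up is demanded
    clock: Callable[[], float] = time.time     # injectable for tests
    _states: Dict[str, _AccountState] = field(default_factory=dict)

    def check(self, account_id: str) -> Tuple[str, float]:
        """Decide how to treat a new attempt: (action, seconds_to_wait)."""
        state = self._states.get(account_id)
        if state is None:
            return ALLOW, 0.0
        remaining = state.not_before - self.clock()
        if remaining > 0:
            return WAIT, remaining            # slow down, but never lock
        if state.failures >= self.step_up_after:
            return STEP_UP, 0.0               # password alone no longer suffices
        return ALLOW, 0.0

    def record_failure(self, account_id: str) -> float:
        """Register a failed attempt; returns the delay now imposed."""
        state = self._states.setdefault(account_id, _AccountState())
        state.failures += 1
        delay = min(self.base_delay * 2 ** (state.failures - 1), self.max_delay)
        state.not_before = self.clock() + delay
        return delay

    def record_success(self, account_id: str) -> None:
        """A successful (step-up) login clears the counter."""
        self._states.pop(account_id, None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    # Constructed scenario: an attacker hammers sequential customer numbers.
    for cust in ("00001234", "00001235"):
        for _ in range(6):
            throttle.record_failure(cust)
        print(cust, throttle.check(cust))
```

The worst case for a legitimate customer caught in such a campaign is a one-minute wait followed by a passkey prompt, which is a far smaller burden on users and the call center than an unlock procedure, and the step-up requirement is exactly what the attacker, holding at most a password, cannot satisfy.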

(7) Strengthening session security and inter-company collaboration

This proposal seems somewhat weak on session security. Including measures such as restricting a session's permissions when a change in the browser or IP address of the cookie sender is detected, and sharing abnormal-transaction detection information between businesses (for example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recommend the use of the OpenID Shared Signals Framework for this), would make it possible to prevent fraud on a wide scale.
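The following is an added example covering both measures in this item; it is not part of the OpenID Foundation comment or of any FSA material. At login the server binds the session cookie to the browser (User-Agent) and the network (IPv4 /24 or IPv6 /64) it was issued to; a later request from a different browser revokes the session, while a request from a different network keeps it but drops it to read-only until the user re-authenticates. On revocation, the claims set of a Security Event Token (RFC 8417) carrying the CAEP "session-revoked" event is built for delivery to a partner firm over the Shared Signals Framework. Signing the token as a JWT and the delivery endpoint are assumed to be handled by a JWT/SSF library and are not shown; the addresses, hosts and customer identifiers are constructed samples.

```python
"""Session binding with graduated privilege, plus a CAEP revocation event.

This is an added example, not part of the OpenID Foundation comment or
any FSA material. At login the server records which browser (User-Agent)
and which network (IPv4 /24 or IPv6 /64) the session cookie was issued
to. On later requests, a different User-Agent revokes the session; a
different network keeps it but drops it to read-only until the user
re-authenticates, so a stolen cookie cannot move money. When a session is
revoked, the claims set of a Security Event Token (RFC 8417) carrying the
CAEP "session-revoked" event is built for delivery to a partner firm over
the OpenID Shared Signals Framework; signing it as a JWT and the delivery
endpoint are assumed to be handled by a JWT/SSF library and are not shown.
Addresses, hosts and customer identifiers are constructed samples.
"""
import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Dict

FULL, READ_ONLY, REVOKED = "full", "read_only", "revoked"
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"


def _network(ip: str) -> str:
    """Collapse an address to its /24 or /64 so ordinary DHCP churn on the
    same network does not look like a hijack, while a move to another
    network does."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def _ua_hash(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


@dataclass
class Session:
    sid: str
    subject: str
    ua_hash: str
    network: str
    level: str = FULL


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def create(self, subject: str, user_agent: str, ip: str) -> Session:
        """Bind a fresh session to the browser and network seen at login."""
        s = Session(secrets.token_urlsafe(32), subject, _ua_hash(user_agent), _network(ip))
        self.sessions[s.sid] = s
        return s

    def authorize(self, sid: str, user_agent: str, ip: str, high_risk: bool) -> str:
        """Return 'allow', 'reauth' or 'deny' for one request carrying `sid`."""
        s = self.sessions.get(sid)
        if s is None or s.level == REVOKED:
            return "deny"
        if _ua_hash(user_agent) != s.ua_hash:
            s.level = REVOKED                 # cookie replayed from another browser
            return "deny"
        if _network(ip) != s.network:
            s.level = READ_ONLY               # same browser, new network: degrade
        if high_risk and s.level != FULL:
            return "reauth"                   # withdrawals etc. need a fresh passkey
        return "allow"

    def reauthenticated(self, sid: str, ip: str) -> None:
        """Fresh phishing-resistant authentication restores full privilege
        and rebinds the session to the current network."""
        s = self.sessions[sid]
        s.level, s.network = FULL, _network(ip)


def session_revoked_set(issuer: str, audience: str, session: Session, reason: str) -> dict:
    """Claims set for a SET announcing the revocation to a partner."""
    now = int(time.time())
    return {
        "iss": issuer,
        "aud": audience,
        "iat": now,
        "jti": secrets.token_hex(16),
        "sub_id": {"format": "opaque", "id": session.subject},   # RFC 9493 subject identifier
        "events": {
            CAEP_SESSION_REVOKED: {
                "event_timestamp": now,
                "reason_admin": {"en": reason},
            }
        },
    }
```

The read-only downgrade is deliberate: ending the session outright on every network change would punish customers who move from Wi-Fi to mobile, whereas requiring a fresh passkey only for withdrawals and bank-account changes costs the legitimate user one prompt and costs the cookie thief everything that matters. The SET lets the firm that observed the replay tell peers to treat that customer's other sessions with suspicion.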

(8) Terminology Review: From “Multi-Factor Authentication” to “Advanced Authentication” or “Secure Customer Authentication”

Although the addition of "phishing-resistant" in various places makes the wording seem adequate, the term "multi-factor authentication" is in general too broad, and there is a risk that low-quality multi-factor authentication will be adopted as a matter of course. What this proposal really needs to emphasize is resistance to a range of threats, of which phishing resistance is one. Replacing or supplementing the terminology would clarify the intent and is expected to improve quality in practice.

3. Conclusion

This proposed revision is not merely a formal regulation, but emphasizes effectiveness in light of the latest attack methods and technological trends. We view it as a pioneering attempt to balance user protection with convenience. The proposed improvements are designed to achieve both higher levels of defense and operational feasibility, taking into account on-site practices and the latest international trends. We have high expectations and respect for the FSA's continued leadership in formulating such high-level guidelines.
