Monday, November 28, 2005
US Mandates More Security in Online Banking
Online banking, advertised by banks as nearly effortless, is about to become more cumbersome.
Federal regulators, alarmed by the threat of online financial fraud, are requiring banks by the end of 2006 to provide several layers of identity verification before customers can access their accounts and conduct other banking over the Internet. In addition to standard passwords, customers may soon need a unique digital "fingerprint" that will identify their computer for the bank, or may scan a copy of their real fingerprints to identify themselves to the bank's network. Another, more cumbersome method would have customers carrying keyfob-sized electronic "tokens" that authenticate their identity.
With some 53 million Americans paying bills, checking account balances, and doing other banking online, Internet fraud has become a growing threat to the popularity of Internet business transactions. Research firm Gartner estimated in a June report that 2.5 million people lost money in so-called "phishing" attacks last year. Phishing involves thieves who try to dupe customers into providing account numbers and other sensitive information by directing them to phony Web sites that resemble a legitimate business -- frequently a bank. Federal financial regulators say these threats are scaring away many potential customers. "Banks have to do something to secure the Internet for online banking," said David Barr, a spokesman for the Federal Deposit Insurance Corporation, one of five federal agencies behind the mandate. "If not, customers may not accept this kind of banking in the U.S."
The federal plan doesn't require or endorse any one kind of technology or verification process. Rather, banks can choose from a variety of methods suggested by authorities to provide at least a two-step process to verify customers' identities. The concept, called "two-factor authentication," is based on the idea of combining a standard password with some other identity test that is harder to steal or fake. The use of two identity tests should make it more difficult for thieves to raid accounts.
The Federal Financial Institutions Examination Council, a consortium of five banking regulators including the FDIC, detailed the security requirements in a 14-page report issued last month. Institutions that do not have adequate two-factor authentication in place by the end of next year face sanctions, including fines. Within the next six months, online customers of Bank of America will gain access to accounts through SiteKey, a multistep process that combines passwords with user-selected test questions and a digital system that "fingerprints" the user's computer. The kind and amount of verification involved would differ depending on which computer a customer uses to access an account -- the home PC, one at work, or a laptop on the road, for example.
The digital fingerprint system captures the serial numbers of computer parts, such as the hard drive. These numbers are used to generate a unique ID for the machine. Whenever a customer connects to Bank of America's Web site, the bank's online system recognizes the computer by the fingerprint and allows the customer to log on with a simple password. When customers are banking from home, SiteKey will quiz them -- the name of their high school mascot, for example.
SiteKey also includes a feature for customers to ensure they are using the real Bank of America Web site. When they sign up for online banking access, customers choose one picture from a number of offerings -- the photo of a puppy, for instance -- that will always appear when they bank at the site. If the picture doesn't match the selection, the customer knows that the site could be a fake. Portland, Maine-based TD Banknorth is working on a computer fingerprinting plan similar to Bank of America's to meet the federal guidelines, said Michael O'Connor, the company's risk contingency manager. Next year, Sovereign Bank plans to roll out a two-way, two-factor authentication process, said Marianne Doran-Collins, director of online banking.
The federal guidelines suggest that banks could use biometric systems that identify a person's actual fingerprints or retinal patterns. But customers would have to buy fingerprint or retinal scanners, and they would still need a different verification method when using a different computer that doesn't have the scanners. Customers could log in anywhere if they had a "token," an electronic gadget about the size of a car key that generates random passwords -- typically a series of numbers that change every minute or so. In addition to traditional passwords, users would type in the number sequence displayed on the token at that moment, which would match the sequences being monitored by the bank's network. In the United States, New York online brokerage firm E*Trade Financial is offering tokens to customers who want extra security for their accounts. The tokens are free to customers with account balances of $50,000 or more, or $25 for those with smaller balances.
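The bank-side half of the token scheme described above, as an added illustration that is not from the article or from any bank or vendor named in it: it assumes a time-based token in the style of RFC 4226/6238 (HMAC-SHA1, a 60-second step to match "changes every minute or so", six digits), accepts one step of clock drift either way, and refuses a code that has already been accepted so a phished code cannot be replayed.

```python
import hashlib
import hmac
import struct

# Assumed parameters (not stated in the article): 60-second step, 6 digits.
STEP_SECONDS = 60
DIGITS = 6


def token_code(secret: bytes, counter: int) -> str:
    """Code the token would display for a given time-step counter
    (HOTP dynamic truncation, RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class TokenVerifier:
    """Per-customer verifier held by the bank's network: the typed number must
    match the token's current step (allowing `drift_steps` of clock skew) and
    must be newer than the last step already accepted (replay protection)."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted = -1  # highest counter already consumed

    def verify(self, typed: str, now_epoch_seconds: float) -> bool:
        counter = int(now_epoch_seconds) // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted:
                continue  # already used (or older than a used code): reject
            expected = token_code(self.secret, candidate)
            if hmac.compare_digest(expected, typed):  # constant-time compare
                self.last_accepted = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 test key, used here only as a constructed sample secret.
    v = TokenVerifier(b"12345678901234567890")
    print(v.verify("755224", 30.0))   # first use of the step-0 code: accepted
    print(v.verify("755224", 30.0))   # same code again: replay, rejected
```

In production the secret per token lives only in the bank's HSM or vault, and failed attempts are rate-limited so the six-digit space cannot be guessed online.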
Bank of America, for one, said it will not make its online customers carry the tokens. "We assessed the use of tokens, but customers were telling us they didn't want to carry something else around," said Gayle Wellborn, online products and services executive at Bank of America. James Danaher, a manager at Kronos in Chelmsford, Mass., said Bank of America's online security procedures are already a nuisance; a token would be too much for him. "I would switch banks," Danaher said.
For more information on Internet Fraud, please visit Guardian eCommerce.