IE 11 is not supported. For an optimal experience visit our site on another browser.

Online banking moving beyond the password

By the end of next year, it may take more than just a user ID and password for bank customers to access their accounts online.
/ Source: contributor

For Victoria Powers, online banking is a lifesaver. The 68 year-old resident of Eugene, Oregon uses LibertyBank’s Web site because she finds it less time-consuming than traditional banking. She simply types in her identification number and password on and pulls up her account. From there she can check her balance, pay bills and transfer funds into savings accounts for her grandchildren.

"Since we immediately know that the money's there, we can go ahead and pay our bills and be on time with them," she said.

But by the end of next year, it may take more than just an ID number and password for Powers and other bank customers to access their online accounts. In the face of increasing online banking fraud, federal agencies announced they are requiring all financial institutions in the country to beef up their Internet security measures by the end of 2006. That means customers may soon have to navigate through more security screens.

Tighten up or else
The Federal Financial Institutions Examination Council (FFIEC), which consists of five federal agencies including the Federal Deposit Insurance Corp. (FDIC) and the Federal Reserve, released a report in October stating that account fraud and identity theft often occurs due to the simple "password/ID" security mechanism customers use to access their accounts. Banks must conduct risk assessments of their online banking features and, if the password/ID feature is inadequate, institutions should strengthen ID verification, the report stated.

Federal regulators will examine a bank's risk assessment and determine whether its online security is sufficient. The deadline for meeting the requirement is the end of 2006. Banks that don’t comply may face civil monetary penalties or cease-and-desist orders.

FDIC spokesman David Barr said the moves are necessary, even if they make it more cumbersome for customers to access their accounts. "We have to balance the ease and convenience with security," he said. "If we don't do anything, criminals will become more sophisticated in separating people and their money.”

One of the most prevalent new online attacks is "phishing," where hackers send e-mails that resemble official bank communications to customers. They set up lookalike websites where duped customers enter their password/ID information. According to the research firm Gartner Inc., 73 million Americans said they received phishing e-mails in the 12 months ending in May 2005, an increase of 28 percent over the previous year.

According to Barr, the trend is growing. "Over time, we're seeing more and more e-mails reporting phishing activities, often coming from smaller and smaller banks," he said.
"Hackers are moving out and expanding their operations to smaller institutions because the big banks like Bank of America are phished out."

In its report, FFIEC officials outlined a variety of technologies banks can use as extra identification layers. They include "smart cards," which are inserted into a computer and prompt the customer to provide a password, key fobs that generate random access codes, and sophisticated software systems with biometric technologies to identify users with fingerprints or voice patterns.

Avivah Litan, banking analyst for Gartner Inc., said computer fingerprinting is likely to be the most popular option for both banks and customers. The bank keeps track of which computer a customer most commonly uses to access their account. If the customer uses another computer, it would set off a second series of security measures, like a set of preset questions or image recognition.

"It's the most transparent measure in that it doesn't interfere much with current online services and customers probably won’t notice any change in convenience," said Litan.

Litan also believes that neither hardware tokens nor biometric devices like thumbprint readers will be as prevalent as computer fingerprinting due to the high costs of the additional equipment required. “It’s just too expensive. Banks won’t pay $20 a token per person annually because there’s not enough fraud to justify the cost. Security must be cost-effective.”

What are banks doing?
Analysts following the banking industry say that banks are in various stages of preparing for the Federal mandate next year. Bank of America is the first out of the gate with its new SiteKey picture-recognition service, which it will require all customers to use starting in early 2006. Customers choose a picture when they first visit and are presented their choices in subsequent visits to assure them the site is not fake.

This month, Washington Mutual announced that it now uses a version of computer fingerprinting that analyzes every online login and transaction, scores the potential risk of identity theft based on a broad range of criteria, and invokes additional authentication methods if needed.

Because big banks are bulking up their online security measures, phishers and scammers are reportedly moving down the chain to medium-sized and small banks, but Litan said many of them are well prepared to meet the threats.

“Many smaller banks and credit unions are ahead of the curve in security than larger banks with hundreds of thousands of customers. They’ve put more money into security measures, and they have better, face-to-face relationships with customers who actually read the literature they send about protecting themselves against identity theft.”

As for customers’ opinions, Victoria Powers is one who says she doesn't like things really difficult but that one extra layer of online security couldn't hurt.

"If they want to implement one more step, I'll do it. But if it's six more steps, I'll say, 'Forget about it' and just go to the bank."