Banks mull online security ahead of deadline

U.S. banks are exploring new online banking security technologies ahead of a year-end federal deadline to voluntarily deploy better identity theft countermeasures or risk mandated changes.
Source: Reuters

New password systems, site verification measures and monitoring of usage are among the steps either already deployed or being evaluated by major U.S. banks.

An estimated 53 million Americans used computers to monitor account balances, borrow and transfer money, and pay bills in 2005, up 47 percent from 2002, according to the Pew Internet and American Life Project.

Last August, U.S. financial regulators urged banking Web sites to bolster security after a Federal Deposit Insurance Corp. (FDIC) report showed identity theft via online banking fraud was one of the fastest growing crimes.

The FDIC — responsible for insuring most consumer accounts — followed with a warning that banks must comply with the guidance "no later than year-end 2006."

"We saw that the industry was very slow in adopting increased security measures," Michael Jackson, associate director of the FDIC's technology supervision unit, told Reuters in an interview.

Bank of America Inc. has already altered its login process. In addition to asking for a user name and password, consumers are now shown a picture or "site key" to verify they are on an authentic Bank of America site.

Site keys help users spot fake sites set up to steal personal information, said Christopher Voice, chief technology officer of security software maker Entrust Inc.

Jackson said U.S. banks are generally "moving in the right direction" in assessing technology risks, but few have made visible security changes.

"We need the whole industry to step it up and strengthen ... as far as security controls go," he said.

Fear of alienating customers

Banks recognize they must increase online security, but are equally concerned that making Web sites harder to use will drive customers back to telephone and branch banking.

"Telephone transactions cost banks 10 times as much to process as Internet transactions. And in-branch transactions cost 100 times Internet transactions," Voice said.

About 18 percent of online bank customers have already cut back or stopped banking online completely because of security worries, according to an Entrust survey.

And fear of identity theft also prevents users from trying new online options.

"There is finally enough consumer demand and theft to make the business case (for enhanced security)," said Jim Bruene, editor of Online Banking Report.

Wachovia Corp. and Wells Fargo Inc. are evaluating security measures that may minimize the changes apparent to customers.

"Our direction for changes is more forensics-based," said Alecia Kontzen, head of Wachovia's risk management. "We don't want users to jump through hoops all of the time."

Wachovia is considering a system that would recognize individual computers and typical transaction behavior, and then automatically scan for fraudulent activity. Bank of America already has a system in place to ask extra security questions if a customer tries to log in from an unknown computer.

Wells Fargo and Co. is testing a solution in which money wires require extra security steps, said Jim Smith, the bank's executive vice president of consumer online banking.

Online brokerage and banking pioneer E*Trade Financial Corp. offers customers the strongest security protection available, with a constantly changing numeric password via small electronic devices, or "tokens."

E*Trade customers with accounts over $50,000, or who trade stocks frequently, get free tokens. Others pay a one-time $25 fee.

Banks, however, are unlikely to widely adopt security fees because 81 percent of online customers are unwilling to pay them, the Entrust survey found. Instead, banks want to keep costs down and even turn security expenses into investment gains.

Wachovia, for example, has invested in security software company Arcot Systems Inc. and is evaluating a login system that avoids sending user names and passwords over the Internet. Other companies are evaluating paper "bingo cards" to provide users with an inexpensive version of E*Trade's token system.

FDIC's Jackson said he is not interested in mandating specific methods to protect consumer data, but the threat of FDIC action remains if banks fail to upgrade security.

"The important thing is we have it (enforcement authority) and the banks know we have it," he added.