Archive for Sunday, October 30, 2005

Banking to receive security upgrade

Regulators want two-factor authentication

October 30, 2005


— If you do banking over the Internet, generally the drill is pretty simple: You enter your user name and password, and away you go.

But behind the scenes, the bank can do a lot to check you out: Are you at your home computer, or at one with an Internet address that, strangely, is registered overseas? Are you logging on at an unusual time of day, or from a super-fast connection when normally you have dial-up?

This kind of analysis is one example of the layers that bank Web sites will be adding by the end of 2006 to meet new demands from federal regulators for "two-factor" authentication. That essentially means checking something more than just user name and password to verify a customer's identity.

"Phishers" and other Internet fraud artists have become adept at stealing passwords, mainly through "social engineering." Preying on people's propensity to believe something seemingly authoritative, criminals send authentic-looking e-mails that send unsuspecting people to an authentic-looking Web site where they give away their data.

Many banks overseas, where data-privacy laws are stronger, already have deployed a second level of authentication. They give customers specialized hardware, such as a "smart card" or an electronic token that displays a changing series of passcodes.

Cost-conscious U.S. banks are unlikely to go as far. Instead, they'll probably perform tweaks inside their own Web servers that most of us will barely notice.

"We're trying to come up with something here that's very user-friendly," said Jim Maloney, chief security executive of Corillian Corp., a Web-banking services company.

If the software raises red flags about a user's profile - because, say, he one day logs in from Denmark instead of Denver - the bank can confirm his identity by asking a series of questions that only he is likely to know, such as the amount of his last mortgage payment, or the street he grew up on.

That kind of fraud detection has long existed on credit cards, and the fact that Web banking has yet to widely deploy it says a lot about the state of the industry.

However, on Oct. 12, the Federal Financial Institutions Examination Council, an umbrella group of U.S. regulators including the Federal Reserve and the Federal Deposit Insurance Corp., told banks to strengthen their online authentication by the end of 2006. Auditors will examine those efforts in regular inspections.

The policy was widely interpreted as a boost for security providers, who are tired of seeing banks kick the tires of two-factor authentication services but generally not buy.


Use the comment form below to begin a discussion about this content.

Commenting has been disabled for this item.