U.S. regulators are demanding that banks improve security measures to reliably authenticate customers accessing Internet services, and have given them until the end of 2006 to implement those systems.
In a letter sent to banks last week, the Federal Financial Institutions Examination Council—an umbrella group of regulators—said that the use of single-factor authentication, such as user name and password, was inadequate for safeguarding against account fraud and identity theft. Instead, the regulators said, banks should implement dual-factor authentication, which relies on something the consumer has, such as hardware tokens or smart cards, as well as something the consumer knows, such as passwords or birth dates.
The regulators said that single-factor authentication is inadequate for protecting against Internet-level scams such as phishing and pharming. Banks have been directed to conduct a risk assessment process, including identification of all transactions and access levels associated with Internet-based transactions, and to assess authentication methodologies.
According to the Anti-Phishing Working Group, 85% of the 14,000 unique phishing reports in August were directed against financial institutions.
Many financial institutions, both inside and outside the United States, are in the process of adopting strong authentication technology. In the United Kingdom, Lloyds TSB last week launched a trial with 30,000 customers of an Access Code Device that generates a one-time, six-digit number every time a customer logs in to the Lloyds banking site. After a customer logs in using the normal ID and password, he or she is prompted to press a button on the key-ring-sized device, which then generates the code. The customer types in this code, which is verified by the bank, and then normal transactions proceed.
MasterCard International has developed a Chip Authentication Programme, in which credit or debit cards are implanted with a special chip that generates a one-time password when the card is entered into a hand-held card reader supplied by the customer's bank. Banka Koper in Slovenia has issued cards and readers to all of its retail and commercial customers. Banks in other parts of the world have also adopted the program, says Pascal DuFour, VP and head of chip product management at MasterCard.
With the newly issued federal regulations, U.S. banks might be inclined to follow their non-U.S. counterparts in enrolling in the Chip Authentication Programme, says DuFour.
E-Trade Financial Corp. is giving customers with $50,000 or more in their accounts a free Digital Security ID device from RSA Security that displays a new six-digit code every 60 seconds. The online trader has signed up more than 10,000 customers for the service, which it is promoting heavily through its Web site.
The Financial Services Technology Consortium, a banking-industry group, is developing a "reference architecture" for mutual authentication, in which both the bank and the customer are required to authenticate themselves. The project, which is composed of financial institutions and security vendors, plans to have standards definitions and a reference implementation completed by the end of January, says Christine Nautiyal, managing executive at the FSTC.
Several U.S. banks have taken steps on their own to strengthen authentication. With Bank of America's SiteKey, for example, a customer picks an image from a library and writes a brief phrase. Each time that person signs on, the image and phrase are displayed, indicating that the bank recognizes the computer from which the customer is signing on and letting the customer know the site really is the bank's. He or she then enters a password and proceeds.
Wells Fargo & Co., with 6.5 million online customers, plans to pilot toward the end of the year "out-of-wallet" questions—information that wouldn't be on a driver's license or ATM card—as a second factor for password enrollment and maintenance. It's also considering offering security hardware such as key fobs to select consumer customers.
In the field of biometrics, IBM has demonstrated a "cancelable" biometrics system, in which a prearranged transformation algorithm intentionally distorts a person's biometric data, such as a fingerprint, rendering the original biometrics useless for identification purposes.
Under the IBM system, when a bank enrolls a new customer, it will capture the customer's biometrics, such as a fingerprint scan, run the scan through the transformation algorithm, and store the new, transformed biometric records in its database. Should this information be stolen, either through a phishing attack or by hacking, the bank cancels the biometric data on file and issues a new set of data by running the transformation algorithm once again. The process can be repeated as often as needed.