In March 2005, E*Trade Financial publicly launched a two-factor authentication service it had been piloting since November. This step represents one of the first instances in the United States of a financial services provider making two-factor authentication available to mass market consumers. Several other major consumer financial services providers are currently either developing or piloting such programs, but, at this point, most financial services providers have no plans to offer mass-market consumers two-factor authentication.
The key issue E*Trade has addressed is login security, both a critical issue and an excellent microcosm in which the larger issues of security are played out. When it comes to login security, providers across the financial services industry are falling short in protecting online consumers. Generally, providers can't agree on what effective security involves. There is a lack of standards, and some providers, such as E*Trade, are leading the way to providing stronger online security. But whether providers continue to roll out login security initiatives on their own, or gradually agree on industry-wide standards, educated skepticism among both providers and their customers will remain the most useful deterrent to online fraud.
First, let's examine where financial services providers are falling short in login security. As part of its upcoming Credit Card Scorecard, Watchfire GómezPro determined that eleven out of sixteen issuers tested allow transmission of account access passwords at lower than 128-bit encryption. Of the 30 banks on the Q4 2004 Banker Scorecard, 11 don't require passwords of at least six characters in length and contain both letters and numbers. Additionally, at least one bank allows passwords that are only four digits long.
These banks are falling short of industry security best practices, but their examples also illustrate our next point: the disagreement in the industry over what effective security entails. For instance, a fundamental disagreement has arisen among super-regional banks involving the placement of login fields on homepages. Several super-regional banks had rolled out homepage login boxes as a user convenience. When we broached the idea with another super-regional bank, they explained the reason it had held off was because it did not want to secure the entire homepage.
Watchfire GómezPro analysts pointed out that the other banks had managed to roll out the feature without securing the entire homepage. To this seemingly recalcitrant bank, that was not a viable solution, as the bank wanted consumers to always look for a secure URL in the address bar and a VeriSign or similar seal on the page when entering their login credentials. Over 20 percent of U.S. retail deposits are held at banks that apparently disagree with this bank's view. Alternatively, Fidelity Investments, one of the largest investment services providers, made a point of securing its entire homepage, which includes login fields. After studying the issue, Watchfire GómezPro recommends that financial services providers should secure every page where login fields appear, but has also concluded there simply is no consensus in the industry.
Some providers are not waiting for consensus to build in login security. E*Trade's introduction of token-based authentication enhances both the intrinsic security of E*Trade's offering and the firms' public profile amid consumer concern around phishing and other online-related security threats.
But E*Trade's rollout of token authentication leads to the persistent truth of login security and of online security in general: Any security precaution introduced by a financial services provider as a way to build consumer trust can cause further trouble if consumers, or their providers, take a security enhancement as a sign they can let down their guard. While it represents a significant added protection for customers, E*Trade's new service is no exception to this principle. With certain additional restrictions on access absent, a phishing attack might succeed by directing the holder of a password token to a rogue site that asks for the username, permanent password and temporary password. The user, comforted by the security of a token, may not think twice about entering this information. On the back end, the phisher manually or automatically relays this information to the financial services site, gleaning information useful to appropriating the user's identity to use or to sell. Though the phisher will be unable to log back into the site, the damage has been done.
This scenario relies on the user not distinguishing between the threat of giving up account access and what unauthorized account access typically leads to -- the theft of personal information that will be used in fraudulent ways. While we all hope consumers given a new security tool would maintain a level of skepticism about who they give their information to, such hasn't even been the case for financial services providers themselves, some of whom have been relying on security measures in ways they shouldn't. For example, while software to spoof commercial-grade caller ID recognition software is now widely available, at least one credit card issuer is still authenticating callers on the basis of the phone number from which they call.
There are practical best practices in login security, such as mandatory encryption levels and tight requirements for password strings. Surprisingly, some firms still are not following them. There is still disagreement about what is effective, but there are many firms willing to try out new technologies. Eventually, login security will become more standardized. But educated skepticism remains the strongest weapon both financial services providers and their customers can wield in their efforts to avoid fraud.