To Keep Consumer Trust, Try Tokens And Smart Cards

Banks and other financial institutions should adopt stronger authentication measures like security tokens and smart cards if they want to increase customer satisfaction with Internet banking, industry analysts said this week.

A panel of security advisors from Yankee Group, TowerGroup, and Gartner laid out their recommendations on Tuesday as a precursor to the RSA Security Conference in San Francisco next week.

While actual losses associated with ID theft have dropped by 12% in recent months, and banks are quick to refund consumers for any losses due to identity theft, financial institutions should continue to find ways of making their clients at least "feel safe."

"Perception is very important," says George Tubin, senior analyst with TowerGroup. "We've already seen the rise of financial fraud via e-mail pushing people back to using physical channels instead of Internet channels.

One failure of e-mail marketing, for example, is due to the barrage of phishing scams and other chicanery that dupe consumers into giving away their bank account information, passwords, and private data, Tubin said.

Most banks and financial firms have implemented some measures to mitigate online financial fraud but still more must be done, according to Ray Wagner, a managing VP at analyst firm Gartner. Associated technologies to safeguard a bank's or financial institution's reputation should be based on access control systems such as strong authentications, tokens, and smart cards, Wagner noted. Standardizing Web services and federated authentications between different companies are also advised.

"Surveys tell us that consumers are asking for open authentication platforms," Wagner says. "They don't want to be limited to one device. Consumers want several options and they want to be able to authenticate it themselves."

When it comes to corporate data theft, Wagner notes that software that could instantly authenticate a laptop, PC or server when it is attached to a network could provide an instantaneous "health check."

"The policy for network access control should be related to identity policy," he says.

Such policies could have prevented an attack against TJX's IT systems that resulted in the theft of TJX customer information late last year. The highly publicized incident involved millions of card accounts across all major payment brands accepted by TJX.

"It's important for consumers and small businesses to continue to use online services and Internet banking. Too many bad experiences put a bad taste in their mouth," Tubin said.

Part of the problem, according to the analysts, is that the architects of online attacks are better equipped than professional virus protection companies.

"Online criminals are more adept at trading information," says Andrew Jaquith, a program manager Yankee Group. Raw materials used in creating malware, Trojan Horses, and other online attacks also are free, he noted. "They have found the weak knee on the quarterback and they have gone after it."

The RSA show is expected to pull in about 15,000 attendees, security and anti-virus experts and companies. Marquee keynotes at this year's event include Bill Gates and former Secretary of State Colin Powell.