
Regulators to bankers: Tighten up online security

By Ellen Messmer, Network World
October 24, 2005 12:05 AM ET

Federal regulators last week issued new Internet banking standards that will require adoption of stronger authentication methods by the end of next year.

The Federal Financial Institutions Examination Council (FFIEC) said the industry needs to adopt more than just single-factor authentication for online banking in order "to reduce fraud, to inhibit identity theft, and to promote the legal enforceability of their electronic agreements and transactions." Government auditors are expected to begin evaluating banks for compliance with the new guidelines in 2007.

The FFIEC, which includes the Federal Reserve System, the Federal Deposit Insurance Corp. and the National Credit Union Administration, says it considers single-factor authentication alone "to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."

In security parlance, factors are considered to be something you know, such as a password; something you have, such as a hardware token; and something you are, such as the unique print of your finger or the iris of your eye.

The FFIEC guidance lists a variety of factor possibilities, including USB token hardware, smart cards, password-generating tokens, as well as an assortment of biometrics. The FFIEC says it doesn't favor any particular method.

Banks and credit unions are starting to adopt stronger authentication, but are far from handing out tokens and capturing fingerprints and facial scans.

Bank of America, for example, is close to completing its nationwide rollout of SiteKey, based on technology from Passmark Security, which asks the online customer to select an image and personal phrases to share in challenge-and-response fashion. This validates that the bank's Web site is real and is an extra measure of security if a customer's ID and password are stolen.

"At first we considered it an option for customers but now we've decided to make it a requirement," says Sanjay Gupta, e-commerce executive at Bank of America. "We want our customers to have strong protection."

But few banks have adopted hardware tokens or biometrics for widespread use in Internet banking.

U.S. Bancorp uses VeriSign's tokens in its high-end commercial banking operations. Tokens are in more prevalent use among European banks, such as Credit Suisse Group and Netherlands-based bank Rabba.

"Banks are already moving beyond just passwords for consumer confidence," says Gartner analyst Avivah Litan. "But the last thing banks want to do is provision tokens and biometrics." Cost is the primary inhibitor, she says.

There are also concerns that consumers may object to using tokens. A Gartner survey of consumers earlier this year found hardware tokens to be an unpopular idea.

Identity check
The Federal Financial Institutions Examination Council has indicated it wants financial institutions to make use of more than just a “single-factor” for authenticating customer identity in Internet banking. Here are the three most commonly recognized “factors” for authentication:
Something you know: Password, personal identification number, shared secrets.
Something you have: Automated teller machine card, smart card, one-time password token.
Something you are: Biometric characteristic, such as a fingerprint.

However, some banks are forging ahead with distribution of security tokens. American Bank, which has about $527 million in assets and 20,000 customers, this July began offering the RSA SecurID token for generating one-time passwords to online banking customers.
