Banks are scrambling to meet a year-end deadline set by federal regulators to better secure online transactions.
The Federal Financial Institutions Examination Council (FFIEC) didn't dictate specific technologies in its "Authentication in a Banking Environment" document issued last October. But the FFIEC guidance indicated that high-risk transactions, those in which funds can be transferred to other parties or customer information can be accessed, require more than a reusable password. The FFIEC said it wants to see progress on this security front by year-end, and many banks say they're doing just that. The choices they've made are varied.
"After the initial log-in, we've added a PIN guard, which is an [automated teller machine]-like pad to combat keyloggers," says Rudy Wolfs, CIO at ING Direct, a savings bank with $62 billion in assets and 4.1 million customers in the United States. The PIN guard is meant to foil keyloggers by requiring use of a mouse instead of a keyboard.
ING Direct developed its own PIN guard, but also turned to security products and services from RSA Security. These include a way to present random questions during the logon process that legitimate users can answer. ING Direct also uses a software token to profile a user's machine for security purposes (a method known as device identification), and an antiphishing and fraud-detection service that rates online account use according to several risk factors.