http://www.news-journalonline.com/NewsJournalOnline/Business/Headlines/bizBIZ03010207.htm

Cox News Service
January 02, 2007

ATLANTA -- Over the next few days -- if you haven't experienced it already -- when you log into your financial accounts through the Internet, be prepared to go through another layer of "we-need-to-know-who-you-are."

Financial institutions of all sizes are incorporating new security authentication measures designed to be another layer of protection against crooks' attempts to hack into legitimate bank accounts to steal money.

Last month, Wachovia Corp. rolled out its Security Plus Project, aimed at thwarting would-be online hackers from logging in as legitimate bank customers and then taking their money. The Charlotte-based financial institution's initiative, launched Dec. 8, is part of its efforts to comply with federal banking regulators' guidelines regarding security measures for customer log-ins.

The deadline set by the Federal Financial Institutions Examination Council -- a consortium of federal banking regulatory agencies -- calls for banks to establish multilayer authentication security protocols for customer log-ins by Dec. 31. The recommendation follows a 2004 study by the Federal Deposit Insurance Corp. and a subsequent meeting by FFIEC officials last year that showed the rise in online phishing and identity theft attempts. In effect, regulators told banks the basic user ID and password weren't enough protection against fraud.

Online banking is growing at a fast clip. According to comScore Networks, a consumer behavior research firm, more than 40 million Americans bank online. That's a 27 percent increase in the fourth quarter of 2005 vs. the same period in 2004, the most recent available figures. The use of online bill payment services also grew -- rising 36 percent -- during the same period. And though adoption rates are slowing, regulators wanted more stringent measures.

"There were enough issues out there for us to take a proactive approach for the banks to strengthen their controls in online banking," said Michael Jackson, associate director of the FDIC's technology supervision branch.

And since the costs of implementation of these security technologies aren't as expensive now as they had been a few years ago, regulators thought institutions -- from the biggest banks to the smallest credit unions -- could incorporate them into their online security systems.

"It was an area where we thought the technology had matured enough for the institutions to strengthen their controls," Jackson said. "And we thought it was affordable."

Regulators gave banks a lot of flexibility in how to beef up their online security measures, provided they satisfied the principal mandate: the level of protection had to match the risk. That explains why different financial institutions have adopted a myriad of measures, some apparent to the consumer and others not so.

At Wachovia, customers still enter their user IDs and their passwords, but behind the scenes, the bank is monitoring activity and weighs it against their history. Using technology from RSA, a Bedford, Mass.-based firm that makes software for banks and other industries to help secure information and verify identities, Wachovia gives you a risk score. The lower your score, the greater the likelihood it's you. If the score is high, that raises flags to the bank, alerting officials an unauthorized user may be attempting fraud. That would trigger a block on your account or prompt you to answer a security question with a response that only you would know, that you've already answered when setting up the account.

Things that might trigger a higher risk score: Logging in from a computer or hand-held device other than the one you normally use.

Another trigger is if the IP address -- the unique identifying number attached to your computer or web-enabled device -- has been connected to previous attempts of fraud.

But even as they deploy these safeguards, financial institutions are wary about making it so troublesome that it turns consumers off. Indeed, several industry studies show that younger consumers -- those under 34 -- rank banking online as their preferred method of interaction with their financial institutions, followed by going to the ATMs and then in-person banking at the branch.

But too many layers can be a turn-off for some.

"I don't find it serves a purpose," said Nakeya Johnson, a Bank of America customer.

Last year, Bank of America Corp. introduced its SiteKey feature, which allows customers to pick a picture and asks them to create a word or phrase to go with the image. These images and phrases let the consumer know that he or she is at a legitimate bank Web site and not a scam site because when he or she logs in, the pre-picked picture and word appear. The banks use them to verify that the computer or Web-enabled device is actually the one normally used to log in to the account. If you logged in from another computer that the bank didn't recognize, it would prompt the Web site to ask you several questions that only you could answer before giving you access to the accounts.

It's similar to approaches adopted by ING Group N.V.'s ING Direct unit and First Horizon National Corp. in their online banking operations.

But Johnson, a social worker, said she checks her balances every day so she would spot any problems quickly. Having a SiteKey picture is just one more thing to memorize, she said.

"You have to remember the login name and the password and now you have to remember the picture. I'm kind of indifferent about it," she said.

That's something bank executives are watching closely, particularly since consumer migration to online banking has lowered the overall operational costs for financial institutions.

"To the extent that you can deploy anti-fraud technology that is not burdensome ... the last thing you want to do is discourage business," said David Rowan, a senior vice president and head of technology risk management at Atlanta-based SunTrust Banks Inc.

Some banks like One Georgia Bank require account holders to change their passwords every 30 days.

"Sometimes people aren't used to that," said Willard "Chuck" Lewis, president and chief executive of the Atlanta-based bank. "They say, 'I didn't have to go through as much security at my other bank,' but ultimately, what it does is protect the consumer. When you explain it to folks, they feel more secure," he said. "In today's world, where you have hackers and Internet access to just about everything, it really pays to have that extra level of security."

Some institutions, like E*Trade Financial Corp., give their customers the option to log into their accounts with a digital secure ID fob. The fob has a series of numbers that change at regular intervals, and those numbers have to be entered along with the user ID and password in order to obtain account access.

Of course, wherever there's a new technology designed to thwart theft, there's a crook looking for a way around it, bankers say.

"There's always emerging new attacks by the community that's trying to break in," said Rudy Wolfs, chief information officer of Wilmington, Del.-based ING Direct. ING Direct is among the biggest Internet banks with 4.5 million customers and $62 billion in assets.

"We're continually changing our procedures," Wolfs said. "It's not a standstill game."

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn