[ISN] Financial institutions tighten security measures

From: InfoSec News (alerts@private)
Date: Tue Jan 02 2007 - 00:37:25 PST


Cox News Service
January 02, 2007

ATLANTA -- Over the next few days -- if you haven't experienced it 
already -- when you log into your financial accounts through the 
Internet, be prepared to go through another layer of 

Financial institutions of all sizes are incorporating new security 
authentication measures designed to be another layer of protection 
against crooks' attempts to hack into legitimate bank accounts to steal 

Last month, Wachovia Corp. rolled out its Security Plus Project, aimed 
at thwarting would-be online hackers from logging in as legitimate bank 
customers and then taking their money.

The Charlotte-based financial institution's initiative, launched Dec. 8, 
is part of its efforts to comply with federal banking regulators' 
guidelines regarding security measures for customer log-ins.

The deadline set by the Federal Financial Institutions Examination 
Council -- a consortium of federal banking regulatory agencies -- calls 
for banks to establish multilayer authentication security protocols for 
customer log-ins by Dec. 31.

The recommendation follows a 2004 study by the Federal Deposit Insurance 
Corp. and a subsequent meeting by FFIEC officials last year that showed 
the rise in online phishing and identity theft attempts. In effect, 
regulators told banks the basic user ID and password weren't enough 
protection against fraud.

Online banking is growing at a fast clip. According to comScore 
Networks, a consumer behavior research firm, more than 40 million 
Americans bank online. That's a 27 percent increase in the fourth 
quarter of 2005 vs. the same period in 2004, the most recent available 

The use of online bill payment services also grew -- rising 36 percent 
-- during the same period. And though adoption rates are slowing, 
regulators wanted more stringent measures.

"There were enough issues out there for us to take a proactive approach 
for the banks to strengthen their controls in online banking," said 
Michael Jackson, associate director of the FDIC's technology supervision 

And since the costs of implementation of these security technologies 
aren't as expensive now as they had been a few years ago, regulators 
thought institutions -- from the biggest banks to the smallest credit 
unions -- could incorporate them into their online security systems.

"It was an area where we thought the technology had matured enough for 
the institutions to strengthen their controls," Jackson said. "And we 
thought it was affordable."

Regulators gave banks a lot of flexibility in how to beef up their 
online security measures, provided they satisfied the principal mandate: 
the level of protection had to match the risk.

That explains why different financial institutions have adopted a myriad 
of measures, some apparent to the consumer and others not so.

At Wachovia, customers still enter their user IDs and passwords, but 
behind the scenes the bank monitors the login activity and weighs it 
against the customer's history.

Using technology from RSA, a Bedford, Mass.-based firm that makes 
software for banks and other industries to help secure information and 
verify identities, Wachovia gives you a risk score.

The lower your score, the greater the likelihood it's you. If the score 
is high, that raises flags to the bank, alerting officials an 
unauthorized user may be attempting fraud.

That would trigger a block on your account, or prompt you to answer a 
security question that you set up when opening the account, with a 
response that only you would know.

Things that might trigger a higher risk score: logging in from a 
computer or hand-held device other than the one you normally use, or 
logging in from an IP address - the unique identifying number attached 
to your computer or Web-enabled device - that has been connected to 
previous fraud attempts.
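How such a risk-scored login with a step-up challenge can be put together, as an added illustration written for this page rather than Wachovia's or RSA's own code; the point values, thresholds, fraud-linked address list and device identifiers are all constructed assumptions:

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample: addresses seen in earlier fraud attempts (placeholders).
FRAUD_IPS = {"203.0.113.7"}
# Thresholds are assumptions for illustration; a bank tunes them to its risk.
CHALLENGE_AT, BLOCK_AT = 40, 80

def answer_hash(answer: str, salt: str) -> str:
    """Store the security answer as a salted hash of its normalized form."""
    return hashlib.sha256((salt + answer.strip().lower()).encode()).hexdigest()

@dataclass
class Profile:
    known_devices: set      # devices the customer has logged in from before
    salt: str
    answer_digest: str      # hash of the answer given when the account was set up

@dataclass
class Attempt:
    device_id: str
    ip: str

def risk_score(profile: Profile, attempt: Attempt):
    """Higher score = less likely to be the legitimate customer."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 40
        reasons.append("unfamiliar device")
    if attempt.ip in FRAUD_IPS:
        score += 60
        reasons.append("ip tied to previous fraud attempts")
    return score, reasons

def login(profile: Profile, attempt: Attempt, password_ok: bool, answer=None):
    """Return 'deny', 'allow', 'challenge' or 'block' for one login attempt."""
    if not password_ok:
        return "deny"                      # user ID and password still come first
    score, _ = risk_score(profile, attempt)
    if score >= BLOCK_AT:
        return "block"                     # raise the flag and hold the account
    if score >= CHALLENGE_AT:
        if answer is None:
            return "challenge"             # step up: ask the security question
        if not hmac.compare_digest(answer_hash(answer, profile.salt), profile.answer_digest):
            return "challenge"             # wrong answer: keep asking, no access
        profile.known_devices.add(attempt.device_id)  # remember the verified device
    return "allow"
```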

But even as they deploy these safeguards, financial institutions are 
wary about making it so troublesome that it turns consumers off.

Indeed, several industry studies show that younger consumers - those 
under 34 - rank banking online as their preferred method of interaction 
with their financial institutions, followed by going to the ATMs and 
then in-person banking at the branch.

But too many layers can be a turn-off for some.

"I don't find it serves a purpose," said Nakeya Johnson, a Bank of 
America customer.

Last year, Bank of America Corp. introduced its SiteKey feature, which 
allows customers to pick a picture and asks them to create a word or 
phrase to go with the image.

These images and phrases let the consumer know that he or she is at the 
legitimate bank Web site and not a scam site, because when he or she 
logs in, the pre-picked picture and phrase appear. The bank also uses 
them to verify that the computer or Web-enabled device is the one 
normally used to log in to the account.

If you logged in from another computer that the bank didn't recognize, 
it would prompt the Web site to ask you several questions that only you 
could answer before giving you access to the accounts.

It's similar to approaches adopted by ING Group N.V.'s ING Direct unit 
and First Horizon National Corp. in their online banking operations.

But Johnson, a social worker, said she checks her balances every day so 
she would spot any problems quickly.

Having a SiteKey picture is just one more thing to memorize, she said.

"You have to remember the login name and the password and now you have 
to remember the picture. I'm kind of indifferent about it," she said.

That's something bank executives are watching closely, particularly 
since consumer migration to online banking has lowered the overall 
operational costs for financial institutions.

"To the extent that you can deploy anti-fraud technology that is not 
burdensome ... the last thing you want to do is discourage business," 
said David Rowan, a senior vice president and head of technology risk 
management at Atlanta-based SunTrust Banks Inc.

Some banks like One Georgia Bank require account holders to change their 
passwords every 30 days.

"Sometimes people aren't used to that," said Willard "Chuck" Lewis, 
president and chief executive of the Atlanta-based bank. "They say, 'I 
didn't have to go through as much security at my other bank,' but 
ultimately, what it does is protect the consumer. When you explain it to 
folks, they feel more secure," he said. "In today's world, where you 
have hackers and Internet access to just about everything, it really 
pays to have that extra level of security."

Some institutions, like E*Trade Financial Corp., give their customers 
the option to log into their accounts with a digital secure ID fob. The 
fob displays a series of numbers that change at regular intervals, and 
those numbers have to be entered along with the user ID and password in 
order to obtain account access.

Of course, wherever there's a new technology designed to thwart theft, 
there's a crook looking for a way around it, bankers say.

"There's always emerging new attacks by the community that's trying to 
break in," said Rudy Wolfs, chief information officer of Wilmington, 
Del.-based ING Direct.

ING Direct is among the biggest Internet banks with 4.5 million 
customers and $62 billion in assets.

"We're continually changing our procedures," Wolfs said. "It's not a 
standstill game."

This archive was generated by hypermail 2.1.3 : Tue Jan 02 2007 - 00:54:37 PST