[ISN] Financial institutions tighten security measures

From: InfoSec News (alertsinfosecnews.org)
Date: Tue Jan 02 2007 - 02:37:25 CST


http://www.news-journalonline.com/NewsJournalOnline/Business/Headlines/bizBIZ03010207.htm

Cox News Service
January 02, 2007

ATLANTA -- Over the next few days -- if you haven't experienced it
already -- when you log into your financial accounts through the
Internet, be prepared to go through another layer of
"we-need-to-know-who-you-are."

Financial institutions of all sizes are incorporating new security
authentication measures designed to be another layer of protection
against crooks' attempts to hack into legitimate bank accounts to steal
money.

Last month, Wachovia Corp. rolled out its Security Plus Project, aimed
at thwarting would-be online hackers from logging in as legitimate bank
customers and then taking their money.

The Charlotte-based financial institution's initiative, launched Dec. 8,
is part of its efforts to comply with federal banking regulators'
guidelines regarding security measures for customer log-ins.

The deadline set by the Federal Financial Institutions Examination
Council -- a consortium of federal banking regulatory agencies -- calls
for banks to establish multilayer authentication security protocols for
customer log-ins by Dec. 31.

The recommendation follows a 2004 study by the Federal Deposit Insurance
Corp. and a subsequent meeting by FFIEC officials last year that showed
the rise in online phishing and identity theft attempts. In effect,
regulators told banks the basic user ID and password weren't enough
protection against fraud.

Online banking is growing at a fast clip. According to comScore
Networks, a consumer behavior research firm, more than 40 million
Americans bank online. That's a 27 percent increase in the fourth
quarter of 2005 vs. the same period in 2004, the most recent available
figures.

The use of online bill payment services also grew -- rising 36 percent
-- during the same period. And though adoption rates are slowing,
regulators wanted more stringent measures.

"There were enough issues out there for us to take a proactive approach
for the banks to strengthen their controls in online banking," said
Michael Jackson, associate director of the FDIC's technology supervision
branch.

And since the costs of implementation of these security technologies
aren't as expensive now as they had been a few years ago, regulators
thought institutions -- from the biggest banks to the smallest credit
unions -- could incorporate them into their online security systems.

"It was an area where we thought the technology had matured enough for
the institutions to strengthen their controls," Jackson said. "And we
thought it was affordable."

Regulators gave banks a lot of flexibility in how to beef up their
online security measures, provided they satisfied the principal mandate:
the level of protection had to match the risk.

That explains why different financial institutions have adopted a myriad
of measures, some apparent to the consumer and others not so.

At Wachovia, customers still enter their user IDs and their passwords,
but behind the scenes, the bank is monitoring activity and weighs it
against their history.

Using technology from RSA, a Bedford, Mass.-based firm that makes
software for banks and other industries to help secure information and
verify identities, Wachovia gives you a risk score.

The lower your score, the greater the likelihood it's you. If the score
is high, that raises flags to the bank, alerting officials an
unauthorized user may be attempting fraud.

That would trigger a block on your account or prompt you to answer a
security question that you set up when opening the account, with a
response only you would know.

Things that might trigger a higher risk score: logging in from a
computer or hand-held device other than the one you normally use.
Another trigger is if the IP address -- the unique identifying number
attached to your computer or web-enabled device -- has been linked to
previous fraud attempts.
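The risk-scored step-up flow described above, written out as an added example (not RSA's or Wachovia's code): the device and IP signals, their weights, the two thresholds and the fraud-IP list are all constructed assumptions, and a correct answer to the security question enrols the new device so it is recognised next time.

```python
import hmac
from dataclasses import dataclass

# Assumed thresholds (the article gives none): low scores pass, mid scores
# trigger the pre-enrolled security question, high scores are blocked.
CHALLENGE_AT = 40
BLOCK_AT = 80

# Constructed list of addresses seen in earlier fraud attempts; a real
# deployment would feed this from shared fraud intelligence.
FRAUD_IPS = {"203.0.113.77"}

@dataclass
class Profile:
    known_devices: set      # device identifiers this customer normally uses
    known_ips: set          # addresses the customer has logged in from before
    security_answer: str    # answer enrolled at account setup (lower-cased)

@dataclass
class Attempt:
    device_id: str
    ip: str

def risk_score(profile, attempt):
    """Weigh the login against the customer's history; higher means riskier.
    Weights are illustrative assumptions, not a vendor's scoring model."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 45
        reasons.append("unrecognised device")
    if attempt.ip not in profile.known_ips:
        score += 20
        reasons.append("unfamiliar IP address")
    if attempt.ip in FRAUD_IPS:
        score += 60
        reasons.append("IP linked to prior fraud")
    return score, reasons

def decide(profile, attempt, answer=None):
    """Return ('allow'|'challenge'|'block', score, reasons) for one login."""
    score, reasons = risk_score(profile, attempt)
    if score >= BLOCK_AT:
        return "block", score, reasons
    if score >= CHALLENGE_AT:
        if answer is None:
            return "challenge", score, reasons
        # Constant-time compare so timing cannot leak the enrolled answer.
        if not hmac.compare_digest(answer.strip().lower(), profile.security_answer):
            return "block", score, reasons
        profile.known_devices.add(attempt.device_id)  # remember the new device
        profile.known_ips.add(attempt.ip)
    return "allow", score, reasons
```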

But even as they deploy these safeguards, financial institutions are
wary about making it so troublesome that it turns consumers off.

Indeed, several industry studies show that younger consumers -- those
under 34 -- rank banking online as their preferred method of interaction
with their financial institutions, followed by going to the ATMs and
then in-person banking at the branch.

But too many layers can be a turn-off for some.

"I don't find it serves a purpose," said Nakeya Johnson, a Bank of
America customer.

Last year, Bank of America Corp. introduced its SiteKey feature, which
allows customers to pick a picture and asks them to create a word or
phrase to go with the image.

These images and phrases let the consumer know that he or she is at a
legitimate bank Web site and not a scam site, because when he or she logs
in, the pre-picked picture and word appear. The banks use them to
verify that the computer or Web-enabled device is actually the one
normally used to log in to the account.

If you logged in from another computer that the bank didn't recognize,
it would prompt the Web site to ask you several questions that only you
could answer before giving you access to the accounts.

It's similar to approaches adopted by ING Group N.V.'s ING Direct unit
and First Horizon National Corp. in their online banking operations.

But Johnson, a social worker, said she checks her balances every day so
she would spot any problems quickly.

Having a SiteKey picture is just one more thing to memorize, she said.

"You have to remember the login name and the password and now you have
to remember the picture. I'm kind of indifferent about it," she said.

That's something bank executives are watching closely, particularly
since consumer migration to online banking has lowered the overall
operational costs for financial institutions.

"To the extent that you can deploy anti-fraud technology that is not
burdensome ... the last thing you want to do is discourage business,"
said David Rowan, a senior vice president and head of technology risk
management at Atlanta-based SunTrust Banks Inc.

Some banks like One Georgia Bank require account holders to change their
passwords every 30 days.

"Sometimes people aren't used to that," said Willard "Chuck" Lewis,
president and chief executive of the Atlanta-based bank. "They say, 'I
didn't have to go through as much security at my other bank,' but
ultimately, what it does is protect the consumer. When you explain it to
folks, they feel more secure," he said. "In today's world, where you
have hackers and Internet access to just about everything, it really
pays to have that extra level of security."

Some institutions, like E*Trade Financial Corp., give their customers the
option to log into their accounts with a digital secure ID fob. The fob
displays a series of numbers that change at regular intervals, and those
numbers have to be entered along with the user ID and password in order
to obtain account access.

Of course, wherever there's a new technology designed to thwart theft,
there's a crook looking for a way around it, bankers say.

"There's always emerging new attacks by the community that's trying to
break in," said Rudy Wolfs, chief information officer of Wilmington,
Del.-based ING Direct.

ING Direct is among the biggest Internet banks with 4.5 million
customers and $62 billion in assets.

"We're continually changing our procedures," Wolfs said. "It's not a
standstill game."
