FDIC: Banks Must Improve Online Security

By Martin H. Bosworth
October 25, 2005

In a report earlier this month, the Federal Deposit Insurance Corporation (FDIC) warned that security measures were generally inadequate. The report advocated using more than one type of security authentication, rather than relying on a single type (known as "single-factor"), to verify a customer's identity before granting them access to their accounts online. Among the report's recommendations:
The report mandated that banks implement a "risk assessment" system to determine which transactions require more than one factor of authentication, and to "implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks." The report instituted a timeline for banks to improve their security through 2006.

The FDIC did not endorse any one specific way banks should improve their security, which gives many security companies the opportunity to hawk their products as the key to improving the safety of online banking. E-Trade Financial is implementing a "token" system, using small keychain-sized cards that generate random passwords every sixty seconds, for users of its online banking system. Other banks are experimenting with biometric fingerprint readers, smart card readers, and so on.

Bank of America is in the process of deploying its new "SiteKey" system nationwide. The "SiteKey" system adds a special "challenge" question to identify users logging in to an account from a computer other than their own, and adds a special icon or image that users can choose in order to verify that they are visiting the actual Bank of America site. The SiteKey system has been implemented throughout much of the country, but full deployment of the system has been delayed until 2006, according to Bank of America.

Critics of the new security techniques say that while they may be able to improve identification from the user's side, they don't solve the problem of inadequate security procedures on the bank's side of the transaction.

The biggest threat to online banking is that many banks are actively getting rid of basic security measures in an effort to provide faster service to their customers. Several major banks, including Bank of America, Chase, and Wachovia, have removed Secure Sockets Layer (SSL) pages from their online logins. The unsecured logins will instead take users to a separate, SSL-enabled page.

SSL encryption can be identified by the page address beginning with "https" rather than "http," and by the familiar "lock" icon that displays in a user's Web browser. Web pages that do not use this encryption can be more easily "hijacked" by phishers, pharmers, and other online fraudsters. Unwitting customers can click on a site thinking it's legitimate, and be taken to a site that resembles the one they want, but is controlled by phishers looking to steal their personal data.

Both the Federal Trade Commission (FTC) and the Anti-Phishing Working Group have issued warnings against performing online transactions on Web pages that don't have SSL enabled.

According to Rich Miller, author of the Netcraft technology site's news blog, "In placing login screens on non-SSL home pages, banks are trying to have it both ways: fast page loading without the SSL-related performance hit."

Copyright © 2003-2008 ConsumerAffairs.com Inc. All Rights Reserved.