
Consumer Affairs

FDIC: Banks Must Improve Online Security

Banks and financial institutions are beginning to respond to warnings that their online transaction systems provide inadequate security. E-Trade and Bank of America have recently instituted new security measures and other institutions are expected to follow.

In a report earlier this month, the Federal Deposit Insurance Corporation (FDIC) warned that security measures were generally inadequate. The report advocated using more than one type of authentication, rather than the "single-factor" approach of relying on a lone credential such as a password, to verify a customer's identity before granting them access to their accounts online.

Among the report's recommendations:

• Banks need to implement higher levels of security and authentication for "high risk" transactions, "involving access to customer information or the movement of funds to other parties."

• Bank customers need more education and awareness of security risks and procedures in order to use online banking effectively.

• Banks should employ a combination of authentication systems, such as passwords and biometric readers, or PINs and longer passwords, rather than relying on any "single" factor to validate a customer's identity.

The report mandated that banks implement a "risk assessment" system to determine which transactions require more than one factor of authentication, and to "implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks." The report instituted a timeline for banks to improve their security through 2006.

The FDIC did not endorse any one specific way banks should improve their security, which gives many security companies the opportunity to hawk their products as the key to improving the safety of online banking.

E-Trade Financial is implementing a "token" system, using small keychain-sized cards that generate random passwords every sixty seconds, for users of its online banking system. Other banks are experimenting with biometric fingerprint readers, smart card readers, and so on.
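The article does not describe the algorithm inside E-Trade's keychain token. The following is an added example, not E-Trade's or the FDIC's code, showing how such a token and its server-side verifier typically work: the standard time-based one-time password scheme (RFC 6238 TOTP, built on RFC 4226 HOTP with HMAC-SHA1), using the sixty-second interval the article mentions. The secret, timestamps and class names are constructed for the example. The verifier illustrates two checks a bank's server needs beyond "does the code match": tolerance for small clock drift between token and server, and refusal to accept a code that has already been used in its time step.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; a real token holds a per-device secret
# provisioned by the bank. Assumption: the token follows RFC 6238 TOTP.
DEMO_SECRET = b"constructed-demo-secret-for-example"
STEP_SECONDS = 60   # the article describes a new code every sixty seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """What the keychain token displays at a given time: HOTP over the time step."""
    return hotp(secret, unix_time // step)


class TokenVerifier:
    """Server side: accept a code only within a small clock-drift window, and
    never accept the same time step twice (replay of a code someone observed)."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window          # how many adjacent steps to tolerate
        self.last_counter = -1        # highest time step already consumed

    def check(self, submitted: str, unix_time: int) -> bool:
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue              # already used, or older than a used code
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = 1_000_000                   # constructed timestamp
    shown = totp(DEMO_SECRET, now)
    verifier = TokenVerifier(DEMO_SECRET)
    print("token shows", shown, "- accepted:", verifier.check(shown, now))
    print("same code submitted again - accepted:", verifier.check(shown, now + 5))
```

The `hotp` function can be checked against the published RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`), which is how one confirms an implementation before trusting it with real secrets.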

Bank of America is in the process of deploying its new "SiteKey" system nationwide. The "SiteKey" system adds a special "challenge" question to identify users logging in to an account from a computer other than their own, and adds a special icon or image that users can choose in order to verify that they are visiting the actual Bank of America site.
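To make the layered approach concrete, here is an added example (not Bank of America's SiteKey code nor anything the FDIC published) that ties together the two ideas from the report and the SiteKey description above: a risk assessment that decides which transactions are "high risk", and a device-recognition cookie that decides whether a challenge question is needed and whether the customer's chosen image may be shown. All action names, the server key and the threshold are constructed; the risk categories follow the FDIC wording quoted earlier (access to customer information or movement of funds to other parties).

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed server-side key; in production this would be a managed secret.
SERVER_KEY = b"constructed-server-key-for-example"

# Hypothetical action names. "High risk" follows the FDIC wording quoted in
# the article: access to customer information or movement of funds to others.
HIGH_RISK_ACTIONS = {"transfer_external", "add_payee",
                     "change_contact_details", "download_statements"}
HIGH_VALUE_THRESHOLD = 1000.0   # constructed threshold for internal transfers


def assess_risk(action: str, amount: float = 0.0) -> str:
    """Classify a requested transaction as 'low' or 'high' risk."""
    if action in HIGH_RISK_ACTIONS:
        return "high"
    if action == "transfer_internal" and amount >= HIGH_VALUE_THRESHOLD:
        return "high"
    return "low"


def _device_mac(customer_id: str, device_id: str) -> str:
    msg = f"{customer_id}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_cookie(customer_id: str) -> str:
    """After a fully authenticated login, bind this browser to the customer.
    The cookie is a random device id plus a MAC over (customer, device), so it
    can be neither forged nor transplanted into another customer's login."""
    device_id = secrets.token_hex(16)
    return f"{device_id}.{_device_mac(customer_id, device_id)}"


def device_is_recognized(customer_id: str, cookie: Optional[str]) -> bool:
    if not cookie or "." not in cookie:
        return False
    device_id, mac = cookie.rsplit(".", 1)
    return hmac.compare_digest(_device_mac(customer_id, device_id), mac)


def required_controls(customer_id: str, cookie: Optional[str],
                      action: str, amount: float = 0.0) -> List[str]:
    """Layered policy: password always; a SiteKey-style challenge question on
    an unfamiliar computer; a second factor for high-risk transactions."""
    controls = ["password"]
    if not device_is_recognized(customer_id, cookie):
        controls.append("challenge_question")
    if assess_risk(action, amount) == "high":
        controls.append("one_time_code")
    return controls


def site_image_for(customer_id: str, cookie: Optional[str],
                   chosen_images: Dict[str, str]) -> Optional[str]:
    """Mutual-authentication step: the customer's chosen image is released only
    to a recognized device, so a look-alike site that lacks the cookie cannot
    reproduce it. (A real deployment asks the challenge question first on an
    unrecognized device; this example simply withholds the image.)"""
    if device_is_recognized(customer_id, cookie):
        return chosen_images.get(customer_id)
    return None


if __name__ == "__main__":
    cookie = issue_device_cookie("cust-1")
    print(required_controls("cust-1", cookie, "view_balance"))
    print(required_controls("cust-1", None, "transfer_external", 250.0))
    print(site_image_for("cust-1", cookie, {"cust-1": "lighthouse.png"}))
```

The device cookie does nothing to authenticate the person; it only records that this browser completed the full set of controls before, which is exactly why the policy keeps the second factor for high-risk actions even on a recognized device.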

The SiteKey system has been implemented throughout much of the country, but full deployment of the system has been delayed until 2006, according to Bank of America.

Critics of the new security techniques say that while they may be able to improve identification from the user's side, they don't solve the problem of inadequate security procedures on the bank's side of the transaction.

The biggest threat to online banking is that many banks are actively getting rid of basic security measures in an effort to provide faster service to their customers. Several major banks, including Bank of America, Chase, and Wachovia, have removed Secure Sockets Layer (SSL) protection from the pages that carry their online login forms. The unsecured login pages instead submit the user's credentials to a separate, SSL-enabled page.

SSL encryption can be identified by the page address beginning with "https" rather than "http," and by the familiar "lock" icon that displays in a user's Web browser. Web pages that do not use this encryption can be more easily "hijacked" by phishers, pharmers, and other online fraudsters.

Unwitting customers can click on a site thinking it's legitimate, and be taken to a site that resembles the one they want, but is controlled by phishers looking to steal their personal data.

Both the Federal Trade Commission (FTC) and the Anti-Phishing Working Group have issued warnings against performing online transactions on Web pages that don't have SSL enabled.

According to Rich Miller, author of the Netcraft technology site's news blog, "In placing login screens on non-SSL home pages, banks are trying to have it both ways: fast page loading without the SSL-related performance hit."
