Federal regulators have outlined several ways in which financial institutions can keep financial data and account access more secure on the Internet.
The Federal Financial Institutions Examination Council released new security guidance for Internet banking last week. The guidance will replace Authentication in an Electronic Banking Environment issued in 2001.
The council states that single-factor authentication is behind much of the identity theft and account fraud reported in the past several years. Banks will be required to have a two-tiered approach to security by next year. The council did not endorse any particular technology, but it did outline several methods for improving authentication.
"Since 2001, there have been significant legal and technological changes with respect to the protection of customer information; increasing incidents of fraud, including identity theft; and the introduction of improved authentication technologies," the FFIEC wrote in a statement released last week. "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."
Drawing from FDIC studies from December 2004 and June 2005, the council points to USB tokens the size of a house key, coupled with a password, as one example of multi-layered protection for customer access. The documents state that the devices are difficult to duplicate, tamper resistant and can store digital certificates for use in public key infrastructure environments. They describe the tokens as user-friendly, easy to carry and relatively simple to implement.
Electronic tokens that generate one-time passwords can fail because of abuse or defects. Non-hardware-based one-time password scratch cards, with numbers printed inside a grid, are listed in the council documents as a low-cost and easy, if low-tech, method. Web sites could direct users to a particular cell and request the number inside.
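The grid scratch-card scheme described above, as an added illustration that is not part of the article or of the FFIEC documents: the server picks cells the customer has not yet been asked for, compares the answer in constant time, and retires each cell after a successful use so a captured response cannot be replayed. The card layout, the two-digit cell values and the challenge length are assumptions chosen for the example; the sample card is constructed data.

```python
import hmac
import secrets

ROWS = "ABCDE"          # grid rows printed on the card (assumed layout)
COLS = 5                # grid columns (assumed layout)
CHALLENGE_LEN = 3       # cells requested per login (assumed policy)

# Constructed sample card for the demonstration; not a real card.
SAMPLE_CARD = {
    "A1": "17", "A2": "42", "A3": "08", "A4": "91", "A5": "63",
    "B1": "55", "B2": "29", "B3": "74", "B4": "03", "B5": "88",
}


def issue_card():
    """Create a fresh card: every cell holds a random two-digit value."""
    return {f"{r}{c}": f"{secrets.randbelow(100):02d}"
            for r in ROWS for c in range(1, COLS + 1)}


def make_challenge(card, used):
    """Pick CHALLENGE_LEN distinct cells that have not been spent yet."""
    pool = [cell for cell in card if cell not in used]
    if len(pool) < CHALLENGE_LEN:
        raise ValueError("card exhausted: issue a replacement card")
    chosen = []
    for _ in range(CHALLENGE_LEN):
        chosen.append(pool.pop(secrets.randbelow(len(pool))))
    return chosen


def verify(card, used, challenge, response):
    """Check the customer's answer; on success, retire the cells used."""
    # A challenge that names an already-spent cell is rejected outright,
    # so a response captured earlier is useless even if replayed exactly.
    if any(cell in used for cell in challenge):
        return False
    expected = "".join(card[cell] for cell in challenge)
    # Constant-time comparison avoids leaking how many digits matched.
    if not hmac.compare_digest(expected.encode(), response.encode()):
        return False
    used.update(challenge)
    return True


if __name__ == "__main__":
    used = set()
    challenge = make_challenge(SAMPLE_CARD, used)
    print("Enter the values in cells:", " ".join(challenge))
    answer = "".join(SAMPLE_CARD[c] for c in challenge)  # simulated customer
    print("accepted:", verify(SAMPLE_CARD, used, challenge, answer))
    print("replay accepted:", verify(SAMPLE_CARD, used, challenge, answer))
```

The `used` set is the state the bank must keep per card; once fewer unspent cells remain than a challenge needs, `make_challenge` refuses and a new card has to be issued, which is the practical limit of the low-tech approach.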
Smart cards with microprocessors can support robust authentication schemes and are almost as convenient as tokens -- except they would require consumers to install hardware and software at home.
In comparing biometrics, the documents focus more on ease and reliability of fingerprint recognition than any other method, though scanners would need to be installed on participating computers.
Out-of-band authentication, using a predetermined word or phrase, is already in use for commercial banking and brokerage houses. It is mentioned as another option for individual users.
The report states that most financial institutions do not authenticate their Web sites to users, although doing so adds a layer of protection against phishing attacks.
Geo-location, using IP addresses and the time it takes for information to travel through electronic pathways, could be used to authenticate cyber distances but may not be suitable for wireless networks, according to the documents. Assigning individual IP addresses to customers is mentioned as a possibility, though an unlikely one.
The guidance, which cites Patriot Act reporting requirements, also suggests customer verification techniques. They include requesting that customers open accounts in person; making sure telephone numbers, area codes, zip codes and street addresses match; checking data for previous associations with fraudulent activity; and using a third-party database to match answers to detailed questions.
In a recent news release, the council stated: "An effective authentication system is necessary for financial institutions’ compliance with requirements to safeguard customer information; to prevent money laundering and terrorist financing; to reduce fraud and the theft of sensitive customer information, often the precursor to identity theft; and to promote legal enforceability of financial institutions’ electronic agreements and transactions."