By BRIAN BERGSTEIN
October 30, 2005
BOSTON (AP) - If you do banking over the Internet, generally the drill
is pretty simple: You enter your user name and password, and away you
go. But behind the scenes, the bank can do a lot to check you out: Are
you at your home computer, or at one with an Internet address that,
strangely, is registered overseas? Are you logging on at an unusual
time of day, or from a super-fast connection when normally you have
This kind of analysis is one example of the layers that bank Web sites
will be adding by the end of 2006 to meet new demands from federal
regulators for "two-factor" authentication. That essentially means
checking something more than just user name and password to verify a
"Phishers" and other Internet fraud artists have become adept at
stealing passwords, mainly through "social engineering." Preying on
people's propensity to believe something seemingly authoritative,
criminals send authentic-looking e-mails that send unsuspecting people
to an authentic-looking Web site where they give away their data.
Many banks overseas, where data-privacy laws are stronger, already
have deployed a second level of authentication. They give customers
specialized hardware, such as a "smart card" or an electronic token
that displays a changing series of passcodes.
Cost-conscious U.S. banks are unlikely to go as far. Instead, they'll
probably perform tweaks inside their own Web servers that most of us
will barely notice.
"We're trying to come up with something here that's very
user-friendly," said Jim Maloney, chief security executive of
Corillian Corp., a Web-banking services company that offers
If the software raises red flags about a user's profile - because,
say, he one day logs in from Denmark instead of Denver - the bank can
confirm his identity by asking a series of questions that only he is
likely to know, such as the amount of his last mortgage payment, or
the street he grew up on.
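The profile check and step-up described above, as an added Python example (not code from the article or from any bank or vendor it names). The field names, weights, threshold and sample profile are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    """What the bank has learned from a customer's earlier sessions."""
    devices: set
    countries: set
    usual_hours: tuple   # (start, end) hour of day; may wrap past midnight
    connection: str      # "dialup" or "broadband"

@dataclass
class Login:
    device: str
    country: str
    hour: int
    connection: str

# Assumed weights and threshold; a real deployment would tune these.
WEIGHTS = {"device": 2, "country": 3, "hour": 1, "connection": 1}
STEP_UP_AT = 3

def in_window(hour, window):
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end   # e.g. (22, 6) spans midnight

def red_flags(profile, login):
    flags = []
    if login.device not in profile.devices:
        flags.append("device")
    if login.country not in profile.countries:
        flags.append("country")
    if not in_window(login.hour, profile.usual_hours):
        flags.append("hour")
    if login.connection != profile.connection:
        flags.append("connection")
    return flags

def decide(profile, login):
    """Runs after the password check; returns (action, score, flags)."""
    flags = red_flags(profile, login)
    score = sum(WEIGHTS[f] for f in flags)
    action = "challenge_questions" if score >= STEP_UP_AT else "allow"
    return action, score, flags

# Constructed sample profile: a customer who banks from home in the evening.
DENVER = Profile({"home-pc"}, {"US"}, (18, 23), "dialup")
```

A single weak signal, such as an unusual hour, stays below the threshold, so the customer is only asked the extra questions when the mismatch is strong or several signals line up.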
That kind of fraud detection has long existed on credit cards, and the
fact that Web banking has yet to widely deploy it says a lot about the
state of the industry.
Although identity theft and other financial fraud have garnered a lot
of attention and are believed to be getting more sophisticated, banks
have been reluctant to do anything to increase the cost and complexity
of their Web sites.
After all, the Internet is supposed to be banks' low-cost platform,
cheaper than having customers deal with tellers or ring up the help
desk. The efficiencies of self-service Web banking likely have
outweighed the costs of fraud, which some estimates have placed as low
as $137 million worldwide in 2004.
"Right now banks don't have that much security around checking
accounts," said Avivah Litan, an analyst with the Gartner research
firm. "Generally speaking, their losses are pretty tolerable."
However, on Oct. 12, the Federal Financial Institutions Examination
Council, an umbrella group of U.S. regulators including the Federal
Reserve and the Federal Deposit Insurance Corp., told banks to
strengthen their online authentication by the end of 2006. Auditors
will examine those efforts in regular inspections.
The policy was widely interpreted as a boost for security providers,
who are tired of seeing banks kick the tires of two-factor
authentication services but generally not buy.
According to a June report from the FDIC, a handful of U.S. banks had
given customers tokens with passcodes that change every minute. The
codes are generated by an algorithm programmed into the token and
confirmed on a central authenticating server, making the password
impossible to guess.
But tokens create their own headaches. They're relatively costly to
deploy and can prompt lots of calls to customer service if they're
lost or temporarily out of reach. Banks also fear a "necklace"
scenario in which customers end up collecting an annoying strand of
tokens from all the companies they do business with online.
Even one token might be seen as a hassle.
After ETrade Financial Corp. began offering tokens from RSA Security
Inc. to its 2.8 million U.S. customers, only 20,000 signed up. Almost
all those people could get the gadgets for free because they were
frequent traders or had more than $50,000 in their accounts; everyone
else had to pay $25.
One-time passwords can be given out in less expensive ways. They can
be beamed to a cell phone or handheld computer, or mailed to customers
on scratch-off cards.
But security experts warn that one-time passwords can be stolen in a
"man-in-the-middle" attack, in which a con artist harvests a victim's
code on a phony Web site and instantly relays it to the real bank,
then conducts transactions in her name. Such frauds are rare - if they
happen at all - but that's partly because there are so many easier
targets, for now.
Token vendors point out that their devices can be set to foil men in
the middle by generating additional codes for each individual
transaction. Still, there are enough knocks against hardware-based
solutions that most banks will take softer steps to meet the
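An added Python example (not from the article or any token vendor) of the two ideas above: a passcode that changes every minute and is confirmed by the server, and a per-transaction code that a relayed login code cannot stand in for. It uses the public HOTP/TOTP construction from RFC 4226 and RFC 6238 as a stand-in for the vendors' own algorithms; the seed, account labels and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds; the article's tokens change every minute

def _truncate(mac, digits=6):
    # RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the MAC.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def login_code(seed, now):
    """Passcode the token shows during the one-minute window containing `now`."""
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(seed, counter, hashlib.sha1).digest())

def transaction_code(seed, now, payee, cents):
    """Per-transaction code: payee and amount are mixed into the MAC input."""
    msg = struct.pack(">Q", now // STEP) + f"|{payee}|{cents}".encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())

def server_accepts_login(seed, code, now, used_windows):
    # Check the current and previous window (clock drift); each window works once.
    for window in (now // STEP, now // STEP - 1):
        if window < 0:
            continue
        expected = login_code(seed, window * STEP)
        if hmac.compare_digest(expected, code) and window not in used_windows:
            used_windows.add(window)
            return True
    return False

def server_accepts_transfer(seed, code, now, payee, cents):
    # The server recomputes the code over the transfer it was actually asked to make.
    expected = transaction_code(seed, now, payee, cents)
    return hmac.compare_digest(expected, code)

if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed seed (the RFC 4226 test key)
    used = set()
    code = login_code(seed, 60)
    print(code, server_accepts_login(seed, code, 75, used))   # first use
    print(server_accepts_login(seed, code, 80, used))         # replay, same window
    tx = transaction_code(seed, 100, "ACCT-1111", 25000)      # what the customer approved
    print(server_accepts_transfer(seed, tx, 100, "ACCT-1111", 25000))
    print(server_accepts_transfer(seed, tx, 100, "ACCT-9999", 25000))  # altered payee
```

The login code is valid for whoever presents it first within its window, which is why a relayed code works; the transaction code only verifies for the payee and amount the customer's token computed it over.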
In one approach, encrypted electronic "certificates" could be issued
that users would store in a small file on their computers. These
certificates would confirm to the bank that the user is bona fide. In
turn, a properly encrypted certificate would not respond to a Web site
other than the one that issued it - protecting the user as well as the
Banks also might ask customers to enter passwords on drop-down menus
or "scrambled PIN pads," in which an on-screen display indicates
letters that correspond to the numbers in the PIN. That code changes
Those techniques are designed to throw off Trojan horses and
keystroke-logging programs that aim to steal passwords by registering
everything a victim types. Web bank ING Direct, part of Holland's ING
Groep NV, recently added a scrambled PIN pad to its site.
Another software-based approach is Bank of America's SiteKey service.
The bank's Web page shows each user a personally chosen picture and
caption at the beginning of each banking session, and asks randomly
chosen "secret questions" that users have set up in advance.
However, even this kind of approach could be flawed unless many users
are better educated about the constant arms race between Web sites and
criminals. Social engineering, not technology, often is the real
Richard M. Smith, an Internet security consultant behind
ComputerBytesMan.com, says he expects phishers will send
legitimate-seeming messages to dupe people into believing, for
example, that their SiteKey picture had to be changed.
"I think people would still fall for this kind of trick," he said.
"The key thing to remember is that phishers are very adaptable, and
they will make changes to their operation when security technology is
upgraded and becomes popular."
On the Net:
FDIC report on bank security: