Banks adding security for online accounts

December 29, 2006 | By Cox News Service

ATLANTA -- When you log into bank accounts on the Internet over the next few days - if you haven't experienced it already - be prepared to go through another layer of "we-need-to-know-who-you-are."

Financial institutions of all sizes are incorporating new security authentication measures as another layer of protection against crooks' attempts to hack into legitimate bank accounts to steal money.

The deadline set by the Federal Financial Institutions Examination Council - a consortium of federal banking regulatory agencies - calls for banks to establish multi-layer authentication security protocols for customer log-ins by Dec. 31.

The recommendation follows a 2004 study by the Federal Deposit Insurance Corp. and a subsequent meeting by FFIEC officials last year that showed a rise in online attempts at identity theft.

In effect, regulators told banks the basic user ID and password weren't enough protection against fraud.

Online banking is growing at a fast clip. According to comScore Networks, a consumer behavior research firm, more than 40 million Americans bank online. That's a 27 percent increase in the fourth quarter of last year versus the fourth quarter of 2004, the most recent available figures.

The use of online bill payment services also grew - rising 36 percent - during the same period.

And though adoption rates are slowing, regulators wanted more stringent measures.

"There were enough issues out there for us to take a proactive approach for the banks to strengthen their controls in online banking," said Michael Jackson, associate director of the FDIC's technology supervision branch. Because implementation of these security technologies isn't as expensive now as a few years ago, regulators thought institutions - from the biggest banks to the smallest credit unions - could incorporate them into their online security systems.

Regulators gave banks a lot of flexibility in how to improve their online security measures, provided they satisfied the principal mandate: the level of protection had to match the risk.

That explains why different financial institutions have adopted a myriad of measures, some apparent to the consumer and others not so.

This month, Wachovia Corp. rolled out its Security Plus Project, aimed at thwarting would-be online hackers from logging in as legitimate bank customers and then taking their money.

At Wachovia, customers still enter their user IDs and their passwords, but behind the scenes, the bank monitors activity and weighs it against their history.

Using technology from RSA Security Inc., a Bedford, Mass.-based firm that makes software for banks and other industries to help secure information and verify identities, Wachovia gives you a risk score.

The lower your score, the greater the likelihood that it's you. If the score is high, that raises flags to the bank, alerting officials that an unauthorized user may be attempting fraud.

That would trigger a block on your account or prompt you to answer a security question that you already answered when setting up the account, with a response that only you would know.

Things that might trigger a higher risk score: logging in from a computer or hand-held device other than the one you normally use. Another trigger is if the IP address - the unique identifying number attached to your computer or Web-enabled device - has been connected to previous fraud attempts.

But even as they deploy these safeguards, financial institutions are wary about making it so troublesome that it turns consumers off.

Indeed, several industry studies show that younger consumers - those younger than 34 - rank banking online as their preferred method of interaction with their financial institutions, followed by going to ATMs and then in-person banking at the branch.

But too many layers can be a turnoff for some.

"I don't find it serves a purpose," said Nakeya Johnson, a Bank of America customer.

Last year, Bank of America Corp. introduced its SiteKey feature, which allows customers to pick a picture and asks them to create a word or phrase to go with the image.

These images and phrases let the consumer know that he or she is at a legitimate bank Web site and not a scheme site because when he or she logs in, the pre-picked picture and word appear. The banks use them to verify that the computer or Web-enabled device is the one normally used to log in to the account.

"To the extent that you can deploy anti-fraud technology that is not burdensome ... the last thing you want to do is discourage business," said David Rowan, a senior vice president and head of technology risk management at Atlanta-based SunTrust Banks Inc.

Of course, wherever there's a new technology designed to thwart theft, there's a crook looking for a way around it, bankers say.

"There's always emerging new attacks by the community that's trying to break in," said Rudy Wolfs, chief information officer of Wilmington, Del.-based ING Direct, among the biggest Internet banks with 4.5 million customers and $62 billion in assets.

"We're continually changing our procedures," Wolfs said. "It's not a standstill game."
