BAI Banking Strategies
November/December 2005
What Lengths Will Customers Go To To Protect Their Online Accounts?

BY KAREN EPPER HOFFMAN

The Days Of The Password Being The Only Thing That Stands Between The Customer And His Account Are Over. Several New Authentication Technologies Are Available, And Financial Institutions Are Exploring Their Effectiveness, Practicality And Cost. How Much Inconvenience Will The Customer Accept?

| SYNOPSIS | Financial firms are responding to well-publicized security breaches and regulatory recommendations, as well as customer concern, by adopting forms of authentication that go far beyond basic password entry. Solutions include a two-way picture-based system that verifies both customer identity and Web site authenticity, passcode-generating key fobs, biometrics, challenge questions and software that detects fraud based on computer log-in or activity. Banks weigh the effectiveness, practicality and cost of various approaches.

Stung by a string of high-profile phishing and spoofing attacks, financial institutions are increasingly employing stronger forms of authentication to better validate their customers. Banks are recognizing they need to offer more than just conventional password security to protect their customers' accounts, especially online.

"Bank customers have to assume that their user name and password are going to be compromised," says George Tubin, senior analyst for TowerGroup of Needham, Mass. "We have to move forward assuming that it's going to get stolen." Indeed, the Federal Deposit Insurance Corp. (FDIC) recommended in a December 2004 report that financial institutions should consider upgrading password-based systems and using more sophisticated software to detect suspicious account activity.

There are now several different authentication technologies on the market, such as tokens, biometrics and picture-based systems, and they vary in complexity and in the number of "factors" they check. Authentication rests on the idea that a person can prove his identity with something he has (e.g., a card, a license or a passcode-generating token), something he knows (e.g., a PIN code or a password) or something he is (e.g., a fingerprint or retina scan).

Providing one of these proofs is considered one-factor authentication. Confirming an identity with proofs from two of the three categories is two-factor authentication. Two proofs from the same category, such as a password plus a challenge question, both of which are things the customer knows, add a second hurdle but not a second factor, because the same phishing e-mail or keylogger that captures one can capture the other.


Financial service executives today are reportedly wrestling with the inevitable tradeoff between the effectiveness of an authentication scheme in protecting a customer account and the customer's acceptance of the controls in place. A security system can be so robust that customers find it overly difficult or cumbersome to use. How much hassle are customers willing to accept to access their financial accounts? The world's best authentication system will be worthless if customers won't use it.

In assessing the various systems, executives seek to balance security with usability. The hope, experts say, is to find that happy medium. Just as no two financial institutions are exactly alike, no single means of authentication will likely fit the bill for every bank. Certain technologies are appropriate for certain customer bases or certain customer segments.

The Trouble with Passwords

Financial institutions have long valued the need for effective authentication. The traditional password protection system seemed to work until a couple of years ago, when the industry was subject to a surge of "phishing" and "spoofing" attacks. (Phishing is when hackers e-mail consumers pretending to be a legitimate company in order to elicit personal or financial information; spoofing involves fake Web sites that imitate a financial firm's real one.)

High-profile banks hit by phishing and spoofing attacks include Minneapolis-based U.S. Bancorp, Citigroup Inc. of New York, Seattle's Washington Mutual Inc., and Wachovia Corp. and Bank of America Corp., both of Charlotte, N.C. The December 2004 FDIC report on online security found that between May 2003 and April 2004, 2 million U.S. Internet users had experienced an "account hijacking."

The attacks keep coming. Amir Orad, the executive vice president of New York-based security vendor Cyota, Inc., says he's seen a "major wave of innovation and sophistication in the last 18 months" in online fraud attempts.

Since many banks are already employing the best security they can on their end, fraudsters are shifting their focus to the weakest part of the system: the exchange in which the consumer proves his identity to the financial institution and, conversely, judges whether the institution's Web site or e-mail messages are legitimate. (For more on the consumer's role in protecting his accounts, see "Deputizing the Customer," January/February 2005, Banking Strategies.)

"The weak link here is usually the user and his PC," says Jim Maloney, chief security executive for Corillian Corp., an online financial software firm based in Hillsboro, Ore. "Just using an account name and password is not working anymore."

Traditional passwords are easily compromised or stolen. A password also answers only one question, whether the person presenting it knows the secret. It can't tell the institution, for example, where a customer is logging in from, whether the computer is one the customer has used before, or whether the transaction falls within the parameters of "typical" behavior for that customer.
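To make concrete what a password check cannot tell the bank, here is an added Python example, not code from the article or from any vendor it names, of the kind of risk-based scoring the text goes on to describe. It scores a login attempt against the customer's history on four signals: whether the device has been seen before, whether the country is new, whether the customer could plausibly have travelled from the last login to this one (geo-velocity), and whether a burst of failed attempts preceded it. The login records, the weights, the cut-offs and the device-identifier scheme are all constructed for the example and are assumptions.

```python
"""Risk-based login scoring: what a password check alone cannot tell you.

Added example with constructed data; weights and thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    customer: str
    ts: int                 # Unix time of the attempt
    device_id: str          # persistent cookie or hashed browser/OS fingerprint (assumed)
    country: str
    lat: float
    lon: float
    success: bool = False   # outcome; not consulted for the attempt being scored


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


MAX_PLAUSIBLE_KMH = 900.0    # about airliner speed; faster means two different people
FAIL_WINDOW_SECONDS = 3600   # look-back for failed attempts


def score_login(history: list[Login], attempt: Login) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for one attempt against the customer's prior logins."""
    score, reasons = 0, []
    successes = [l for l in history if l.success and l.customer == attempt.customer]

    # Device recognition: has this browser/device completed a successful login before?
    if attempt.device_id not in {l.device_id for l in successes}:
        score += 40
        reasons.append("new device")

    # Location: has this customer ever logged in from this country?
    if attempt.country not in {l.country for l in successes}:
        score += 30
        reasons.append("new country")

    # Geo-velocity: could one person have travelled from the last successful
    # login to this location in the elapsed time?
    if successes:
        last = max(successes, key=lambda l: l.ts)
        hours = (attempt.ts - last.ts) / 3600
        km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append("impossible travel")

    # Password guessing or credential stuffing shows up as a burst of failures.
    recent_failures = sum(
        1 for l in history
        if not l.success and l.customer == attempt.customer
        and 0 <= attempt.ts - l.ts < FAIL_WINDOW_SECONDS
    )
    if recent_failures >= 3:
        score += 40
        reasons.append("recent failed attempts")

    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action; the cut-offs are assumptions."""
    if score >= 70:
        return "deny"
    if score >= 40:
        return "step-up"   # e.g. a challenge question or a one-time code
    return "allow"


# Constructed history: one customer, one home PC in Charlotte, N.C., three daily logins.
CHARLOTTE = (35.2271, -80.8431)
BUCHAREST = (44.4268, 26.1025)
T0 = 1_130_000_000
HISTORY = [
    Login("c1", T0 + d * 86400, "dev-A", "US", *CHARLOTTE, success=True)
    for d in range(3)
]

ROUTINE = Login("c1", T0 + 3 * 86400, "dev-A", "US", *CHARLOTTE)           # same PC, same place
NEW_PC = Login("c1", T0 + 3 * 86400, "dev-B", "US", *CHARLOTTE)            # unfamiliar PC
ABROAD = Login("c1", T0 + 2 * 86400 + 3600, "dev-C", "RO", *BUCHAREST)     # an hour after Charlotte

if __name__ == "__main__":
    for name, attempt in [("routine", ROUTINE), ("new_pc", NEW_PC), ("abroad", ABROAD)]:
        s, why = score_login(HISTORY, attempt)
        print(f"{name}: score={s} action={decide(s)} reasons={why}")
```

The routine login scores zero and is allowed; the unfamiliar PC alone trips a step-up challenge rather than a denial; the login from Bucharest an hour after one from Charlotte stacks new device, new country and impossible travel and is denied. None of those distinctions is visible to a plain password check, which is the point of the paragraph above.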

As a result, some institutions are introducing new authentication technologies. In many cases, they are beginning to require that their customers provide two proofs, or "factors" of identity, to access their accounts online, or even at the branch or call center.

Regulatory Watch

The banks are not driving the process entirely on their own. In its December 2004 report, the FDIC pointed out that "fraudsters are taking advantage of bank reliance on single-factor authentication for remote access to online banking and the lack of e-mail and Web site authentication to perpetrate account hijacking identity theft."

Concerned that regulators might crack down on them for not voluntarily implementing better authentication, banks are being proactive. They're following the FDIC's suggestion to upgrade to two-factor authentication, use scanning software to defend against phishing, and do a better job of educating consumers and sharing information with other financial firms, government agencies and technology vendors.

"When the FDIC comes out with strong recommendations, banks listen," says TowerGroup's Tubin.

In early October, the Federal Financial Institutions Examination Council upped the ante, recommending that banks put multifactor authentication, layered security or other compensating controls in place for high-risk online transactions involving sensitive data by the end of 2006.

Even so, Kevin Watson, CEO of Verid, a Ft. Lauderdale, Fla.-based security technology vendor, argues that the industry rush to greater authentication is "more consumer-driven than regulatory-driven." Watson points out that the existing directives of the Bank Secrecy Act and the Patriot Act already underscore the importance of making sure banks know their customers.

Recent research has reported that consumers are increasingly concerned about securing their online identities. In a survey of more than 8,000 U.S. consumers last May, RSA Security Inc. found that eight out of 10 consumers would be more satisfied with, and loyal to, their existing financial services provider if it offered them strong authentication.

Meanwhile, the same survey said that 45% of consumers are more or much more likely to switch online service providers if another company offers them stronger authentication security than their existing provider. The research also found that 67% said they are willing to change financial firms for the ability to use hardware authentication.

Banks and other businesses are investing in improved authentication. According to Boston's Yankee Group technology research firm, spending on authentication systems and tools by businesses in the U.S. will nearly double from $1.4 billion in 2003 to $2.4 billion in 2008, driven by growing fraud, as well as overarching security issues.

Balancing The Benefits

As financial institutions consider the available technologies, the evaluation process must necessarily consider not only the effectiveness of the system, but also its cost and customer usability. "Consumers want better security to prevent phishing, but they are still strongly emphasizing that they want it to be as easy as what they have now," says Maloney of Corillian. "A lot of solutions are considered just too complicated by consumers."

Maloney says that banks rightfully fear that if they install a system that requires too much of customers, those customers might stop using the online channel to access the bank - or worse, bolt for another bank with less restrictive requirements. It's a difficult balancing act, according to Gayle Wellborn, Bank of America's online products and servicing executive. "You can employ a very robust technology, but if customers rebel, it doesn't work," she says.

Nathan Z. Johns, chief of the technology supervision branch for the FDIC, agrees. Firms "need to consider the information at risk and what can be accessed, as well as the cost of various solutions" in determining which system will work for their customers, Johns says.

Consumers are most apt to prefer authentication techniques that are less intrusive or limiting, says Bruce Cundiff, research analyst with Javelin Research of Pleasanton, Calif. For example, a recent Javelin consumer survey found that among various forms of authentication, the consumers' most preferred form of verification (52%) was to answer pre-arranged challenge questions. One-third (33%) said they would opt for software that recognized their specific computer and 29% said they would use a biometric fingerprint scan.

Executives at Wachovia, for example, are exploring both hardware- and software-based solutions, although Ilieva Ageenko, director of emerging applications, says the company is leaning toward the latter. While Wachovia already offers hardware tokens as an authentication device for corporate customers, she questions the practicality and the cost of issuing tokens to a wider consumer base.

"If you have hardware tokens, customers have to carry that token everywhere they go," Ageenko says.

By the first quarter of 2006, the bank will begin testing a combination of risk-based scoring technologies and other customer-facing authentication systems, Ageenko says. The pilot will probably last about three months and include about 2,000 to 3,000 online banking customers in the test. Ageenko says there may be a second pilot of various technologies before the bank introduces new authentication technologies sometime next year.

"Every bank serves a different market," says Tubin of TowerGroup. "Cost, consumer acceptance and how effective the system is at identifying fraudulent log-ins all matter. Each institution needs to determine what level is good enough for them."

One important consideration, for example, is how the authentication technology fits with the financial firm's overall strategy and its customer base. And even then, say experts, the most successful approaches typically layer several different solutions rather than relying on any single one.

Bank of America, for example, has opted to offer an image-based system called SiteKey, which was designed by PassMark Security of Menlo Park, Calif. But Wellborn says the bank is still keeping its options open. "Security is an ongoing process," says Wellborn, adding that even hardware tokens may have a place with a "smaller, more targeted audience" within the bank.

E-Trade Financial Corp., the operator of a well-trafficked, prominent financial Web site, does use such tokens, developed by RSA Security. Each token generates a new one-time passcode every minute, so a code that is phished or keylogged expires almost as soon as it is captured, which limits the misuse possible with a static, unchanging password (a code relayed to the site within the same minute can still be used once, so the token raises the bar rather than closing the door). But Joe Raymond, director of product development and Web optimization for E-Trade, says the online broker is also looking into a variety of "customer protections" that may include software that looks for a customer's typical pattern of activity or recognizes the device from which a customer is logging in.
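To make the expiry argument concrete, here is an added Python example of a time-based one-time passcode and the server-side check that goes with it. It is not E-Trade's or RSA's code: RSA SecurID uses a proprietary algorithm, so the example uses the open HOTP/TOTP construction of RFC 4226 and RFC 6238 in its place, with the one-minute step the article describes. The seed (the RFC 4226 test secret), the one-step clock-drift allowance and the replay rule are assumptions made for the example.

```python
"""Time-based one-time passcodes (RFC 4226 HOTP / RFC 6238 TOTP) with a
server-side verifier. Added example; not any vendor's token algorithm."""
from __future__ import annotations

import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the article's tokens roll over every minute (assumed step)
DIGITS = 6
DRIFT_STEPS = 1     # tolerate one step of clock skew either way (assumption)

# RFC 4226 test secret; a real token seed is per-device and never published.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to 31 bits, reduced mod 10^digits and zero-padded."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """What the token displays at Unix time `at`: HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


class TokenVerifier:
    """Server side: accept a code for the current step (plus or minus drift), and
    never accept the same step twice, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift: int = DRIFT_STEPS):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_used_step = -1   # highest step already redeemed by this customer

    def verify(self, code: str, now: int | None = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_used_step:
                continue   # already consumed, or older than one we accepted: reject
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False


def replay_scenario(secret: bytes, now: int) -> list[bool]:
    """Drive one verifier through: genuine use, replay of the same code ten
    seconds later, the next minute's code, then a stale code from two minutes
    back. Returns the four verdicts in that order."""
    v = TokenVerifier(secret)
    first = v.verify(totp(secret, now), now)
    replay = v.verify(totp(secret, now), now + 10)
    next_minute = v.verify(totp(secret, now + 60), now + 60)
    stale = v.verify(totp(secret, now - 120), now + 60)
    return [first, replay, next_minute, stale]


if __name__ == "__main__":
    t = 1_130_000_000
    print("token shows", totp(RFC4226_SECRET, t))
    print("first, replay, next minute, stale ->", replay_scenario(RFC4226_SECRET, t))
```

Note what the check does and does not buy. A code harvested yesterday is useless; a code already redeemed is rejected even though it still falls inside the drift window; a code from two minutes ago fails because the verifier never steps backwards. But a code relayed to the site within the same minute, before the customer uses it, is accepted once. That residual window is the gap the device- and behaviour-based "customer protections" E-Trade mentions are meant to cover.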

Regardless what selection is made, institutions are being encouraged to go beyond the password. "The key thing is that consumers are looking for more security," says Christopher Young, vice president of consumer authentication services for Bedford, Mass.-based RSA Security. "They don't think the sky is falling, but they want more security."



 Ms. Hoffman is a freelance writer based in Poulsbo, Wash.
