In the face of the growing threat of identity theft and data theft, vendors, industry groups and government agencies are scrambling to beef up security for online banks and merchants.
In the latest developments, the Liberty Alliance Project introduced plans on Tuesday to develop improved authentication technology. The same day, vendor Entrust introduced an upgraded version of IdentityGuard online authentication software. The Federal Deposit Insurance Corp. is arguing both sides of the issue, downplaying the dangers of online data theft while also arguing the threat must be taken seriously. And federal regulators called on financial institutions to implement better ways of authenticating customers.
The Liberty Alliance formed the Strong Authentication Expert Group to create an Identity Strong Authentication Framework. "Strong" authentication requires at least two forms of identity authentication for accessing a network or online application. The framework's purpose is to offer open specifications that let authentication technologies -- including hardware and software tokens, smart cards, SMS-based systems, and biometrics -- interoperate universally across different organizations and networks.
The alliance is a global consortium of companies, non-profits, and government organizations, formed in September 2001 to create a "federated" identity model in which the user logs in once at the beginning of an online transaction and doesn't have to re-authenticate for subsequent transactions.
The Federal Financial Institutions Examination Council, or FFIEC, on Oct. 12 issued new guidance for banks regarding online authentication, calling on financial institutions to implement better ways to authenticate the identity of customers using online products and services. "By the end of 2006, financial institutions have to demonstrate that they're using more than passwords to defend against fraud and protect against identity theft," says Jonathan Penn, a principal analyst with Forrester Research.
The FFIEC's work becomes even more pressing as online fraudsters have set their sights directly on banking customers through e-mailed phishing and pharming scams that send users to bogus banking Web sites in an attempt to get them to divulge personal information. FFIEC's October guidance updates the organization's 2001 guidelines to better protect customers from online fraud through improved authentication technologies that create mutual authentication between financial institution and customer.
Entrust Inc., a provider of digital identity security technology, on Tuesday introduced the latest version of its IdentityGuard software, which features mutual authentication capabilities. IdentityGuard 8, which begins shipping in December, includes several new features to combat phishing and pharming. One allows bank customers to create a customized login page that they can access each time they begin an online banking session. If the customer is directed to a login page without this customized information, such as a favorite phrase or a digital photo of a pet, the customer is tipped off that the page might not be legitimate. Another feature, for large, high-risk transactions, sets up a multi-step login process. Once the login is initiated, the bank customer receives a phone call or e-mail from the bank with additional login codes to complete the transaction.
Despite the attention surrounding online fraud and identity theft, and the growing danger, the financial services industry and the government are quick to point out that a person is more likely to be a victim of more conventional data theft than online theft. In fact, the Federal Deposit Insurance Corp., or FDIC, is taking both sides of the argument, downplaying the threat of online theft while at the same time supporting the FFIEC's new guidelines. "We don't see identity theft online as a major concern," Michael Jackson, associate director of the FDIC's technology supervision branch, part of the agency's division of supervision and consumer protection, said Tuesday at Entrust's IdentityGuard 8 launch event. Still, the FDIC, a member of the FFIEC, is pushing for financial institutions to implement multifactor authentication and layered security surrounding online transactions. The new FFIEC guidelines "tell institutions to step it up a notch in terms of online security," Jackson said.
The dangers of fraud and identity theft related to online banking have been exaggerated, Jim Salters, director of technology initiatives and project development with the Financial Services Technology Consortium, agreed Tuesday at the Entrust event. He added, "The larger issue is their impact on consumer confidence." The FSTC is a group of financial institutions, technology vendors, research organizations, and government agencies formed in 1993 to analyze and develop technology for the financial services industry.
Yet the FSTC in August launched a project among its members to identify and define guidelines and standards for the implementation of mutual authentication. Salters acknowledged, "If we do nothing about online fraud and identity theft, it will become a big problem."
Banks have been reluctant to increase online security for their customers due to their concern that complicating the process will keep users away. "People only bank online because it's convenient; security solutions can't interfere with that," Forrester's Penn says.
The bottom line is that banks need to implement the right level of security given the level of risk posed by different types of online transactions. The process of creating an online account, where users are inputting a lot of sensitive information, is a high-risk transaction that deserves the highest level of protection. Online bill payment, however, has a lower risk, assuming the account has already been safely set up, because the user is dealing with trusted entities.