Bank of America will adopt a software and services solution from VeriSign (Mountain View, Calif.), in order to provide its employees and corporate customers with stronger online security. Selected online users will be issued "token devices," which are electronic gadgets that generate one-time passwords.
The technology isn't the hard part, observes Rhonda MacLean, senior vice president and corporate information security executive at Bank of America (Charlotte, N.C., $1.11 trillion in assets).
Instead, the focus for the bank has to be on the processes, procedures and controls that surround the technology implementation and deployment of one-time password devices: issuance, lost devices, revocation and reissuance. On top of that comes the training requirement, both for internal personnel and for customer-facing employees. "It takes all those components in looking at it holistically," says MacLean.
In selecting VeriSign, an important factor was the vendor's adherence to open standards. "The use of open standards for this area is absolutely critical," says MacLean. "It makes good business sense."
The bank supports open standards in part because it wants to prepare for a time in the near future where customers carry devices other than those issued by the bank. "We want to be able to take advantage of new technologies as they come online," notes MacLean.
Left To One's Own Devices
Innovation is widely expected in the variety of devices that can be used to generate one-time passwords, according to Mark Griffiths, vice president of authentication products at VeriSign. "For instance, Australian banks are looking at using SMS messages to their cell phones for getting one-time passwords to their customers," he says.
A related hurdle is ensuring that customers will not have to carry as many token devices as they have passwords. "From the financial industry's perspective, at some point, we're going to want to have interoperability between these two-factor authentications," says BofA's MacLean.
The industry is far from being ready to interchange token authentications, observes MacLean. "But let's think about where the ATM networks are today - we didn't get to where we are today in one step."
VeriSign's Griffiths agrees. "It's going to take time for us to converge on a single authentication device," he says. "You need to have a trusted party on the back end."
The card associations could play a role in that process, Griffiths observes. "They understand people, and they've got business rules already in place."
The VeriSign deal was announced in mid-February and the internal implementation is now underway. Soon, Bank of America will deploy to its commercial customers having the greatest need for extra security.
After that, will the bank deploy tokens to every man, woman and child in the country? "Not immediately, no," quips MacLean.
In a similar announcement, E-Trade (New York, $26 billion in assets) announced in March that it would issue token devices from RSA Security (Bedford, Mass.) to customers with over $50,000 in combined account assets. The device will be available to its customers in the second quarter of 2005. "The Digital Security ID token aims to provide customers with a more complete security and online protection system," said Lou Klobuchar, President of E*TRADE Financial Services, in a statement. "In addition to the best-in-class security standards we maintain on E*TRADE's own host servers and systems, we are now making available to retail customers an additional and voluntary layer of password security they can deploy on their own computers to address any password access or control concerns that they may have."
Tokens permit a level of security known as "two-factor authentication." The first factor (the static password) is "something you know," and the second factor (the token device) is "something you have." The combination can help to mitigate the vulnerability of bank accounts to stolen passwords. Indeed, Bank of America was recently sued by a commercial customer in Miami whose login information was allegedly stolen through a computer virus that installed a "keystroke logger" on the user's system. The static password was captured and used to drain the customer's bank account. This type of attack would be largely prevented by the use of two-factor authentication.
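As an added illustration of why a captured one-time password is worthless to an attacker (this is example code, not VeriSign's product or the bank's deployment, whose internals the article does not describe), the following implements the HMAC-based one-time password of RFC 4226 and a server-side check that accepts each counter value only once. The shared secret is the RFC's published test key, a constructed demo value; the verifier, its look-ahead window and the class names are assumptions of this example.

```python
import hmac
import hashlib
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"): a constructed demo
# value, not a key from any real token or deployment.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to a `digits`-long decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server-side state for one issued token (hypothetical helper): the shared
    secret and the last counter accepted. Codes at or below that counter are
    rejected, so a keylogged code cannot be replayed after its first use."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead   # tolerate a few unused button presses
        self.last_counter = -1         # nothing accepted yet

    def verify(self, submitted: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c  # resynchronise and burn this code
                return True
        return False


def replay_demo() -> tuple:
    """Legitimate use of the first code succeeds; the same code replayed (as a
    keylogger would) fails; the next code from the token still works."""
    v = TokenVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    return (v.verify(first), v.verify(first), v.verify(hotp(DEMO_SECRET, 1)))


if __name__ == "__main__":
    print(hotp(DEMO_SECRET, 0), replay_demo())  # 755224 (True, False, True)
```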