Securing Your Online ID: Beyond Username and Password
Feb 28, 2007 4:00 AM PT
There's no doubt that online banking is widely popular in this country -- just ask the millions of customers who've signed on for the convenience it provides. As fraudsters create new scams to bilk financial services customers or to simply hijack their accounts, however, banking customer trust is on the decline.
That customer trust is a powerful thing. Without trust, financial institutions could experience diminishing use of the online channel, which would have a significant impact on the bottom line for many financial institutions.
Consumers are tired of fraudsters wreaking havoc on their personal financial accounts and trying to compromise their identity. The impact is anything but small -- more than 9 million Americans were victims of identity theft in 2005.
Securing online accounts from malicious activity is important to consumers who -- and this may surprise some banks -- are willing to take considerable steps to protect their assets.
This notion of enabling the consumer to actively participate in an authentication solution is contrary to how most financial institutions are addressing the issue. Most financial institutions are relying on less successful authentication methods. Those methods include the following:
- Token-based, one-time password -- Customers are issued one-time passwords through a separate purpose-built device. The trouble is they often lose the device or forget to carry it, making it difficult -- and frustrating -- to complete a transaction. Security tokens also are expensive for institutions and may lead to higher customer support costs.
- Image and text confirmation -- Sometimes referred to as reverse-authentication, financial institutions ask customers to choose an image and/or phrase that can be displayed when they access their account. This method does little to verify the user's identity; instead, it is intended to confirm that the site they're visiting is authentic. It's highly debatable, though, whether customers will actually pay attention to these safeguards in a way that will make them meaningful.
- Transaction anomaly detection systems -- These systems help identify transactions suspected of fraud or changes in customers' usage patterns, but they are back-end focused and require little interaction with the user. While they may be effective in spotting some types of fraud, they do little to reassure the end user.
Multifactor authentication methods, such as image and text confirmation, are more difficult to compromise than single-factor methods such as passwords.
As we saw last summer in the case of Citibank, even a two-factor authentication process can still be foiled. The New York-based financial giant was targeted by about three dozen phishing Web sites that tricked users into entering a second authenticator, which then let the phisher sign on as the victim. The bank claimed that no customers were affected by the scam, but it clearly showed some security flaws in Citibank's system.
Javelin Strategy & Research, an independent research and strategy consulting firm, asked 1,000 consumers how safe they would feel with a given authentication solution -- either device recognition, image display/recognition, or a one-time password generating token -- and how likely they would be to adopt a solution should it be offered by their bank.
Half of customers surveyed said they preferred device recognition -- recognizing the device used to access the account online.
Device recognition addresses all of the customer and bank concern areas when it comes to preventing identity fraud: convenience, reality and perception. Because it's easy to use, it requires minimal need for change in consumer behavior.
Device recognition alone, however, is not enough. By allowing banking customers to register a device, such as their home PC, and lock it to their online financial accounts, the bank gains two-factor, two-way authentication. Even if a user is phished, the stolen login ID/password is rendered useless unless the fraudster also has access to the victim's PC.
Users then become "deputized security officers" and are in control of which device will have access to their accounts. They're also alerted by e-mails, text messages or phone calls when illegal access occurs.
Javelin analysts report that limiting online account access to certain devices, such as PCs -- with additional authentication measures necessary for login via unrecognized devices -- is a superior security and authentication solution.
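The device-binding flow described above, as an added example that is not Iovation's or any bank's code: a password check, a registered-device table holding only token hashes, a step-up result plus an out-of-band alert when a correct password arrives from an unregistered device. The token format, hashing parameters and sample account are all constructed for the demo.

```python
"""Device recognition as a second factor: a minimal, constructed model."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    device_hashes: set = field(default_factory=set)  # hashes of registered device tokens
    alerts: list = field(default_factory=list)       # out-of-band notices sent to the customer


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_hash(token: str) -> str:
    # Only the hash is stored server-side, so a leaked device table cannot be replayed as tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def create_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _pw_hash(password, salt))


def register_device(acct: Account) -> str:
    """Bind a new device to the account; the returned token is kept on that device only."""
    token = secrets.token_urlsafe(32)
    acct.device_hashes.add(_token_hash(token))
    return token


def login(acct: Account, password: str, device_token: Optional[str], source: str) -> str:
    """Return 'denied', 'ok', or 'step_up' (correct password but unrecognised device)."""
    if not hmac.compare_digest(_pw_hash(password, acct.salt), acct.pw_hash):
        return "denied"
    if device_token is not None and _token_hash(device_token) in acct.device_hashes:
        return "ok"
    # Correct credentials from an unknown device: the phished-password case in the article.
    acct.alerts.append(f"correct password from unregistered device ({source})")
    return "step_up"


def demo() -> tuple:
    acct = create_account("correct horse")           # constructed sample password
    home_pc = register_device(acct)                  # customer registers the home PC
    ok = login(acct, "correct horse", home_pc, "home PC")
    phished = login(acct, "correct horse", None, "unknown machine")  # stolen password only
    return ok, phished, len(acct.alerts)
```

A step-up code typed into a phishing page can still be relayed, which is the Citibank failure described earlier, so completing step-up should not silently register the new device.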
Financial institutions benefit from a solution that customers can easily adopt, which leads to increased use of the online channel and a better return on investment.
Taking It a Step Further
If customer security weren't enough of a driver to embrace more advanced authentication solutions, financial institutions have another reason: The Federal Financial Institutions Examination Council (FFIEC) has begun enforcing a risk analysis and audit of banking organizations to determine the need for "stronger" authentication for online account access. The enforcement began last year, and financial institutions are still trying to evaluate what it all means.
Our analysis is that these institutions should meet and exceed the FFIEC expectations by deploying a multifactor, online authentication solution. Moreover, they should employ a system that allows them to share information about devices and accounts that have a record of negative behavior. We think of this as "reputation."
We've made it our business to throw roadblocks in the faces of fraudsters by amassing millions of PC reputations and helping financial institutions share this information to stall the growth of online fraud.
By sharing reputation, all parties realize the benefit of a solution that far exceeds the sum of individual technologies. This is finally a formula for combating fraud on a global basis, not just within isolated networks.
Greg Pierson is CEO and cofounder of Iovation, a fraud management and authentication company in Portland, Ore.