By BRIAN BERGSTEIN, AP Technology Writer
Federal regulators will require banks to strengthen security for
Internet customers through authentication that goes beyond mere user
names and passwords, which have become too easy for criminals to
Bank Web sites are expected to adopt some form of "two-factor"
authentication by the end of 2006, regulators with the Federal
Financial Institutions Examination Council said in a letter to banks
In two-factor authentication, customers must confirm their identities
not only through something they know, like a PIN or password, but also
with something they physically have, like a hardware token with
numeric access codes that change every minute.
Other types of two-factor authentication include costlier hardware
involving biometrics or "smart" cards that would be inserted into
designated readers on a user's computer.
Banks might also issue one-time passwords on scratch-off cards or
require "secret questions" about a customer's account, such as the
amount of the last deposit or mortgage payment.
The council also suggested that banks explore technology that can
estimate a Web user's physical location and compare it to the address
The most common way of stealing consumers' personal identity data and
financial account credentials online, known as phishing, typically
involves sending e-mails that direct unwitting users to phony Web
sites. Data harvested at such sites is then used fraudulently.
The Anti-Phishing Working group, an industry association, reported
13,776 unique types of phishing attacks in August.
While some financial institutions have given their customers
electronic password tokens, those have tended to be optional. Other
banks have instituted password entry through mouse clicks instead of
typing, a protection against keystroke-snooping programs.
But in general, the industry can do more to stop account fraud and
identity theft, according to the financial institutions council --
which includes the Federal Reserve; the Federal Deposit Insurance
Corp.; the U.S. Comptroller; the Office of Thrift Supervision and the
National Credit Union Administration.
"The agencies consider single-factor authentication, as the only
control mechanism, to be inadequate for high-risk transactions
involving access to customer information or the movement of
information to other parties," the council wrote. "Account fraud and
identity theft are frequently the result of single-factor
... authentication exploitation."
FDIC spokesman David Barr said the rules will serve as standards that
will be checked when banks' practices are audited.
Although the requirements apply just to financial services companies,
the policy could stimulate wider use of two-factor authentication by
other merchants that are willing to "federate" their Web sites with
banks, said Michael Aisenberg, director of government relations for
Internet services provider VeriSign Inc.
VeriSign is a member of the Liberty Alliance, a group that is working
to develop standards for federated authentication.
In a federated system, a two-factor login at one site would be
recognized by another, so a travel agency associated with your bank
would automatically grant you access if you came straight from the
financial institution's Web site.
At the very least, Aisenberg said, "The securities industry is going
to have to go along and other regulated sectors will no doubt follow
along as well."
On the Net:
June report on bank authentication practices:
Copyright 2005 The Associated Press.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new