Strong authentication a hard sell for banks

The announcement last week that U.S. Bancorp, the eighth largest U.S. bank, signed a deal with VeriSign Inc. to secure customer access to online commercial banking services could signal a significant trend toward greater security for retail banking and brokerage customers, as companies in those industries fight a big increase in online scams.

But the introduction of a "multifactor" authentication option for thousands of companies that use U.S. Bancorp online services is still the exception among U.S. financial institutions, which lag far behind their counterparts in Europe and Asia in the use of strong authentication to secure those services, and industry officials are skeptical that such technology will ever take hold here.

U.S. Bancorp will use VeriSign's Unified Authentication service to validate and secure interactions with commercial banking customers, making a secure USB (Universal Serial Bus) token available to more than 10,000 commercial banking customers, said Judy Lin, executive vice president for VeriSign's security services.

The U.S. Bancorp move comes amid a growing storm of online scams, including "phishing attacks," which use spam and deceptive Web sites imitating bank and e-commerce sites to harvest personal and financial information from unsuspecting Internet users.

The Anti-Phishing Working Group, an industry group of law enforcement agencies, ISPs (Internet service providers) and technology companies, reported that such attacks increased an average of 50 percent monthly from January to July.

A May report from Gartner Inc. found that as many as 30 million adults may have experienced a phishing attack and 1.78 million adults could have fallen victim to the scams.

Phishing attacks represent a dangerous new front in the ages-old war between banks and criminals, who have traditionally relied on low-tech crimes such as dumpster diving and purse snatching to steal bank account and credit card numbers, according to Robin Slade, a senior director at the Banking Industry Technology Secretariat (BITS), part of The Financial Services Roundtable, an industry group of leading banks and banking associations.

Criminals have simply followed their marks to the online realm, said Bruce Candiff, an analyst at Jupiter Research Inc.

"Banks value their online channels as a source of cost savings. A consumer who goes for help to a Web site costs less than if they called a customer service representative, and (online banking services) are more efficient from a consumer perspective, as well," he said.

Currently, about 35 million U.S. households bank online. Jupiter estimates that number will grow to around 56 million households by 2008, 54 percent of the country's banking households, Candiff said. At the same time, fraudsters are finding new and better ways to exploit online services, he said.

Fraud against direct deposit accounts, in which criminals obtain a victim's bank account number and then move money from it to another account or online payment service, is a fast-growing problem that may be tied to phishing scams, said Avivah Litan, a Gartner analyst.

One reason for the increase in such crimes may be inadequate security that governs access to online banking and e-commerce services, experts agree.

Despite the surge in online scams, most banks still rely on user names, passwords and 128-bit SSL (Secure Sockets Layer) encryption on traffic sent to and from a customer's computer, said Jon Gossels, president of SystemExperts Corp. of Sudbury, Massachusetts, a consulting firm that counts leading financial services firms as customers.

"Banks are trying to balance ease of use with complexity and strength in their authentication technologies," said Richard Mackey, a principal at SystemExperts. "Most companies try to allow PIN (personal identification number) codes to be relatively short, so customers can remember them easily. Others are allowing longer passwords and PINs."

Some companies are moving more in the direction of convenience than security, streamlining systems so that customers can use the same PIN for automated teller machines and online services, he said.

"I think some (banks) feel that the user convenience threshold is lower -- basically that users will walk away if you make things too difficult," Mackey said.

A lack of commitment to strong user authentication within the U.S. banking and financial services industry is contributing to online crimes, said Howard Schmidt, former chief information security officer at eBay Inc., who was recently named chairman of the government's U.S. Computer Emergency Readiness Team (US-CERT).

"One of the fundamental reasons that hacks, DOS (denial of service) attacks, phishing and identity theft occur is because we don't have a good online system for identity management," he said.

But the idea of using digital certificates for consumer banking customers still gets a cool reception from many.

"The topic of authentication is critical, but we don
