
Two-Factor Too Scarce at Consumer Banks

A search for strong authentication in online banking comes up short

By

July 11, 2006, CSO

Every time I turn around, there's a bank trying to sell me on online banking. They pitch online bill paying as a convenience, which I guess it would be, but let's face it, the real convenience is to the banks, because of the money they could save on processing fees and tellers. Thing is, some of us simply don't want it to be that easy to transfer funds out of our checking and savings accounts. We want it to be harder.

That's why for years I've been saying that I won't sign up for online banking until a bank offers me strong authentication. Keep your $50 new-customer incentive or the low-end iPod, I say. Instead, I want an RSA token that generates a security code that I punch into a website, in addition to my user name and password. Or a keyfob that I stick into the USB slot of my desktop computer whenever I move funds. Heck, I'd even proffer a fingerprint if the bank would send me the biometrics reader.

And I know I'm not alone. Larry Freed, president of the research group ForeSee Results, says that security concerns are slowing the growth of online banking. "People that are not using online banking are very concerned with security," says Freed, a former banking CTO.

In October 2005, it looked like my wish might finally come true. The U.S. Federal Financial Institutions Examination Council, or FFIEC, issued a requirement that banks strengthen the way they authenticate online transactions. (See "Second Thoughts on Second Factors" for my colleague Scott Berinato's rich analysis of what the FFIEC called its "guidance.") The FFIEC move was widely interpreted as a mandate that would push more banks to two-factor authentication. Hip, hip, hurrah!

Now, just six months until the FFIEC's end-of-year deadline, seemed like a good moment to take stock of the current consumer offerings for online banking. I spent several hours looking at what Fortune 100 banks tell prospective online banking customers about security, liability and authentication. This wasn't a scientific study, mind you. I didn't set out to get an insider view of which banks are the most secure or have the best anti-fraud defenses, nor do I have any way of gauging how well banks actually keep the promises they make. I simply looked at what the websites and marketing materials say about each bank's online practices. Unfortunately, it appears that we still have a long way to go before most online banking sites are hard enough for me to use.

Citibank
