by Dave Gradijan

Banks Cheating at Web Security

Aug 01, 2006

Blogger David Berlind of ZDNet posted a relevant entry to his blog recently concerning a report card by InfoWorld on whether banks will make the federal Web security deadline.

According to an original article by Jaikumar Vijayan on Computerworld, most banks appear to be unprepared to meet the Dec. 31 deadline for complying with the federal security guidelines. Many banks are complaining that the guidelines are not mandatory and they don’t specify what form of strong authentication methods should be implemented.

A recent Alarmed column by CSO’s Sarah Scalet also bemoans the fact that banks are falling short of these guidelines and that many are proudly marketing authentication that falls far short of any reliable form of online security.

Berlind’s fellow ZDNet blogger, George Ou, goes so far as to write that banks are cheating their way toward the guidelines, which list three main factors of security that need to be present:

• Something the user knows (e.g., password, PIN).

• Something the user has (e.g., ATM card, smart card).

• Something the user is (e.g., biometric characteristic, such as a fingerprint).

Of course, multifactor authentication requires at least two of the above categories. However, Computerworld points out that many banks are trying to get around the guidelines by stacking one or two additional items onto the most common form of online banking authentication (something the user knows: user ID and password) and counting each of those piled-on items as a separate factor.

Ou also points out that no security expert would ever count multiple instances of “something the user knows” as multifactor authentication.
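To make Ou's point concrete, here is an added example (not from the post, and not any bank's code) that classifies constructed credential names into the three factor categories and reports whether a login policy is actually multifactor or merely a pile of knowledge factors.

```python
# Added example (not from the CSO post): classify an authentication policy's
# credentials into the three factor categories and decide whether the policy
# is genuinely multifactor. Credential names below are constructed.
from typing import Iterable

# Each credential type maps to the single category it belongs to.
# Note that security questions and picture passphrases are still
# "something the user knows", however many of them a bank stacks up.
FACTOR_OF = {
    "user_id": "knows",
    "password": "knows",
    "pin": "knows",
    "security_question": "knows",
    "picture_passphrase": "knows",
    "atm_card": "has",
    "smart_card": "has",
    "otp_token": "has",
    "fingerprint": "is",
    "voiceprint": "is",
}


def factor_categories(credentials: Iterable[str]) -> set:
    """Return the distinct factor categories covered by the credentials."""
    creds = list(credentials)
    unknown = [c for c in creds if c not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unclassified credential(s): {unknown}")
    return {FACTOR_OF[c] for c in creds}


def is_multifactor(credentials: Iterable[str]) -> bool:
    """True only when at least two distinct categories are present."""
    return len(factor_categories(credentials)) >= 2


def assess(credentials: list) -> dict:
    """Summarise a policy: items claimed versus distinct factors present."""
    cats = factor_categories(credentials)
    return {
        "claimed_items": len(credentials),
        "distinct_factors": sorted(cats),
        "multifactor": len(cats) >= 2,
        "knowledge_only": cats == {"knows"},
    }


if __name__ == "__main__":
    # Constructed policies: a "piled-on" knowledge-only login vs. real MFA.
    stacked = ["user_id", "password", "security_question", "picture_passphrase"]
    real = ["user_id", "password", "otp_token"]
    print(assess(stacked))  # 4 items, distinct_factors ['knows'], multifactor False
    print(assess(real))     # 3 items, distinct_factors ['has', 'knows'], multifactor True
```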

These articles and blog posts deserve attention from legislative, policy and consumer perspectives, and it would make sense for any security executive to read them closely.

By Paul Kerstein

Keep checking in at our Security Feed for updated news coverage.