Agency Report Pans Passwords

U.S. banks that haven't already done so should put plans for shoring up e-banking security into high gear, according to new guidance from the Federal Financial Institutions Examination Council.

U.S. banks that haven't already done so should put plans for shoring up e-banking security into high gear, according to new guidance from the Federal Financial Institutions Examination Council, an interagency body that oversees the financial services industry.

The FFIEC issued a report on Oct. 12 that declared single-factor authentication such as a password inadequate to secure transactions that involve customer information or the transfer of funds to or from an account. The report encourages banks to adopt "enhanced authentication methods" that can identify customers online by the end of next year.

The report, titled "Authentication in an Internet Banking Environment," is just the latest effort by the U.S. government to address threats to the security of online banking. It grew out of the findings of earlier research on account hijacking released last year by the Federal Deposit Insurance Corp., an FFIEC member group, said Michael Jackson, associate director of the Division of Supervision and Consumer Protection at the FDIC, in Washington.

"Instead of being reactive, we wanted to be proactive before [identity theft] becomes a significant problem for industry," Jackson said.

According to the FFIEC, single-factor authentication such as a user name and password combination should not be used as the only control mechanism for Internet-based banking services. Instead, banks should find "effective methods to authenticate the identity of customers" depending on the risk associated with particular online products and services.

For example, access to features for transferring money between banks or accounts should be highly secure, with multifactor or layered security that might couple a user name and password with a smart card, one-time password or USB plug-in, the FFIEC said in its guidance.

"We're telling the industry to step up a notch and put stronger controls in place, especially around high-risk transactions," Jackson said.

The new federal guidance could be a rude awakening for a lot of banks. The FDIC is aware of about 15 banks nationally that use multifactor authentication to secure online sessions, an FDIC official said. That puts the United States well behind the European Union, where more banks use multifactor technology such as smart cards, random-number generators and other secure tokens to make it harder to hijack accounts, the official said.


Some banks already use multifactor technology to protect high-value accounts and VIP customers. But the guidance could force banks to extend protection to rank-and-file customers, said Grant Bourzikas, director of information security at online brokerage Scottrade Inc., of St. Louis.

Scottrade, which is not governed by the FFIEC, is switching from password-only protection for its customers to technology by Passmark Security Inc. that combines passwords with images and challenge-and-response questions to authenticate users.

The FDIC will be looking for U.S. banks (in areas not affected by hurricanes Katrina or Rita) to have made progress in conducting risk assessments and fixing security issues that are raised by those assessments by the end of next year, Jackson said.
