Banks Batten Down

Financial institutions have put convenience before security in their online interactions with customers. Identity theft is changing that.
Phishing begat pharming. The rogue employee stealing data evolved into conspiracy rings of people getting jobs solely to lay their hands on customer data. The crooks keep coming up with more devious and efficient ways to steal customer data and turn those ill-gotten identities into cash.

Banks sit at the forefront of trying to break that chain. Yet even as they scramble to head off threats, they haven't changed much about the way they interact with customers online. Few ask for more than an identifying number--often a Social Security or account number--and a simple password. Customer convenience has loomed larger than fear of cybercrooks.

But fear might be starting to win out. Last week, the largest U.S. online banker, Bank of America Corp., moved toward a stronger authentication process for its 13.2 million online customers, which it will offer free and make mandatory by year's end.

Other banks are likely to follow, as customers start looking at security before choosing an online bank, and banks realize they have to do more than just reassure customers that E-commerce is safe. "They need to do something because lost customer data is having an effect on consumer confidence related to online transactions," says Tony Caputo, CEO at SafeNet, an IT-security advisory firm.

Bank of America's new SiteKey service is designed to thwart scams in which customers think they're entering data on the bank's Web site when they're actually on a thief's site built to steal it. That can happen through so-called pharming, in which malware on the PC (or a poisoned DNS server) rewrites the name lookup for the bank's domain, so that someone typing the bank's URL into a browser lands on a look-alike site instead.

Bank of America describes SiteKey as two-factor authentication. When enrolling in SiteKey, a customer picks an image from a library and writes a brief phrase. Each time that person signs on, the bank first checks whether it recognizes the computer; if it does, it displays the image and phrase, which tells the customer the site really is the bank's before any password is typed. He or she then enters a password and proceeds. When signing on from a different computer than usual, the customer must first answer one of three prearranged questions before the image and phrase appear. The image and phrase authenticate the site to the customer; the recognized computer (or the answered question) together with the password make up what the bank counts as two factors.

"The business model of phishing is it's a numbers game," says Sanjay Gupta, an E-commerce executive at Bank of America. SiteKey removes some of the economies of scale from phishing attacks, in which thieves send out millions of spam E-mails in hopes of harvesting IDs and passwords. With SiteKey, "they would need to have your image as well as your ID and password," Gupta says.

Banks haven't much liked talking about identity-theft prevention, fearing it will scare people away from E-commerce. But it has become unavoidable with nonstop disclosures of personal data loss from companies of every stripe, not just banks. Last week brought the jolt that former employees of Bank of America, Commerce Bancorp, PNC Financial Services Group, and Wachovia were charged in connection with a scheme to obtain customer data and sell it to law firms and debt-collection agencies. New Jersey police seized 13 computers from the alleged mastermind with 670,000 account numbers and balances. There's no indication the data was used for identity theft, but it highlights how increasingly difficult it is to protect against such schemes as the market value of personal data grows.

Other banks also are preparing tools to improve customer-data security.

Wells Fargo & Co., with 6.5 million online customers, plans to pilot toward the end of the year "out-of-wallet" questions--information that wouldn't be on a driver's license or ATM card--as a second factor for password enrollment and maintenance. It's also considering offering security hardware such as key fobs to select consumer customers. In the fall, it will launch a two-factor authentication pilot in which small businesses making electronic funds transfers will need some kind of hardware token. Wells Fargo plans to evaluate how that's received before rolling it out broadly to consumers, a spokeswoman says.

Citibank in April added to E-mail it sends to customers a "security zone," which has the customer's name and the last four digits of his or her bank-card number. With this system, phishers have to know more than a person's name to pose as the bank.

E-Trade Financial Corp. in March started giving customers with $50,000 or more in their accounts a free SecurID token from RSA Security Inc., a device that displays a new six-digit code every 60 seconds, which must be entered to log on. Customers with smaller accounts can get it for $25. GE Money Bank of Germany last week said it's using a device called a Digipass from Vasco Data Security International Inc. for similar one-time-password protection.
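How a code-every-60-seconds token and its server-side check fit together, as an added example that is not RSA's, Vasco's or any bank's code. RSA's and Vasco's token algorithms are proprietary; this example uses the public HMAC-based one-time-password construction (RFC 4226 HOTP with a clock-derived counter, as in RFC 6238) with the article's 60-second step and six digits, and the seed value below is the RFC's published test secret, not a real token seed. The verifier shows two things the paragraph does not: tolerating one step of clock drift either way, and refusing to accept the same code twice.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the tokens in the article show a new code every 60 seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = STEP_SECONDS) -> str:
    """What the token displays: HOTP with the counter derived from the clock."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret, t // step)


class TokenVerifier:
    """Server side for one token: accept the current code or one step either
    side to absorb clock drift, and never accept a counter value twice."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_counter = -1   # highest counter already consumed

    def verify(self, code: str, at_time=None) -> bool:
        t = int(time.time() if at_time is None else at_time)
        now = t // STEP_SECONDS
        low = max(0, now - self.drift_steps)
        for counter in range(low, now + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue                      # replay of an already-used step
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False
```

The replay check matters because a phisher who captures a code can still use it inside the 60-second window unless the server burns each counter value after one successful login; the drift window is the usual trade-off against tokens whose clocks wander.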

One midsize investment bank is revisiting issuing smart cards to employees to create a two-factor authentication process--a traditional password, plus a rotating token password programmed into the smart card. The bank dropped the idea a couple of years ago because of the expense, but security concerns have gotten too serious to keep things status quo, says the chief security officer, who asked not to be named. For now, the bank relies on a complex password setup that requires nine-character passwords with a mix of capital and lowercase letters and at least one number or special character, and the passwords have to be changed every 45 days.

Even getting those complex passwords accepted into the company's culture was a challenge, especially on the trading floor, where basic passwords written on Post-its were the norm. "I don't think it will be this year that we get to two-factor authentication, but it's on the to-do list--especially for mobile users, who lose equipment all the time," the security chief says.

The enhancements are being made as identity theft rises in the public's consciousness. A survey that payments software vendor First Data Corp. released this month found that 37% of consumers have received a phishing E-mail, and 19% say they've received a phishing phone call. "Fraud and threats are leading to consumers losing confidence in Internet commerce," says Curt Beeson, chief technology officer of First Data's Secure Signing Platform product group.

The industry has the impetus to fight ID theft and renew customer confidence before the feds step in, Beeson says. "We're not teetering on the edge, but customers are telling the banks they don't feel protected," he says. All major banks will have a two-factor authentication strategy within a year, he predicts.

The Financial Services Technology Consortium, an influential banking-industry group, has begun a four-month project--backed by $20,000 from each participating bank--investigating the use of one-time passwords and other standards for mutual authentication. It's also doing a detailed review of data-sharing practices with information aggregators. "Banks need to take steps to control the flow of customer data to outside parties," says Zach Tumin, the group's executive director.

In another move, Wells Fargo last month began using two-factor authentication for online money transfers taking place between customer accounts. And in the United Kingdom, Barclays Bank, HBOS, NatWest, and Royal Bank of Scotland have instituted delays of between several hours and one day on online transfers between two accounts within the same bank. The delays, which apply the first time a transfer is attempted, are intended to give the banks time to detect suspicious activity, such as a large number of transfers from multiple accounts into a single account.

Barclays instituted the procedure earlier this month as an interim measure and is working on other tactics to combat fraud, a spokesman says. The money-transfer delay was adopted in response to a wave of phishing incidents in which thieves transferred funds from victims' bank accounts into accounts owned by "mules"--people duped through E-mail solicitations into opening accounts, usually under the guise of a business proposal. From the mule accounts, the thieves withdraw cash, open credit cards, or otherwise loot the account.

U.S. banks aren't likely to institute money-transfer delays. "The idea of a 24-hour delay would break my rule of convenience and value," says Rodney Chard, executive VP at Whitney National Bank and chairman of a working group on account-to-account transfers run by BITS, a banking technology group. Among the security mechanisms the BITS working group is considering are universal payment-identification codes, pseudo account numbers that banks assign to mask the actual account number.

Whitney National Bank has been willing to sacrifice some convenience for security. It lets customers open accounts online but requires them to go to a branch to complete the process. "If you open accounts with people you can't see, you're asking for trouble," Chard says.

Beyond technology, it's tougher business processes, practices, and rules that need attention, says Nick Akerman, a partner specializing in data protection for law firm Dorsey & Whitney LLP. Akerman points to the ChoicePoint Inc. theft earlier this year, in which identity thieves posing as fictitious businesses were granted access to 145,000 customer-data profiles. "They're trying to make the data more secure and make it more difficult for people to get in, but I think that's a myopic view of the situation," he says. Akerman believes more companies should focus on being able to create audit trails for how customer data has been accessed. "If you can figure out who did it, you've got a chance at figuring out how to retrieve it," he says.

Gartner analyst Avivah Litan says most banks also are working on what she describes as background authentication and fraud-detection services. Banks would monitor customers' actions and compare them with historical profile data so they could follow up on unusual behavior, similar to what credit-card companies do. If a customer who always logs on from New York to do isolated transactions a couple of times a month suddenly logs on from California and does 20 transactions in an hour, the service would alert the bank to contact the customer. "Everyone's trying to build that now, because everyone sees it as the Holy Grail in protecting against fraud," Litan says.
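Two of the detection ideas in this article, as one added example in Python that is not any bank's or Gartner's code: the pattern the UK banks' transfer delay is meant to give them time to spot (many source accounts funnelling into a single destination within a short window, the mule-account signature), and the background profiling Litan describes (a customer who always logs on from New York with a couple of transactions suddenly logging on from California and doing twenty). The transfer records, login history, account ids, thresholds and region codes are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real bank records).
TRANSFERS = [  # (timestamp, source account, destination account, amount)
    (datetime(2005, 6, 1, 9, 5),   "acct-1001", "acct-9001", 1200.0),
    (datetime(2005, 6, 1, 9, 40),  "acct-1002", "acct-9001", 950.0),
    (datetime(2005, 6, 1, 10, 15), "acct-1003", "acct-9001", 1400.0),
    (datetime(2005, 6, 1, 11, 0),  "acct-1004", "acct-9001", 800.0),
    (datetime(2005, 6, 1, 12, 0),  "acct-2001", "acct-2002", 50.0),   # ordinary
    (datetime(2005, 6, 3, 12, 0),  "acct-2003", "acct-2002", 50.0),   # spread out
]

LOGIN_HISTORY = [  # (user, login region, transactions in that session)
    ("alice", "NY", 1), ("alice", "NY", 2), ("alice", "NY", 1),
    ("alice", "NY", 2), ("alice", "NY", 1), ("alice", "NY", 2),
]


def mule_funnel_alerts(transfers, window=timedelta(hours=24), min_sources=3):
    """Destination accounts fed by at least `min_sources` distinct source
    accounts inside any `window`. Returns {destination: [sources]}."""
    by_dst = defaultdict(list)
    for ts, src, dst, _amount in transfers:
        by_dst[dst].append((ts, src))
    alerts = {}
    for dst, events in by_dst.items():
        events.sort()
        for start, _ in events:                  # window anchored at each event
            sources = {s for t, s in events if start <= t < start + window}
            if len(sources) >= min_sources:
                alerts[dst] = sorted(sources)
                break
    return alerts


def build_profiles(history):
    """Per user: the usual login region and mean transactions per session."""
    regions, counts = defaultdict(Counter), defaultdict(list)
    for user, region, n in history:
        regions[user][region] += 1
        counts[user].append(n)
    return {u: {"home_region": regions[u].most_common(1)[0][0],
                "mean_tx": sum(counts[u]) / len(counts[u])}
            for u in regions}


def score_session(profiles, user, region, tx_count, velocity_ratio=5):
    """Reasons to contact the customer; an empty list means the session
    matches the profile. Unfamiliar region and a transaction count more
    than `velocity_ratio` times the usual are scored separately."""
    p = profiles.get(user)
    if p is None:
        return ["no profile"]
    reasons = []
    if region != p["home_region"]:
        reasons.append(f"unfamiliar region {region} (usual {p['home_region']})")
    if tx_count > velocity_ratio * p["mean_tx"]:
        reasons.append(f"{tx_count} transactions vs usual {p['mean_tx']:.1f}")
    return reasons
```

The window length is the knob the transfer delay buys: with a 24-hour window the funnel into acct-9001 trips the rule, with a one-hour window it does not, which is why the UK banks hold first-time transfers rather than scoring them instantly.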

And unlike in the past when banks were wary of the cost or customer backlash from adopting security technologies, steps like the one Bank of America is taking will be swiftly copied across the financial-services industry, Litan predicts. "They're finally waking up and realizing they have a really big problem."

--With Martin J. Garvey