Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Monday, October 17, 2005

Tighten Web Security, Banks Told

Federal regulators will require banks to strengthen security for internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.  Bank websites will be expected to adopt some form of “two-factor” authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.

In two-factor authentication, customers must confirm their identities not only through something they know, like a PIN or password, but also with something they physically have, like a hardware token with numeric access codes that change every minute.  Other types of two-factor authentication include costlier hardware involving biometrics or “smart” cards that would be inserted into designated readers on a user’s computer.
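The "something you have" factor described above, as an added example that is not part of the original article: a time-based one-time-password check in Python modelled on HOTP/TOTP (RFC 4226 / RFC 6238). The 60-second code period, 6-digit codes, one-step clock-skew tolerance and the shared secret (the RFC 4226 test key) are assumptions for the example, not details from the article or the FFIEC guidance.

```python
import hashlib
import hmac
import struct

# Assumed parameters: a token whose 6-digit code changes every minute,
# with one step of tolerance either side for token clock drift.
PERIOD = 60
DIGITS = 6
SKEW_STEPS = 1

# Constructed shared secret (the RFC 4226 test key), provisioned into the token
# at issue time and stored server-side; a real bank would store it encrypted.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: dynamically truncate HMAC-SHA1(secret, counter) to `digits` decimals."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, period: int = PERIOD) -> str:
    """RFC 6238: the counter is the number of whole periods since the Unix epoch."""
    return hotp(secret, at_time // period)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                period: int = PERIOD, skew_steps: int = SKEW_STEPS) -> bool:
    """Accept the code for the current step or `skew_steps` neighbours.
    The comparison is constant-time so timing leaks nothing about the expected code."""
    step = at_time // period
    return any(
        hmac.compare_digest(hotp(secret, s), submitted)
        for s in range(step - skew_steps, step + skew_steps + 1)
    )


def authenticate(stored_password: str, password: str,
                 secret: bytes, code: str, at_time: int) -> bool:
    """Two factors: something the customer knows AND something they have.
    (A real system compares a password hash; a plain string is used here for brevity.)"""
    knows = hmac.compare_digest(stored_password, password)
    has = verify_totp(secret, code, at_time)
    return knows and has
```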

Banks might also issue one-time passwords on scratch-off cards or require “secret questions” about a customer’s account, such as the amount of the last deposit or mortgage payment.

The council also suggested that banks explore technology that can estimate a web user’s physical location and compare it to the address on file.

The most common way of stealing consumers’ personal identity data and financial account credentials online, known as phishing, typically involves sending e-mails that direct unwitting users to phony websites. Data harvested at such sites is then used fraudulently. The Anti-Phishing Working Group, an industry association, reported 13,776 unique types of phishing attacks in August.

While some financial institutions have given their customers electronic password tokens, those have tended to be optional.  Other banks have instituted password entry through mouse clicks instead of typing, a protection against keystroke-snooping programs.

FDIC spokesman David Barr said the rules will serve as standards that will be checked when banks’ practices are audited. Although the requirements apply just to financial services companies, the policy could stimulate wider use of two-factor authentication by other merchants that are willing to “federate” their websites with banks, said Michael Aisenberg, director of government relations for internet service provider VeriSign.

Posted on 10/17