Strong authentication a hard sell for banks

The announcement last week that U.S. Bancorp, the eighth-largest U.S. bank, signed a deal with VeriSign Inc. to secure customer access to online commercial banking services could signal a significant trend toward greater security for retail banking and brokerage customers, as companies in those industries fight a big increase in online scams.

But the introduction of a "multifactor" authentication option for thousands of companies that use U.S. Bancorp online services is still the exception among U.S. financial institutions, which lag far behind their counterparts in Europe and Asia in the use of strong authentication to secure those services, and industry officials are skeptical that such technology will ever take hold here.

U.S. Bancorp will use VeriSign's Unified Authentication service to validate and secure interactions with commercial banking customers, making a secure Universal Serial Bus token available to more than 10,000 commercial banking customers, said Judy Lin, executive vice president for VeriSign's security services.

The U.S. Bancorp move comes amid a growing storm of online scams, including phishing attacks, that use spam and deceptive Web sites imitating bank and e-commerce sites to harvest personal and financial information from unsuspecting Internet users.

The Anti-Phishing Working Group, an industry group of law enforcement agencies, Internet service providers and technology companies, reported that such attacks increased an average of 50% per month from January to July.

A May report from Gartner Inc. found that as many as 30 million adults may have experienced a phishing attack and 1.78 million adults could have fallen victim to the scams.

Phishing attacks represent a dangerous new front in the ages-old war between banks and criminals, who have traditionally relied on low-tech crimes such as Dumpster diving and purse snatching to steal bank account and credit card numbers, according to Robin Slade, a senior director at the Banking Industry Technology Secretariat (BITS), part of The Financial Services Roundtable, an industry group of leading banks and banking associations.

Criminals have simply followed their marks to the online realm, said Bruce Candiff, an analyst at Jupiter Research Inc.

"Banks value their online channels as a source of cost savings. A consumer who goes for help to a Web site costs less than if they called a customer service representative, and [online banking services] are more efficient from a consumer perspective, as well," he said.

Currently, about 35 million U.S. households bank online. Jupiter estimates that number will grow to about 56 million households by 2008, 54% of the country's banking households, Candiff said. At the same time, fraudsters are finding new and better ways to exploit online services, he said.

Fraud against direct deposit accounts, in which criminals obtain a victim's bank account number and then move money from it to another account or online payment service, is a fast-growing problem that may be tied to phishing scams, said Avivah Litan, a Gartner Inc. analyst.

One reason for the increase in such crimes may be inadequate security that governs access to online banking and e-commerce services, experts agree.

Despite the surge in online scams, most banks still rely on usernames, passwords and 128-bit Secure Sockets Layer encryption on traffic sent to and from a customer's computer, said Jon Gossels, president of SystemExperts Corp. in Sudbury, Mass., a consulting firm that counts leading financial services firms as customers.

"Banks are trying to balance ease of use with complexity and strength in their authentication technologies," said Richard Mackey, a principal at SystemExperts. "Most companies try to allow PIN [personal identification number] codes to be relatively short, so customers can remember them easily. Others are allowing longer passwords and PINs."

Some companies are moving more in the direction of convenience than security, streamlining systems so that customers can use the same PIN for automated teller machines and online services, he said.

"I think some [banks] feel that the user convenience threshold is lower -- basically that users will walk away if you make things too difficult," Mackey said.

A lack of commitment to strong user authentication within the U.S. banking and financial services industry is contributing to online crimes, said Howard Schmidt, former chief information security officer at eBay Inc., who was recently named chairman of the government's U.S. Computer Emergency Readiness Team (US-CERT).

"One of the fundamental reasons that hacks, DOS [denial-of-service] attacks, phishing and identity theft occur is because we don't have a good online system for identity management," he said.

But the idea of using digital certificates for consumer banking customers still gets a cool reception from many.

"The topic of authentication is critical, but we don't see a consensus," said Cheryl Charles, senior director at BITS. Studies of online consumers conducted by BITS in recent years show a bottom-line concern for security but indicate that security concerns aren't enough to turn consumers off of Internet banking, she said.

Banks and banking industry officials usually cite customer resistance as a top reason for not implementing stronger security for online services.

"There have been approaches [to strong authentication] that have been pilot-tested, and they haven't gone over well with consumers. The reality is that customers have repeatedly expressed the desire to do things the easy way," said Gary Roboff, a senior consultant in charge of payments strategies at BITS.

Behind the skepticism about multifactor authentication is a long history of troubled implementations and failed projects with multifactor, public-key infrastructure (PKI) technology, Roboff said.

Many leading banks tried large-scale deployments of secure, multifactor authentication in the early and mid-1990s to protect internal transactions or links to their trading partners, but those initiatives often were abandoned, due to their cost and technical complexity, he said.

"If you go back to the early days of the Internet, the financial services industry was very concerned about all the risks. I don't think it's an exaggeration to say that the industry looked at the Internet as the Wild West," Roboff said.

Strong authentication programs such as the Secure Electronic Transaction (SET) protocol, backed by Microsoft Corp., MasterCard International Inc. and Visa International Inc., were too difficult for financial institutions to deploy, and consumers had problems with other approaches, such as SafeDebit, an NYCE Corp. program enabling card-activated, PIN-secured purchases online, Roboff said.

Chastened, banks and financial services companies shelved plans for strong authentication, Gossels said.

"Banks decided that a username and password sent over SSL was good enough. We had the pendulum swing to 'ease of use' and 'good enough,'" he said.

The emphasis on ease of use over security stands in marked contrast to nations in Europe and Asia, where online banking has benefited from the widespread use of strong authentication technology such as smart cards and one-time passwords, experts said.

For example, Rabobank in the Netherlands provides online banking customers with a secure token that generates one-time passwords that must be entered, along with a standard account username and password, to access online services, said Dave Jevans, chairman of the Anti-Phishing Working Group.
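The article does not say which algorithm Rabobank's token uses, so the following is an added illustration rather than the bank's or VeriSign's code: it assumes an event-based token of the kind standardized in RFC 4226 (HOTP), where token and server share a secret key and a counter, each button press yields a six-digit code derived from HMAC-SHA1 over the counter, and the server accepts a code only within a small look-ahead window and then advances past it, so a phished or replayed code is useless. The key is the RFC 4226 test-vector secret, used here purely as constructed sample data; `TokenRecord` and its `look_ahead` field are names chosen for this example.

```python
"""Server-side verification of one-time passwords from an event-based token.

Added example, not code from the article or from any bank or vendor it names.
Implements HOTP (RFC 4226): code = truncate(HMAC-SHA1(key, counter)) mod 10^6.
"""
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret, used only as constructed sample data (assumption:
# a real deployment provisions a random per-token key at enrolment).
TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Compute the HOTP value for one counter value (RFC 4226 section 5.3)."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation offset
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class TokenRecord:
    """What the server stores per enrolled token: the shared key and the
    next counter value it expects (hypothetical record layout)."""

    def __init__(self, key: bytes, counter: int = 0, look_ahead: int = 5):
        self.key = key
        self.counter = counter        # next counter value the server will accept
        self.look_ahead = look_ahead  # tolerated number of unsynchronised presses

    def verify(self, submitted: str) -> bool:
        """Accept the code if it matches any counter in
        [counter, counter + look_ahead]; on success move the server counter
        past the matched value so that code, and any earlier skipped code,
        can never be accepted again (replay protection)."""
        submitted = submitted.strip()
        if not (submitted.isdigit() and len(submitted) == 6):
            return False
        for i in range(self.look_ahead + 1):
            candidate = hotp(self.key, self.counter + i)
            # constant-time compare, as for any password-like secret
            if hmac.compare_digest(candidate, submitted):
                self.counter += i + 1
                return True
        return False


if __name__ == "__main__":
    token = TokenRecord(TEST_KEY)
    first = hotp(TEST_KEY, 0)            # what the token displays on first press
    print("first press accepted:", token.verify(first))   # True
    print("replay of same code:", token.verify(first))    # False
    print("third press (one skipped):", token.verify(hotp(TEST_KEY, 2)))  # True
    print("server counter now:", token.counter)           # 3
```

The username and password are still checked separately; the token only adds a second factor that a phishing site cannot reuse once the real server has consumed the code. The look-ahead window is the usual compromise between tolerating presses the user made without logging in and limiting how many codes an attacker could try to guess.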

"The [European Union] is paying attention more to safety first and convenience second," said U.S. Federal Trade Commissioner Orson Swindle. "Our banking and financial institutions went rushing out to use [online services], but didn't pay attention to some of the vulnerabilities. Phishing and spoofing are a sadistic tribute to lack of thoughtfulness as we put systems in place."

Some in the banking industry think European-style security features may soon be in the cards for U.S. banks and their customers.

"I think security, identity and authentication security are going to become increasingly important," said Gil Danieli, vice president of technology at EverBank National Banking Group, an online bank based in Jacksonville, Fla.

Customers of EverBank, which serves about 30,000 depositors and has about $2 billion in assets, haven't been targeted by phishing scams yet, but Danieli thinks it's only a matter of time.

"Everybody's going to be a target of opportunity, ultimately. It becomes increasingly cost-effective to go after small fish as the technology gets better," he said.

Managed service providers like VeriSign and Internet service providers like America Online Inc., which recently announced its own program to offer customers RSA Security Inc. SecurID tokens, may spur mass adoption of PKI solutions, making such technology more feasible for banks and financial services companies, Danieli said.

Others are skeptical that PKI will gain acceptance with U.S. consumers. "PKI has really not gone over well. It's just not something that consumers are interested in," Jupiter Research's Candiff said.

If European-style PKI deployments aren't in the works, however, companies may be willing to try a range of lighter-weight security services, such as "shared secret" technology offered by companies like Passmark Security LLC, which uses embedded images to authenticate Web sites to users, he said.

So far, however, many industry observers say that progress has been slow in fighting online scams.

"The good guys can't keep up with the bad guys," said Litan of Gartner. "What we need is some kind of Caller ID for the Internet. Someone has to stand behind Web sites and say, 'This is John Doe.' And right now nobody does that."


Copyright © 2004 IDG Communications, Inc.