Hardware and Software for Secure Online Banking

Identity theft is one of the fastest growing types of consumer fraud, and banks in particular fear that such crimes will hinder consumer online banking activity.

A recent study on bank account phishing and hacking from the Federal Deposit Insurance Corporation reveals that single-factor authentication for online banking has flaws that are increasingly being exploited by phishers. In response, financial services firms have launched investigations of additional authentication tools, both software and hardware.

E*Trade’s Hardware

E*Trade Financial has had an authentication pilot in place for the past two months. Nationwide, 200 of its customers carry hardware devices that provide a unique code every 60 seconds. When the consumers in the test want to check their E*Trade accounts or initiate transactions, they follow the usual login process but also enter the code appearing on the device at that moment.

“Customer feedback has been positive,” said Tina Martineau, an E*Trade spokeswoman, and customer feedback through the first quarter of 2005 will determine whether the firm rolls out the technology to all of its customers.

Ed Neumann, head of consulting services at Javelin Strategy & Research, said many banks show interest not only in hardware tokens but also in software that provides additional authentication. Few, however, will adopt hardware for their entire customer bases because of the cost of the devices.

Banks and Brokerages

“Banks don’t want to pass the costs on to customers. They want as many customers online as possible,” Neumann told CRM Buyer. Asking consumers to pay extra fees for hardware tokens will drive them away from the Web rather than toward it.

Still, hardware devices may have a place in this more secure future. “E*Trade is a brokerage company moving a lot of money,” Neumann observed. “Hardware tokens would be less necessary for retail banks and transactions under a certain value…. The threat is not large enough to require a $10 or $15 hardware device.”

Zack Martin, editor of “ID Newswire,” an industry newsletter, expanded on this line of thought. “Initially these devices will probably be issued to high-net-worth individuals to access brokerage and other financial accounts. As they gain more acceptance and come down in price, they will be made available to others,” he told CRM Buyer.

For the mainstream online banking customer, “the devices that are probably being explored the most are the different types of USB tokens,” he said. “They’re pretty easy to use and don’t require any extra hardware.” Some of these tokens simply plug into a USB port on the customer’s computer; entry of a password or PIN yields access to the secure site. Others bear similarities to E*Trade’s hardware, providing one-time passwords.

Neumann pointed to software as another widespread solution. Authentication software installed on a customer’s home and work computers, as well as on hand-held devices, deliver added security. When customers need to access their accounts remotely, they would be asked a series of questions in order to receive the supplemental security through another computer.

Social Engineering

But there’s more to solving the fraud problem than hardware and software. Neumann recalls that in the late ’80s and early ’90s AOL experienced the first phishing attacks. “AOL did an efficient job of containing the problem through consumer education,” said Neumann. To this day, AOL, in nearly all of its communications, tells its members that they will never be asked for their passwords or other personal information by an employee of AOL.

“We suggest the same for banks,” said Neumann. A heavy hand with consumer education as well as a commitment to removing links from all bank e-mails can go a long way toward keeping customers safe. If they receive e-mails sporting a bank logo that requires a response or includes a link, they’ll know it’s not a legitimate communication. Right now, he said, “they don’t know if it’s a real e-mail from their bank or a scam from Latvia.”

“No system is foolproof,” said Martin. “[With] enough time and money any system can be hacked. Phishing is a primary concern right now, and the solution is better customer authentication. But what are banks willing to ask customers to do and what are customers willing to do?”