Next year’s holiday season will differ in at least one small way from 2005’s: The U.S. government recently mandated that financial institutions strengthen their online security by supplementing the traditional user ID and password with another form of user authentication. “The government initiative gives a clear and loud wake-up call to a procrastinating U.S. banking industry that has not moved beyond relying on single-factor reusable password authentication,” said Avivah Litan, an industry analyst with Gartner Group.
Traditionally, banks have relied on passwords and user IDs for a couple of reasons, starting with convenience. “Banks do not want to put security procedures in place that may discourage users from using their services,” stated Pete Lindstrom, research director at Spire Security, a security consulting firm.
Simple Is as Simple Does
While they are simple to use, password security systems can be easily compromised. Typically, users are assigned default passwords; often financial institutions will assign users a common password and then ask the customer to change it once he or she uses the service. In many cases, users do not take that step and therefore leave their account information open to intruders.
Another problem is consumers often pick easy-to-remember passwords, such as their first name or simple numeric sequences, like 123456. The problem is that if a password is simple for the user to remember, it is also easy for a hacker to crack.
Financial institutions have been trying to address these problems by making consumers aware of the danger and requiring more complex passwords. However, in order to remember them, users often write their passwords and IDs down on pieces of paper. If the user consults that note in a public place, someone nearby may be able to glean the credentials. In other cases, customers store the passwords in files on their computers; if a laptop is lost or an intruder breaks into the machine, the user’s credentials and personal information are compromised.
Consequently, U.S. officials determined that password authentication was insufficient to protect users and decided to make a change. “The rising number of cases involving identity theft meant some consumers were losing confidence in online financial services,” noted Dan Blum, group research director at market research firm Burton Group.
High Hopes for New Rules
The Federal Financial Institutions Examination Council (FFIEC), which was formed in 1970 and includes the Federal Reserve System, the Federal Deposit Insurance Corp. and the National Credit Union Administration, oversees banking regulations in the U.S. The FFIEC’s new set of rules, dubbed “Authentication in an Internet Banking Environment,” says banks must now rely on two-factor authentication, which adds a second identity check alongside the password. This guideline replaces a previous set of rules issued to banks in 2001. The group is making the change, it says, “to reduce fraud, to inhibit identity theft, and to promote the legal enforceability of their electronic agreements and transactions.”
Although a firm date has not been set to put the new system in place, government auditors are expected to begin evaluating banks for compliance with the guideline at the end of 2006. “Many financial institutions had been moving toward stronger authentication, so they should have time to make the necessary changes,” Spire Security’s Lindstrom told TechNewsWorld.
While the FFIEC said banks need to make a change, the regulatory organization did not mandate what type of additional authentication they should deploy. In fact, the guideline outlines a number of multi-factor authentication schemes that banks can use, such as hardware tokens; scanning a biometric identifier like a fingerprint or an iris; the bank calling the customer on a cell phone to verify a transaction; or banks issuing users sets of passwords that can each be used only once. With the new guidelines being put into place, a key question becomes: which of these options will be most acceptable to consumers?
Hardware tokens have been available for many years. In this case, the bank issues the user a small device, such as a smart card (a credit-card-size device equipped with a microprocessor and software) or a password generator that plugs into a USB port, and the device produces one-time passwords that the bank’s security system can independently compute and check. While these techniques can be effective, they have not been popular in the U.S. “Users do not want to be burdened with having to remember to carry a device like a smart card,” Burton Group’s Blum told TechNewsWorld.
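To show how a password-generator token and the bank’s server can agree on a password without ever transmitting a secret, here is an added example (not from the article or any bank’s product): a counter-based HMAC one-time password modeled on RFC 4226 HOTP, with the server-side check that a code is accepted once and never again. The shared secret and counter values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP code for a shared secret and event counter."""
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Bank-side state for one user's token: the next counter it expects.

    The token (the user's device) only knows the same secret and its own
    counter; it never sends either. The server recomputes the code for a
    small window of counters to tolerate button presses that were never
    submitted, and moves past every counter it accepts or skips, so a
    captured code cannot be replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            # constant-time compare avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1          # burn this and any skipped counters
                return True
        return False


if __name__ == "__main__":
    # Constructed shared secret (also the RFC 4226 test-vector secret).
    secret = b"12345678901234567890"
    bank = TokenVerifier(secret)
    print(bank.verify(hotp(secret, 0)))   # first press: accepted
    print(bank.verify(hotp(secret, 0)))   # same code again: rejected (replay)
    print(bank.verify(hotp(secret, 2)))   # press 1 was never submitted; 2 accepted
```

The same "accept once, then invalidate" bookkeeping is what makes a bank-issued list of single-use passwords safe to mail to a customer.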
Biometrics can also prevent accounts from being compromised and do not require that users carry anything extra. However, there can be resistance to this technique from individuals who feel that their privacy is being violated.
Cell phone usage has become prevalent in the U.S., so relying on these devices to verify transactions seems viable. One potential challenge is figuring out how to handle transactions when a person is not carrying a phone or it is not working because the battery is low or the customer is outside the carrier’s coverage area.
Issuing users sets of passwords seems like a simple approach to solving the authentication problem. Burton Group’s Blum said a similar approach is already proving effective in Europe.
For the moment, since the FFIEC’s initiative is so new, no clear-cut preference has emerged in the U.S. “In the end, users will opt for the technique that is simplest to use, and banks will select the one that is the least expensive to deploy,” predicted Spire Security’s Lindstrom. The preferred approaches will likely become clear as consumers begin to fill their stockings ahead of next year’s holiday season.