Some banks and financial firms are considering the use of consumer authentication-style PKI products, enabling them to securely send financial statements and account information to customers.
The goal is to cut down on phishers who construct phony email messages and trick customers into clicking a link and ultimately into giving up their personal information, such as passwords and date of birth.
Many banks and financial services firms use pull authentication to email customers, sending them a message to let them know that their statement is available online. A URL to the bank website is usually in the body of the message. The recipient is expected to click on the link and authenticate at the financial institution's website. But the method is less secure and could result in higher fraud rates, said Mark Diodati, a senior analyst at Midvale, Utah-based Burton Group.
Diodati expects the Federal Financial Institutions Examination Council (FFIEC) to issue guidelines on the insufficiency of single factor authentication. The guidance could force banks and other financial firms to send out more secure email to customers.
"The challenge is getting customers away from blindly clicking on URLs," Diodati said. "It's very hard for a user to read a complicated URL and determine if it's from their bank."
Robert Weaver, head of IT security at ING Direct in the U.S., said the company constantly measures ways to build security that doesn't affect customer convenience.
"The industry is quickly moving in that direction of getting links entirely out of emails," Weaver said. "The problem is that there is a significant difference in the amount of click through. If it's right there and hot-linked it's a lot easier for the consumer to do it."
Weaver said pushing out statements to customers would be possible but it would take a costly investment in new infrastructure to secure the message. The procedure would not only involve sending out an encrypted email, but it would need a secure envelope and include a message delivery notification.
"It's more than just a run of the mill encryption on an attachment in the email," Weaver said. "It would take a lot more infrastructure. I don't want to have to build a whole secure email distribution service."
The Burton Group's Diodati said customers and financial institutions could benefit if banks distribute account statements via email. Consumers would get the convenience of storing the information securely on their computer and banks would see a cost savings since the process would become paperless.
He said he knows of at least one major financial institution considering a consumer-based PKI product to deliver statements to customers. PKI, or public key infrastructure, provides a repository of digital certificates used to verify the authenticity of public keys. Joel Dubin, a Chicago-based independent computer security consultant, said PKI technologies were known for their complexity but they are improving.
Diodati warns that this method of authentication comes with its own set of security issues. For example, an attacker could hack into an unattended computer, accessing a consumer's bank statements or other private data, he said. Also, many people access their email via POP3, which passes user credentials in cleartext.
"Anyone with a network sniffer along the path can grab the consumer's credentials and re-use them to access the consumer's emails," Diodati said in a blog entry on the issue at the Burton Group's Identity and Privacy Strategies blog.
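As an added illustration of the POP3 problem Diodati describes (this code is not part of the article or of any product mentioned in it), the following Python inspects a POP3 session transcript and reports whether the USER and PASS commands were sent before a successful STLS upgrade, i.e. whether a passive sniffer on the path would have seen the credentials. The transcript convention (`C:` for client lines, `S:` for server lines) and both sample sessions are constructed for this example; a real transcript would come from a client debug log or a packet capture.

```python
"""Flag cleartext POP3 logins in a session transcript.

Added example, not from the article. The 'C: '/'S: ' line prefixes and the
two sample sessions below are constructed conventions for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: plain POP3 on port 110. The server advertises STLS in
# its CAPA response, but the client ignores it and logs in in the clear.
CLEARTEXT_SESSION = """\
S: +OK POP3 server ready
C: CAPA
S: +OK
S: USER
S: STLS
S: .
C: USER alice@example.com
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 3 4200
"""

# Constructed sample: the client upgrades with STLS before authenticating.
# Lines after the +OK would be encrypted on the wire; they are shown here as
# a client-side debug log would record them.
STLS_SESSION = """\
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
C: USER alice@example.com
S: +OK
C: PASS hunter2
S: +OK Logged in.
"""


@dataclass
class Finding:
    exposed_user: Optional[str] = None   # username sent before TLS, if any
    password_seen: bool = False          # PASS sent before TLS
    tls_before_auth: bool = False        # credentials sent only after STLS
    stls_offered: bool = False           # server listed STLS in CAPA
    notes: List[str] = field(default_factory=list)


def analyse_pop3(transcript: str) -> Finding:
    """Walk the transcript line by line, tracking whether TLS is active."""
    f = Finding()
    tls_active = False
    pending_stls = False   # client sent STLS, waiting for the server reply
    for raw in transcript.splitlines():
        m = re.match(r"^(C|S): (.*)$", raw)
        if not m:
            continue
        who, line = m.group(1), m.group(2).rstrip()
        if who == "C":
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd == "STLS":
                pending_stls = True
            elif cmd == "USER":
                if tls_active:
                    f.tls_before_auth = True
                else:
                    f.exposed_user = arg
            elif cmd == "PASS":
                if tls_active:
                    f.tls_before_auth = True
                else:
                    f.password_seen = True
        else:
            if pending_stls:
                pending_stls = False
                if line.startswith("+OK"):
                    tls_active = True
            elif line.upper() == "STLS":
                # Appears only inside a CAPA listing: the server supports it.
                f.stls_offered = True

    if f.password_seen:
        f.notes.append("credentials transmitted in cleartext")
        if f.stls_offered:
            f.notes.append("server offered STLS but client did not use it")
    return f


def cleartext_credentials(transcript: str) -> bool:
    """Convenience wrapper: True if the password crossed the wire unencrypted."""
    return analyse_pop3(transcript).password_seen


if __name__ == "__main__":
    for name, session in (("cleartext", CLEARTEXT_SESSION), ("stls", STLS_SESSION)):
        print(name, analyse_pop3(session))
```

The mitigation the finding points at is the one the article implies: require TLS (POP3S on port 995, or STLS before any USER/PASS) at the server so that a client cannot fall back to sending the password in the clear, regardless of what the client chooses.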
Still, the FFIEC is not likely to issue specific guidance on sending statements via email, said Don Rhodes, director of risk management policy at the American Bankers Association. Rhodes said he believes the agency has intentionally not issued prescriptive guidelines, "because what works for a big bank might not work for a small one. The guidance gives banks the opportunity to develop an approach that suits their bank."
"I don't think they're interested in being that prescriptive," Rhodes said. "That would be telling someone how to operate a branch and I don't think the agency wants to go down that road."
A recent survey by Cambridge, Mass.-based Forrester Research Inc. found content-aware, policy-based email encryption on the rise. Thirty-two percent of U.S.-based companies said they had deployed such email encryption technology to send sensitive messages to customers and employees. The trend is being driven primarily by healthcare organizations that need to comply with the Health Insurance Portability and Accountability Act (HIPAA). The survey was commissioned by email security vendor Proofpoint. It received 424 responses from companies with 1,000 or more employees.
Still, the survey found that among those with such encryption capabilities, less than half of the email that should be encrypted is actually sent in that form. Proofpoint spokesman Keith Crosley said the finding suggests there is still a great need for more advanced email encryption solutions in today's enterprise. He said using policy-based encryption is still an expensive endeavor.
Crosley sees growth in the financial services industry, where there is a big concern about consumer financial data leaking into the wrong hands.
"Healthcare leads the way because there is such a big requirement," Crosley said, "but there's a big uptake in encryption for banks, retailers and online merchants."