Phishing, the act of extracting secret data through cleverly designed faux Web sites, is still raging despite declarations by some well-known security experts earlier this year that its popularity as a hacking tool would wane. Instead, it's morphed into more inventive scams and found new victims. In addition, hackers also continue to snatch identities and funds by hijacking domain name servers, carrying out man-in-the-middle attacks and installing Trojan horses or keystroke loggers through spyware, worms and viruses.
To help reduce this type of crime, the Federal Financial Institutions Examination Council (FFIEC), an umbrella group of U.S. regulators that includes the Federal Reserve and the Federal Deposit Insurance Corp., recommended that banks increase their online security by 2006. In August, it published a set of guidelines for banks to improve customer authentication methods (particularly for new customers), secure the delivery channel for electronic transactions and supplement username and password logons with multifactor authentication methods.
And they couldn't come at a better time. The FTC reports that both identity theft and Internet-related financial fraud are rising steeply, with formal complaints climbing from 161,896 in 2002 to 246,570 in the last year. Many of these attacks originate in countries in Eastern Europe and Africa, making it difficult for the authorities to find and prosecute the offenders.
All the while, banks push customers to go paperless and switch to online banking. But with lawsuits like the one against Bank of America in February still looming, consumers continue to question if the convenience is worth the risk. In that lawsuit, Miami businessman Joe Lopez wants to recoup $90,000 from Bank of America Corp. because hackers captured his online banking credentials and moved his money to a Latvian bank.
That is not to say that such guidelines will make it easier for the likes of Lopez to sue banks when their funds go astray. "I imagine the banks will adopt contracts that have many of the same characteristics as the software vendors and thrust the burden of security onto the consumer," says Reid Skibell, a lawyer specializing in Internet security law at Davis Polk & Wardwell in New York. "Firstly, they will put some disclaimers in their contract such as you have to change your password regularly."
Solutions a go-go
All of this is good news for the security vendors, of course, who are suggesting everything from "pennies-per-customer" software using graphical passwords to $40-per-user keychain dongles that generate a new password for each transaction. For example, Santa Clara, Calif.-based startup Bharosa Inc. offers Authenticator, a low-cost product that encrypts passwords when they are entered in the browser using soft tokens and graphical passwords.
Meanwhile, at the other end of the spectrum is RSA Security Inc., which provides $20 to $40 tokens that generate a new password for each logon. Another company called Diversinet Corp. in Toronto sells software that uses a cell phone or PDA as the physical token. The user enters a PIN and the device relays a message to a back-end security application.
Prudent corporations already are implementing the FFIEC recommendations well ahead of the 2006 deadline. Citadon Inc., a Web collaboration and project management company based in San Francisco, is already offering Bharosa's soft token products to clients such as Shell Oil Co. and General Electric Co. as well as its banking customers.
"We are incredibly paranoid about user authentication," says Howard Koenig, CEO of Citadon. "We have even had hackers call our own customer service lines to get password resets and we have had to develop quite sophisticated scripts to deal with them."
Numerous other vendors also are positioning their products as FFIEC-compliant. PassMark Security Inc., which is working with Bank of America on its SiteKey service, uses the customer's computer as a second authentication factor by verifying its IP address with SiteKey. SiteKey provides the user with pre-agreed phrases and an image.
"New customers will write a brief phrase during the registration process," says Betty Riess, a spokesperson for Bank of America. "When they log on, they see the image that they selected, which tells them that they are on the BoA Web site (and not a man-in-the-middle) and they choose their phrase which verifies their identity." Furthermore, users logging on from a new computer are issued a series of challenge questions to prevent fraud.
Bharosa and companies such as StrikeForce provide server-side software that examines a machine's IP address, physical location and connection speed. StrikeForce's software also gives the bank the option of placing a call to the user's cellular phone to authenticate the transaction.
Other vendors include TriCipher, which splits the credential information between the user, their access device and the bank's server, making it difficult for hackers to intercept all of it simultaneously, and Verid, which quizzes the individual to verify their identity.
As with the flood of solutions that followed other data-security regulations like SOX and HIPAA, options are many. This is intentional, according to the Federal Reserve, which had a hand in FFIEC's creation.
"We issued guidelines and a timeframe of 2006, but we did not want to be overly prescriptive because the technology industry moves too fast," said Andrew Williams, a spokesperson with the Federal Reserve.