
Longer Logins at Online Banks?

Last week, the Federal Financial Institutions Examination Council issued a report recommending that banks tighten up their online-login procedures. The council's guidance says "single-factor authentication" -- where you only need to provide one piece of data, such as a PIN or password, to log in -- is "inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."

Instead, this report (a PDF file) suggests that a second layer of authentication be employed in these cases.

The report's appendix lists a few interesting possibilities. Banks could ask customers to produce a second bit of information (for instance, by answering a preset question after logging in, or by correctly identifying a previously designated image out of a gallery of other graphics). Customers could be required to plug in a USB token or smart card, or to submit to some form of biometric identification (such as a fingerprint scanner).

My guess is that only the first idea -- asking customers to produce some other data that only they would know -- will work in practice. It doesn't require customers to use any other hardware, nor does it add measurably to the login process.

But as my colleague Brian Krebs (for whom I'm filling in today and tomorrow) wrote back in August, banks might do better by simply continuing to make proper use of the protective encryption already built into Web browsers, in a way that makes it easier for their customers to know when they're on a legitimate site.

-- Rob Pegoraro
Washington Post consumer technology editor

By Brian Krebs  |  October 19, 2005; 1:23 PM ET


I was impressed recently when my bank (E*TRADE Bank) offered RSA encryption keys to customers for use in addition to passwords. The keys, which have five-digit numbers that change every 60 seconds, are even free for customers who meet minimum balance requirements. I can see all banks utilizing this level of security in the future to give customers peace of mind in an era where identity theft, phishing and on-line scams are so prevalent.

Posted by: Concerned On-Line Banking Customer | October 19, 2005 2:45 PM | Report abuse

No one, I am sure -- least of all depositors -- would be opposed to tightened security. As in the "war on terrorism," however, we ought to ask if the measure being implemented does in fact achieve the goal being sought, or if it only makes communication a lot more difficult. Consider my experience with INGDIRECT, whose apparent implementation of the second suggestion -- use of validating images -- has now deprived me of the opportunity to earn the market-beating interest rates they offer. But the issue is not simply one of having access to the same rates as everyone else. I am blind. Internet banking is not a simple convenience, but a remarkable way by which I can independently keep track of my account and assure that transactions charged against my account are accurate. The idea of using "images," or of rapidly changing characters for signing into my account creates another -- and as your suggestion of readily available encryption suggests -- a wholly unnecessary roadblock for the likes of me. By all means, banks should insist on personalized log-in information, but exclusively visually-derived information is not the way to go.

Posted by: Fort Knox | October 19, 2005 3:02 PM | Report abuse

It seems that RSA key fobs with a constant-changing number that you enter as part of the login process are the way that's catching on. The extra-question method you mention (pet's name?) is really just equivalent to a longer password, and provides very little in the way of additional security against keystroke loggers and the like. And the other alternatives you mention require specialized hardware that could be expensive and won't be available when you're trying to bank from somewhere other than your home computer.

The idea is to require information from something you have (preferably without requiring a hardware connection), not just to add something else you know to the password already required. A low-tech possibility is a card with a grid of numbers and letters that you'd be required to consult to answer a question that's part of the login process.

Posted by: KCinDC | October 19, 2005 4:22 PM | Report abuse

I have recently returned from working in The Netherlands and one of the larger banks there, ABN-AMRO, has a very good approach to its on-line banking. In addition to using the usual encrypted (SSL) web connections, the bank sends you an 'e-thenticator' that consists of a small keypad and display. You insert your ATM card into this device and it reads the smart-card on the ATM card. In order to log in to the system or to confirm payments or transfers (up to about $100,000) you are asked to enter a numeric code into the device (after validating with your PIN). The device responds with a 6-digit numeric code that you enter into the web screen. Fast, secure, and in 4 years I've never heard of anyone having a problem -- in order for the system to be compromised a thief needs 1) your ATM card with smart-chip (personal to you), 2) your ATM card PIN (personal to you) and 3) an e-thenticator device (generic, but available only to ABN-AMRO customers).

You then need to enter your ATM pin into the device.

Posted by: Andrew | October 19, 2005 4:30 PM | Report abuse
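As an added example (not from the comment above and not ABN-AMRO's actual protocol), here is a minimal model of the exchange Andrew describes: the bank displays an 8-digit challenge, the card reader answers with a 6-digit code only after the PIN has been checked inside the device, and the bank verifies the code and retires the challenge. The HMAC-based derivation, the code lengths, the lockout threshold and the sample secret are all assumptions.

```python
import hmac
import hashlib
import secrets

RESPONSE_DIGITS = 6   # the reader shows a 6-digit code, as in the comment
MAX_ATTEMPTS = 3      # bank-side lockout after repeated wrong codes (assumed)


def response_code(card_secret: bytes, challenge: str) -> str:
    """Device side: HMAC the challenge with the chip's secret, then truncate
    HOTP-style (RFC 4226 dynamic truncation) to a 6-digit decimal code."""
    mac = hmac.new(card_secret, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


class CardReader:
    def __init__(self, card_secret: bytes, pin: str):
        self._secret, self._pin = card_secret, pin   # hypothetical chip contents

    def answer(self, pin: str, challenge: str):
        # The PIN is checked inside the device: a wrong PIN yields no code, so the
        # chip secret never leaves the reader and the bank never sees the PIN.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None
        return response_code(self._secret, challenge)


class BankServer:
    """Bank side: issues single-use numeric challenges and checks responses."""

    def __init__(self, card_secrets: dict):
        self._secrets = card_secrets      # customer id -> chip secret (constructed)
        self._pending = {}                # customer id -> outstanding challenge
        self._failures = {}

    def issue_challenge(self, customer: str) -> str:
        challenge = f"{secrets.randbelow(10 ** 8):08d}"  # fresh per login/payment
        self._pending[customer] = challenge
        return challenge

    def verify(self, customer: str, response: str) -> bool:
        challenge = self._pending.pop(customer, None)  # single use, even on failure
        if challenge is None or self._failures.get(customer, 0) >= MAX_ATTEMPTS:
            return False
        expected = response_code(self._secrets[customer], challenge)
        if hmac.compare_digest(expected.encode(), response.encode()):
            self._failures[customer] = 0
            return True
        self._failures[customer] = self._failures.get(customer, 0) + 1
        return False
```

A replayed code fails because the challenge is consumed on first use; for payment confirmation the bank would derive the challenge from the transaction details so the code is bound to that transfer.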

Yes, that works fine if you have one primary institution. How well does this work for the individual with accounts at multiple institutions? Quite a big key chain you are going to need.

Posted by: The Other Side | October 19, 2005 5:15 PM | Report abuse

I agree that the RSA key fobs are the way to go. We use them at my workplace for VPN access. Given all the security problems reported these days, I won't do anything but "read-only" online banking until I can get an RSA token generator for my bank account.

Posted by: Dave | October 19, 2005 6:32 PM | Report abuse

We recently finished a paper on using SVMs to recognize splogs:

Pranam Kolari, Tim Finin, and Anupam Joshi, SVMs for the Blogosphere: Blog Identification and Splog Detection, TR-CS-05-13, Computer Science and Electrical Engineering, University of Maryland, Baltimore County, 8 October 2005.

The paper compares results using different feature sets for the task of splog recognition as well as some other simple tasks. We've submitted this to the AAAI Spring Symposium on Computational Approaches to Analyzing Weblogs.

Posted by: Tim Finin | October 19, 2005 7:17 PM | Report abuse

I am in total agreement with the plan to increase the security for online banking. I for one have been a victim of someone trying to access my account through my bank. It's horrifying that people will do this in this time and age. However, the use of external devices to access a bank can make things more limited. For example, if I'm away from my primary PC, and I need to do a transfer on my account from another PC, I would not be able to. The idea acts as a "double-edged" sword, in that parts of this plan can benefit, but also limit our ability to use the feature.

Posted by: CCinAnnapolis | October 20, 2005 9:34 AM | Report abuse

This issue has continued to confound me. My ATM card, also a debit card, which could be copied if ever used (I don't), is the account number for logon. Then an additional 4 digits provides security? 500 guesses doesn't take all that long, considering the money. But more hardware, while more secure, will not work for most people until all machines (libraries, airports, etc.) have readers for them, the extra hardware is as easy to carry and use as a key, and you can link multiple accounts to one key (standards anyone?).

Posted by: concerned about ID Theft | October 20, 2005 9:59 AM | Report abuse

My bank here in Barcelona, La Caixa, has always had a two-layered approach to online banking. You enter an 8-digit online ID no. and a 4-digit PIN on the Web site (both generated at random by the bank's system) to access your account info. Then to perform any transaction, you must enter an authorization PIN. Recently, they've improved the system by issuing a personal authorization PIN card to all online users. The card lists 60 authorization PINs, numbered from 1 to 60. When you want to complete an online transaction, the system asks you at random for one of the PIN numbers, for example "Enter PIN No. 46." You then have to find that PIN on your personal PIN card, which only you and the computer know (no one at the bank has a record of it), and enter it accordingly. So, for someone to commit a fraudulent transaction, he or she would have to have your 8-digit ID no., your online PIN, and access to your personal 60-PIN authorization PIN card, which you treat with care like a credit card (cancelling it if stolen, etc.).

Posted by: Barcelona | October 20, 2005 11:53 AM | Report abuse

Great discussion above! My company eMarketer today published a report on Online Banking Customers, and one of our conclusions is that customers are seeking stricter online security.

Read the press release here:

Posted by: Dave Murrow | October 20, 2005 12:14 PM | Report abuse

Having used the RSA key fob/token system it wouldn't bother me at all to use it to log on to my bank. I'd even be willing to pay a few dollars a year for the increased security.
Presently, when I can, I use a pass phrase of at least 32 characters using all four types of characters (upper case, lower case, special symbols and numbers). It would be simpler (and I'd feel just as secure) using the token system with a PIN. And of course there are those sites (not my bank, thankfully) that won't let you use all the character types, and some of those even limit the number of characters you can use.

Posted by: Frank S. | October 20, 2005 4:24 PM | Report abuse

For >5 years we have used online banking through Dollar Bank, a small regional bank based in Pittsburgh.
They have continuously impressed me in their security practices and have required multi-factor authentication for several years. Following successful User ID and password logon, we have to correctly respond to one of three rotating questions. Not completely fool-proof against a sophisticated key-logger, but pretty good and easy to use.
Now I'm just waiting for them to step up to the 256-bit AES encryption that the Firefox browser can handle.

Posted by: Cleveland, OH | October 27, 2005 7:49 PM | Report abuse



© 2010 The Washington Post Company