Banks To Upgrade Online Security

Responding to an order from federal regulators, U.S. banks have begun employing “two-factor” authentication, which must be in use by all banking institutions by the end of 2006. Credit card companies have for years used various types of authentication that go beyond passwords, but because losses to fraud in the banking industry have been less than the cost of implementing such measures, most online banking transactions still only require a name and a password. In October, the Federal Financial Institutions Examination Council, which includes regulators from groups such as the Federal Reserve and the Federal Deposit Insurance Corporation, said that banks must improve their online security by the end of 2006. Regulators will monitor banks’ efforts through periodic inspections. Two-factor strategies work by correlating a security measure such as a password with a secondary factor. The other factor might be a hardware token that includes another password, software solutions that generate one-time passwords, or a check to see where a user request originates. If, for example, a user logs in from the United States one day and Europe the next, the system might ask for further evidence of identity before allowing any transactions.

Wired News, 30 October 2005