When you log in to your online banking account, you presumably know that you are yourself. But how does your bank know you’re you and not an unauthorized family member, friend or hacker trying to gain access to your account?
The answer involves something called authentication technology, or methods to identify a computer’s user, and it’s about to get more sophisticated thanks to new federal guidelines that require banks to be more diligent about their online banking security.
Most of the changes will happen behind the scenes, but bank customers might notice a few tweaks as well, according to Cary Whaley, vice president of payment and technology policy at Independent Community Bankers of America, a banking industry group in Washington, D.C.
“Consumers have to be sensitive, and I think they are, to the fact that banks are extremely concerned with making sure it’s them doing the transaction and not somebody else,” he says.
The new guidelines for banks were issued in June 2011 as a supplement to regulations originally promulgated seven years ago by the Federal Financial Institutions Examination Council, or FFIEC, an interagency group that prescribes uniform principles, standards and reports for federal bank examiners.
According to “Supplement to Authentication in an Internet Banking Environment,” an FFIEC document, the new guidelines do the following.
- Reinforce expectations that financial institutions should perform periodic risk assessments.
- Identify controls that are now less effective, given that the online banking environment has become more “hostile,” to use the FFIEC’s description.
- Identify minimum elements that should be part of banks’ consumer awareness and education efforts about banking online.
The risks of online banking fraud are real. More people are using these services. And more online fraudsters are using more sophisticated, effective and malicious methods to perpetrate their crimes, the FFIEC says. Organized criminal groups have been identified as well, and some now specialize in financial fraud, using kits of automated “attack tools” that can be downloaded from the Internet.
Banks that make substantive changes to their security protocols may send new terms to their customers, Whaley says.
That will create opportunities for both customer education and fraud, the FDIC says. The concern arises because scammers took advantage of the original guidance issued in 2005 to try to trick bank customers into “enrolling” in new security measures.
Simple isn’t sufficient
Banks have used simple identification technologies, such as usernames, passwords and computer cookies (small files that websites store on users’ computers for identification purposes), for many years. But now more sophisticated techniques are expected to be employed for banking online, Whaley says.
“Simple authentication — a password and username — is just not sufficient enough to protect,” Whaley says. “That’s a good starting point, but you need more.”
Among other possibilities, the newer techniques are likely to include the following.
- Complex device identification such as PC configuration (how a computer is set up), Internet Protocol, or IP, address (a unique number that identifies each computer connected to the Internet) or geolocation (the identification of a device’s physical whereabouts in the real world).
- Challenge questions for which the answers can’t easily be found online through Google or social media.
- Nonsensical questions designed to confuse anyone other than the authorized user.
Implementation of enhanced controls should make online banking more secure, according to Greg Hernandez, a spokesman for the Federal Deposit Insurance Corp. in Washington, D.C.
Still, Hernandez says most unauthorized bank account access occurs not as a result of a weakness in the bank’s security system but due to malware, or malicious software, installed on the consumer’s computer.
That means consumers shouldn’t rely solely on the bank’s technology but should also be vigilant on their own when banking online to ward off financial cyber crimes.
“The most important thing consumers can do to protect themselves is to practice safe computing at home,” Hernandez says. “They should use a firewall and anti-virus/anti-malware software and keep it updated. They should be on the lookout for suspicious emails and avoid suspicious websites. They should not click on links contained in suspicious emails or download software from questionable sources.”