FDIC: What's good for banks is good for e-gov
Report says better authentication will help combat ID theft
The agency that insures U.S. bank deposits says electronic banking has outgrown the single-factor password authentication most often used to protect accounts, a finding that could affect e-government initiatives.
A study released earlier this year by the Federal Deposit Insurance Corp. concluded that 'account hijacking is now a small but growing problem for financial institutions and consumers, and conducting financial transactions online may place consumers at risk.'
The twin problems of identity theft and account hijacking are growing concerns not only because of the direct cost of fraud to banks and consumers (estimated in the billions of dollars) but also because they erode confidence in the online infrastructure on which the economy increasingly depends, FDIC concluded.
Securing users' access to accounts and services is also at the heart of efforts to promote e-government.
In its report, FDIC recommended two-factor authentication for logging onto accounts.
Companies selling online security tools are pleased with the recommendations.
'I was delighted that they came to the same conclusion we have,' said Dan Burton, vice president of government affairs for Entrust Technologies Inc. of Richardson, Texas.
'They are validating what we've known for a long time,' said John Worrall, vice president of worldwide marketing for RSA Security Inc. of Bedford, Mass. 'The economics of having consumers bank online is enormous, and organizations need to take measures if they are to retain and build confidence.'
But the mechanics and economies of deploying strong authentication to online consumers are not trivial. 'Something that only 0.1 percent of your customers will use is not going to save you any money,' said Chris Voice, Entrust's vice president for product marketing. 'You are not going to be able to deploy a hardware token to millions of people.'
The government is focusing on federated identity management to enable strong authentication. This would let agencies accept digital certificates issued by trusted third parties, without requiring the government to go into the business of issuing certificates or putting them on smart cards.
The growth of online banking and electronic transfers is fueling the growth of ID theft through scams such as phishing. Phishing, a fraud in which victims are conned with phony e-mail and Web sites into divulging personal information, was a major focus of the study.
FDIC itself has been the subject of at least six phishing attacks in the last year, the latest in September when victims received e-mail purporting to be from FDIC and directing them to a site where they were to enter account information.
Phishing works because financial institutions require inadequate user authentication and the Internet lacks e-mail and Web site authentication, FDIC said.
Authentication factors generally are something the user:
- Knows: A password or personal identification number
- Has: A hardware token or a digital certificate
- Uniquely possesses: Biometric factors such as fingerprints.
Any of these can be combined for stronger two-factor authentication. Passwords are so well accepted that they are likely to be part of any two-factor scheme.
These schemes require some infrastructure on the back end and distribution of hardware or software to the end user.
Regardless of the scheme used, improved security and authentication are needed for the continued growth of online commerce and e-government, FDIC said.