FDIC says better authentication is needed to combat ID theft

FDIC says better authentication is needed to combat ID theft

The agency that insures U.S. bank deposits is concerned about the growth of identity theft and the ability of thieves to gain access to financial accounts.

Although reliable statistics are difficult to come by, a new study from the Federal Deposit Insurance Corp. concludes that 'account hijacking is now a small but growing problem for financial institutions and consumers, and that conducting financial transactions online may place consumers at more risk.'

Not all financial account hijacking is done electronically. Low-tech techniques such as Dumpster diving and shoulder surfing can compromise security. But the growth of online banking and electronic transfers is fueling the growth of identification theft through scams such as phishing.

'The increasing access to alternative electronic payment systems means an increasing number of access points to financial institution systems,' each a potential security breach, FDIC said.

The study said electronic banking has outgrown the single-factor password authentication most often used to protect accounts; FDIC recommended a shift to two-factor authentication. It also recommended that banks use scanning software to identify potential phishing or other attacks, and improve information sharing within the industry and with government.

FDIC will accept public comments on the report via e-mail through Feb. 11.

Phishing, a fraud in which victims are conned by phony e-mail and Web sites into divulging personal information, was a major focus of the study. FDIC itself has been the subject of at least six phishing attacks this year, the latest in September when victims received an e-mail purporting to be from the commission and directing them to a site where they were to update account information.

Phishing works because of inadequate user authentication by financial institutions and because the Internet lacks e-mail and Web site authentication.

The predominant scheme for e-mail authentication now is Sender ID, which uses a published record of valid IP addresses within an e-mail sender's domain. But this has not been accepted as an industry standard and is not yet in wide use.

Stronger user authentication is more immediately achievable, using a technology such as tokens, smart cards or biometrics in conjunction with passwords. Of these technologies, FDIC rated USB tokens as highly effective and the easiest to implement, because they work with most current computers. Smart cards and biometrics require additional readers.

Within biometric technologies, fingerprints received the highest rating from FDIC, as more effective than face, voice or keystroke recognition technology.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group