funsec mailing list archives

As deadline nears, banks toughen Net protections


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 29 Dec 2006 08:47:43 -0500

http://www.boston.com/business/technology/articles/2006/12/29/as_deadline_nears_banks_toughen_net_protections?mode=PF

As deadline nears, banks toughen Net protections


By Hiawatha Bray, Globe Staff  |  December 29, 2006

People who do their online banking with Cambridge Savings Bank will find it
a little harder to log on in the New Year. But bank executives don't think
the customers will mind. It's for their own good -- and besides, it's the
law.

A federal regulation mandating tougher online financial security measures
will take effect Monday. Banks, credit unions, and other financial
institutions must begin using enhanced technologies to protect customer data
against identity theft. Many of the nation's biggest banks, including
Bank of America,
have already introduced "multi factor" authentication systems that go well
beyond the traditional user name and password approach to prevent Internet
fraud. Other smaller banks, which buy their online banking services from
independent contractors, are scrambling to meet the coming deadline.

Mark Tracy, senior vice president of back technology and operations at
Cambridge Savings, said his company has been testing its new authentication
system for the past two months, with help from customers who've agreed to
try it. "It's been pretty successful so far," said Tracy. "In January, we'll
be making it mandatory."

Cambridge Savings customers will receive a user name and password when they
sign up for the service. In addition, the first time a customer uses his
home or work computer to do some banking, the machine is given a unique
digital "fingerprint" associated with the customer's password. Whenever he
banks with that computer, the bank software checks his user name, password,
and computer fingerprint before processing the transaction.

If someone tries to log in from a machine that isn't fingerprinted, the bank
will send a confirmation message to the customer's e-mail address. A crook
who's stolen somebody's user name and password probably won't have access to
the victim's e-mail account, so he can't reply to the message, and won't be
allowed to log in.

Bank of America began using similar security technology last year. In
addition, the bank uses a system called SiteKey, marketed by
EMC Corp. of
Hopkinton. SiteKey shields users from "phishers" who steal passwords by
running phony websites that resemble those of legitimate banks. SiteKey
prevents this by letting the user select an image -- say, that of a
typewriter -- which appears on his screen whenever he logs into the real Bank
of America site. Phony websites are easy to spot because they don't display
the user's chosen image.

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
