Appeals court orders dismissal of NSA domestic surveillance suit.

2007-07-06 Thread Perry E. Metzger

   WASHINGTON (CNN) -- A federal appeals court Friday ordered the
   dismissal of an ACLU lawsuit challenging President Bush's domestic
   surveillance program.

http://www.cnn.com/2007/POLITICS/07/06/court.domestic.spying/index.html

Hat tip: Steve Bellovin

-- 
Perry E. Metzger  [EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


"What Banks Tell Online Customers About Their Security"

2007-07-06 Thread Leichter, Jerry

From CIO magazine.  For the record, I, like the author, am a Bank of
America customer, but unlike her I've started using their on-line
services.  What got me to do it was descriptions of the increasing
vulnerability of traditional paper-based mechanisms:  If I pay a
credit card by mail, I leave in my mailbox an envelope with my
credit card account number, my address, a check with all the
banking information needed to transfer money - and probably a
bunch of other envelopes with similar information.  Yes, I could
carry it to a post box or even a post office, but the inconvenience
is getting pretty large at that point.  Meanwhile, the on-line
services have some unique security features of their own, like
the ability to send me an email notification when various conditions
are met, like large transactions.
-- Jerry


From: www.cio.com
What Banks Tell Online Customers About Their Security

- Sarah D. Scalet, CIO

May 29, 2007
By the end of 2006, U.S. banks were supposed to have implemented "strong
authentication" for online banking - in other words, they needed to put
something besides a user name and password in between any old Internet
user and all the money in a customer's banking account.

The most obvious way to meet the guidance, issued by the U.S. Federal
Financial Institutions Examination Council (FFIEC), would have been to
issue one-time password devices or set up another form of two-factor
authentication.  But last summer, when I did a preliminary evaluation of
security offerings at the country's largest banks, I was pretty
unimpressed. (See Two-Factor Too Scarce at Consumer Banks
http://www.cio.com/article/113750/.)

Since then, I've given up on getting a one-time-password device,
and have accepted the fact that banks are instead moving toward what
might diplomatically be called "creative" authentication.
(See Strong Authentication: Success Factors
http://www.csoonline.com/read/110106/fea_strong_auth.html.) Given that
man-in-the-middle attacks can circumvent two-factor authentication, a
combination of device authentication, additional security questions and
extra fraud controls doesn't seem like a bad approach.

But, I wondered, almost six months past the FFIEC deadline, what are
banks telling customers about online security?  As the chief financial
officer of Chateau Scalet - and as a working mother about to have baby
No. 2 - I wanted to know if any of them could offer me enough assurance
that I would take the online banking plunge as a way to simplify my
life. I decided it was time to update my research from last year.

I called the call centers at each of the top three banks, identified
myself as a customer with a checking and savings account, and told them
I was interested in online banking but concerned about security. The
point, yes, was to see what type of security each bank had in
place. More than that, however, I wanted to see how well each bank was
able to communicate about security through its call center. After all,
what good is good security if you can't explain it to your customers?
Here's what I learned.

Citibank

My first call was to Citibank. I started
with my standard question: "How can I be assured that my online banking
transactions are secure and private?"  The call center rep said that
Citibank uses 128-bit encryption, which "verifies that you have a
maximum level of security." End of answer. Pause. I asked what kinds of
protections Citibank had in place for making sure that it would really
be me logging onto my account. "I'm sorry," he said, "but I don't
understand your question."

We had a language barrier, he and I. The call-center rep, in India, was
not a native English speaker. The call went poorly, and I have no way of
knowing whether this was because of our communications barrier or simply
because Citibank hadn't instructed him how to answer questions about
security. I repeated my question a couple times, and he finally said,
"Let me look into that, ma'am." I waited on hold more than a minute, and
when he came back, he told me I could go online and read all about
online banking. "All the information is there, ma'am," he said politely.

I kept prodding. I asked if Citibank offered tokens or did device
recognition of some sort, and he told me I could log on with a user name
and password.

"At any computer where I punch in my user name and password, I'll have
full access to my account?" I asked.

"Yes, ma'am, anyplace you have Internet access," he answered. He finally
did say that in certain situations I would be asked extra security
questions, but he wouldn't or couldn't explain when that happened or
why. I asked if it was unusual for him to field calls about security,
and he said yes. I finally ended the call in frustration.

Chase

Next I called Chase. This time I got a woman in Michigan, who at least didn't
try to shunt me off onto the Internet - well, at least right away. But
she seemed to interpret my every quest

Re: How the Greek cellphone network was tapped.

2007-07-06 Thread Erik Tews
On Friday, 06.07.2007, 02:52 -0400, silvio wrote:
> > http://www.spectrum.ieee.org/print/5280
> 
> So what are the options these days (the article even mentions
> end-to-end
> encryption to make such an attack far more difficult)?
> Every "crypto-phone" offering seems to go stale and disappear after a
> while...perhaps related to the fact of being ridiculously expensive.
> Aren't run-of-the-mill cellphones these days powerful enough to use
> available software like OpenSSL to encrypt voice/datastreams?
> Again...what are the options for end-to-end cell encryption right now?

For example, I own a Nokia E70 smartphone running Symbian. There is an
application called Fring, which is basically Skype for Symbian and
runs on the E70. Fring offers VoIP calls over Skype with your mobile
phone. The data is sent over the cellular network (UMTS or so) or
wireless LAN, which is supported by some phones too.

I don't know how much encryption Fring does (and I don't want to
speculate here about how secure it is), but it shows that you can do VoIP on
ordinary high-end consumer hardware.

So writing an application which does basically the same as Fring and
uses extra cryptography should be possible. I have written some Java
code for the E70, and I know that it can do AES, RSA and DH in a
reasonable time, even if all computations are done in Java.

But this is all just about end-to-end encryption; you could still try to
backdoor the phone's firmware, or bug the phone itself (in hardware).
Additionally, you need some kind of public key infrastructure if you
want to call arbitrary people securely.



Re: How the Greek cellphone network was tapped.

2007-07-06 Thread silvio
Perry E. Metzger wrote:

> A fascinating IEEE Spectrum article on the incident in which lawful
> intercept facilities were hacked to permit the secret tapping of
> the mobile phones of a large number of Greek government officials,
> including the Prime Minister:
> 
> http://www.spectrum.ieee.org/print/5280

So what are the options these days (the article even mentions end-to-end
encryption to make such an attack far more difficult)?
Every "crypto-phone" offering seems to go stale and disappear after a
while...perhaps related to the fact of being ridiculously expensive.
Aren't run-of-the-mill cellphones these days powerful enough to use
available software like OpenSSL to encrypt voice/datastreams?
Again...what are the options for end-to-end cell encryption right now?

Silvio



Re: How the Greek cellphone network was tapped.

2007-07-06 Thread Peter Gutmann
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:

>A fascinating IEEE Spectrum article on the incident in which lawful intercept
>facilities were hacked to permit the secret tapping of the mobile phones of a
>large number of Greek government officials, including the Prime Minister:

Some years ago I talked to an ex-GTE person about law enforcement requiring
intercept capabilities to be built into phone switches.  His comments about
their approach to security (which he was responsible for) were: "They were
absolutely clueless; they assumed you could put 'Police line do not cross'
tape on the intercept portions and everyone would dutifully keep out."  He'd
left by the time it was implemented, but since there was never any significant
budget allocated to securing the intercept capabilities, the impression I got
was that it only had whatever the developers could bolt on with the least cost
and effort.

Peter.
