Recent statistics show that not only do the problems of phishingand online fraud continue to mount, they are potentially taking adangerous new direction - an increased use of "malware" programsdesigned to steal logins and passwords. With these trends, it is nowonder that the Federal Financial Institutions Examination Council(FFIEC) struck back against online fraud in October. The Councilissued guidance aimed at eliminating reliance solely on singlefactor passwords for online banking. Financial institutions areexpected to achieve compliance with the guidance no later thanyear-end 2006. The risks to online transactions themselves areconstantly evolving. While phishing remains a serious threat,fraudsters are expanding the use of software programs broadlycalled "Trojans," after the famous Greek attack on the city ofTroy. Like the soldiers in the mythical gift horse, Trojan programsslip in quietly and unseen. The programs and their passwordstealing malicious code hide behind innocuous looking Web contentlike song lyrics, screensavers or cheat codes. While this contentis often designed to appeal to children and teens that may sharethe family PC, the Trojans programs themselves target credit union,bank and broker login information - IDs, passwords and other commonauthentication tools. The Anti-phishing Working Group recentlyreported a significant increase in such programs identified onpeoples' PCs, up more than two-fold since April alone. As furtherproof, antivirus software leader Symantec recently announced thatviruses designed to capture confidential information made up threequarters of the top 50 viruses, worms and Trojans during the firstsix months of 2005, up from 54% in the last six months of 2004. Thefinancial damages continue to mount as well. FBI data shows thenumber of Internet-related credit card crime reports rose 66% in2004 and the average reported loss associated with the online scamstripled to $2,400 from $800 in 2003. The FFIEC is now requiringfinancial institutions take specific actions to confront thisserious problem. The guidance document, "Authentication in anInternet Banking Environment" of October 12, 2005, describesenhanced authentication methods that regulators expect financialinstitutions to use when authenticating the identity of customersusing their online products and services. In a clear statement thatpasswords alone are no longer adequate protection, the guidancestates, "The agencies consider single-factor authentication, as theonly control mechanism, to be inadequate for high-risk transactionsinvolving access to customer information or the movement of fundsto other parties." Some have argued about what constitutes"high-risk transactions," but as the statistics above show,anything online is "high-risk." As a leading provider of onlineauthentication today, we have been talking directly with thearchitects of the FFIEC guidance and the examiners who will enforceit. They have made their intent clear. They consider any access tonon-public customer data as a high-risk element of online banking,just as defined by the Gramm Leach Bliley act. The guidance alsotells financial institutions what they expect them to do."Financial institutions offering Internet-based products andservices to their customers should use effective methods toauthenticate the identity of customers using those products andservices. . . . Account fraud and identity theft are frequently theresult of single-factor (e.g., ID/password) authenticationexploitation," it says. Any ambiguity as to the intent of thislanguage has been put to rest at recent industry conferences.Spokespersons representing the FFIEC and its agencies have beenstating explicitly that they expect broad deployment of two-factorauthentication backed up by additional layered security to protectboth the viewing of customer data and transactions by the year-end2006 deadline. The FFIEC also presented some criteria by which tojudge success, stating, "An effective authentication method shouldhave customer acceptance, reliable performance, scalability toaccommodate growth, and interoperability with existing systems andfuture plans." This makes it clear the examiners and its affiliatedagencies expect real action that both solves the problem and iswidely used by consumers. This makes scalability and ease of usevery important qualities of any successful strategy to improveonline security. While credit unions and banks may not be veryexcited about having to implement more security because of newregulations, there is a much more critical reason for stepping upto this problem - customer confidence. A new study published thismonth shows customers are losing confidence in the online channel,confidence that must be restored so it can continue to grow.Research conducted by independent research firm InfoSurv Inc. foundthat 18% of all respondents have decreased their use of onlinebanking or have stopped banking online completely in the past 12months due to concerns regarding the security of their onlineidentity. And customers appear to be ready to reward those who takeonline security seriously. According to new research from UnisysCorporation, 45% of consumers worldwide are willing to switch tofinancial institutions that offer more security protection. Basedon the personal experiences of our executives, at Intuit withQuicken and Turbo Tax and with PayPal, these surveys ring true.Time and again experience showed that engaging the customers withkeeping their data safe improves their confidence in your solutionand increases their loyalty to your product.

Complete your profile to continue reading and get FREE access to, part of your ALM digital membership.

  • Critical information including comprehensive product and service provider listings via the Marketplace Directory, CU Careers, resources from industry leaders, webcasts, and breaking news, analysis and more with our informative Newsletters.
  • Exclusive discounts on ALM and CU Times events.
  • Access to other award-winning ALM websites including and

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.