Observers say that most banks met the Federal Financial Institutions Examination Council's requirement that customers use more than just a username and password for access to online banking.
Since bankers were not required to have stronger authentication in place at the start of the year — they only had to demonstrate progress toward the goal — it could be hard to pinpoint when the true impact of the requirement began. TowerGroup Inc., a Needham, Mass., independent research firm owned by MasterCard Inc., found that by October, 80% of U.S. banks had met the requirement for online banking, and another 15% were very close to meeting it.
Wachovia Corp. put its antifraud system last year and found that this year fraud dropped 9% in the online channel, though the number of phishing attacks against Wachovia rose 255% from last year. One reason for that increase is that fraudsters have to make more attempts if they hope to break through the defenses, the Charlotte company said.
Wachovia's approach is not fully visible to the end user. Rather than asking for one-time passwords or making other changes in the login procedure, it monitors the user's behavior, picking up on details such as the Internet protocol address to see whether the person trying to log in is the actual customer.
"That's worked very well for us," said David H. Stone, Wachovia's senior vice president for online customer experience. "We've seen that we are stopping a lot of fraud from occurring for our customers, a lot more than we previously had."
Though Wachovia's method is not intrusive, its customers are aware of the extra steps it has taken, he said. "Our customers seem to be pleased with the additional security that we've done."
The company further strengthened its online security system in the third quarter by adding challenge questions for certain transactions, such as moving money to an account at another bank. It uses "out-of-wallet challenge questions," such as previous addresses.
The Charlotte company plans to continue to fortify its security, because fraudsters have not been deterred, Mr. Stone said.
"That traffic has not seemed to have slowed at all due to the FFIEC guidelines," he said. "I don't think the volume" of online fraud attempts has slowed. "I think we've gotten better at fighting and preventing it."
George Tubin, the senior analyst at TowerGroup who tracked the rate of compliance with the FFIEC mandate, said that the effect has been noticeable.
Preliminary results show "fraud has decreased by 30% to 40% in the online channel in the U.S. from 2006 to 2007 specifically due to implementing the FFIEC-required authentication," he said. That estimate is based on anecdotal observations, he said, because many bankers are reluctant to share their fraud rates. (Many banking companies contacted by American Banker would not comment for this story).
Wachovia said part of the reason its fraud rate dropped by a lower percentage than Mr. Tubin's nationwide estimate is that it beefed up its security far in advance of the FFIEC's deadline, so it was already observing a drop in online fraud last year.
"The fraud numbers have gone down," Mr. Tubin said. "Not that they were runaway before, but they have gone down."
