The FDIC has published an update on precautions its insured banks should be taking to fight Internet fraud.
According to FDIC, user names and passwords should be supported in Internet banking transactions with new and better ways of identifying real customers from fraud artists trying to "highjack" bank accounts, the FDIC update said.
The new findings supplement an FDIC study issued in December, 2004 about ways to fight "phishing" scams, in which criminals send fraudulent e-mails to trick consumers into providing confidential financial information that can lead to illegal access to bank accounts.The supplement reviews and responds to public comments that the FDIC received about the original study, identifies the most recent trends in identity theft, and discusses a variety of new technologies that could be used to make Internet banking more secure.
The FDIC said it has concluded that the risk assessment financial institutions are required to perform regarding information security also should address customer authentication. The supplement also said that if an institution offers Internet banking, it has an obligation to properly secure that delivery channel. This extra level of security for online accounts, often referred to as "multifactor authentication," would be used in addition to traditional passwords. These new security features may include "tokens" issued to customers that generate new passwords every 60 seconds, software that can identify the computer that a customer uses to access online accounts, or contacting a customer by phone to make sure that he or she is the one attempting to access the account.
The FDIC and other federal banking agencies are expected to issue guidance this fall to insured financial institutions about improving the security of customer authentication methods. The latest FDIC findings are expected to be considered in the development of that guidance.
"The FDIC does not intend to propose one solution for all, but the evidence...indicates that more can and should be done to protect the security and confidentiality of sensitive customer information in order to prevent account hijacking," the supplement said. It added that consumers are concerned about online security and may be receptive to using a new form of authentication "if they perceive it as offering improved safety and convenience."
