Bank of America Corp., which is facing a lawsuit over its online security, plans to introduce stronger authentication for its employees and for corporate customers.
B of A plans to use Unified Authentication software and services from VeriSign Inc. of Mountain View, Calif. Rhonda MacLean, B of A's corporate information security executive, said Thursday that it plans to have the system in place for internal systems this summer and for corporate customers in the late fall or early winter.
By signing the deal with VeriSign last week, the Charlotte company is "raising the bar, so that people do have a sense of confidence using online services," Ms. MacLean said.
The VeriSign system offers something that, according to analysts, very few U.S. banking companies offer customers today: two-factor authentication. The term refers to a system that couples a standard password with additional technology, such as a physical device that plugs into a computer port or a computerized unit that generates ever-changing log-in numbers on a digital display.
Analysts said B of A's plan to install the system could be a harbinger of a broader movement in the industry.
"Other banks will definitely follow this example," said Sophie Louvel, an analyst at Financial Insights Inc., a Framingham, Mass., research unit of International Data Group Inc. "There's no question."
Regulators have been urging the industry to tighten online security. The Federal Deposit Insurance Corp. said in December that banks should consider upgrading password-based systems and using more sophisticated software to detect suspicious account activity. The agency asked for comments on its effort to slow "account hijacking."
Other companies, in financial services and other industries, are also beefing up security.
E-Trade Financial Corp. of New York is testing a password-generating token device but has not offered it to customers outside the test group. Stanford Federal Credit Union of Palo Alto, Calif., uses PassMark Security LLC's system, which puts identifying files on an online banking customer's computer, so that a certain customer must access the site from certain computers. America Online Inc. of Dulles, Va., sells password-generating tokens to its customers, who must then pay a subscription fee for the added security.
B of A certainly had reason to consider strengthening its online security. On Feb. 3, Ahlo Inc. sued B of A over the unauthorized transfer of more than $90,000 from the corporate account of Joe Lopez, Ahlo's owner, to Parex Bank in Riga, Latvia.
Ms. MacLean said she could not comment on the suit, but a B of A spokeswoman said the suit did not prompt the VeriSign deal.
However, analysts say the deal addresses a problem at the heart of the suit.
"The thief definitely stole the user's credentials with this malware, the Coreflood virus," said Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc. The virus, a keystroke logger, can collect any typed information, including online banking passwords.
If a second factor of authentication, such as a password-generating token device or a smart card, were in place, "the situation would have been prevented altogether, because the thief wouldn't have stolen the token," Ms. Litan said.
"This could happen to any bank," she said.
In an e-mail, B of A said that in Mr. Lopez's case, "all of the account and personal information required to complete the transaction was provided, and all appropriate security steps took place."
