Password Changes: Nuisance or Necessity?

When West Georgia National Bank in Carrollton began requiring its online banking customers this year to change their passwords every 45 days, some customers balked and closed their accounts.

“Customers told us, ‘It’s my personal information. I should be able to choose whether or not I want to do this,’ ” said Bill Barker, the bank’s vice president of systems and technology.

Nevertheless, the bank will continue to require the password changes to thwart fraudsters who have obtained account data by phishing. Regular changes reduce the time in which phishers can use a stolen password to gain access to an account.

“Even though we’ve drawn some negative responses from customers, it’s in their best interest to require this,” said L. Leighton Alston, the president and chief executive of West Georgia’s holding company, the $511 million-asset WGNB Corp. “We’re trying to do everything we humanly can to prevent intrusions, because there’s no greater asset to protect than the information in our computers.”

Banks that require customers to regularly change their password say the practice not only reduces the chance of fraud, but also gives customers an added sense of security.

Others, however, say the benefits are not worth a possible customer backlash against the inconvenience. Instead, some banks have implemented other measures that they say are more effective, such as multifactor authentication tools, or software to detect out-of-the-ordinary transactions.

According to the nonprofit Anti-Phishing Working Group, 14,135 phishing attacks, in which hackers use bogus e-mails or software to obtain personal information such as bank account passwords, were reported in July, compared with just 176 in January of last year.

JupiterResearch, a division of Jupitermedia Corp. of Darien, Conn., says fraudsters obtain personal information in about 4% of phishing attacks.

West Georgia requires frequent password changes because its regulator, the Office of the Comptroller of the Currency, recommends the practice — though it is not required. The Federal Deposit Insurance Corp. is accepting public comments to determine whether to issue similar guidance. Other regulators have not issued any formal guidance on the practice.

R. Kinney Williams, a bank information technology auditor in Lubbock, says regulators have gone too far in their zeal to recommend forced password changes as a best practice.

“The regulators definitely think banks ought to be training the customers, but what do you do when you have customers that don’t care?” Mr. Williams said. “If a customer wants to share his password with everyone in his world, I don’t know how the bank is going to stop him, unless they just go out and shoot the customer.”

Consumer advocates have mixed reactions to forced password changes. Gail Hillebrand, a senior attorney for Consumers Union in San Francisco, says it needs to be done, even though it is an inconvenience.

But Linda Foley, the executive director of the Identity Theft Resource Center in San Diego, said the practice could backfire.

“I think it opens the door for more problems,” Ms. Foley said. “People aren’t going to remember their new passwords, and they may write them on something that’s not protected at all, like their Palm Pilots.”

Banks should let customers choose whether to change their passwords periodically, Ms. Foley said.

M&T Bank, a unit of the $54 billion-asset M&T Bank Corp. in Buffalo, does just that. Customers who logged on to the online banking site on or after June 18 were required to replace their four-digit password with one that had at least eight characters, including upper- and lower-case letters. The customers were also given the option of changing their password every 30, 60, 90, 180, or 365 days, or not at all.

“Some customers were actually suggesting that we should require password changes,” said Robert Y.K. Leong, the M&T vice president of electronic banking. “We also know of many customers who would never want to change their password, so we wanted to accommodate as many customers as we could.”

Jan Southard, a senior vice president of information technology at the $1.2 billion-asset Sonoma National Bank in Santa Rosa, Calif., said it recommends to its online banking customers that they voluntarily change their passwords, but the bank does not force customers to do so, for fear it would create too much dissatisfaction.

Eric Hemmings, a bank IT auditor with Witt Mares PLC in Norfolk, said that even though forced changes could help reduce fraud, banks have to weigh any extra costs. “People forget passwords and call the bank to get them, so if 3 million customers call, that’s a lot of phone calls.”

Bank of America Corp. does not require regular password changes, but in June it began rolling out a verification system called SiteKey. Customers logging on to the Charlotte company’s online banking site after SiteKey is implemented in their market will first choose an image, write a brief phrase, and select and answer three questions about things like their first car, their favorite color, and the name of the street where they first lived.

In subsequent visits to the site, customers are presented their pre-selected image and phrase, to confirm the site is not a bogus one created by phishers. If a customer uses a computer other than the one used to select the questions, SiteKey will require the customer to answer them, to verify the password is not being used by a phisher.
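Added here as an illustration, not Bank of America's own code: a minimal model of the SiteKey enrollment and login flow as the article describes it (image and phrase shown before the password on a recognised computer; three challenge questions on an unrecognised one). The class and method names, the device-token mechanism and the salted PBKDF2 hashing are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

def _kdf(value, salt):
    # Salted PBKDF2: stored answers and passwords are not recoverable in the clear.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)

class SiteKeyService:
    def __init__(self):
        self.users = {}    # username -> enrollment record
        self.devices = {}  # device token -> username (the computer used to enroll)

    def enroll(self, username, password, image_id, phrase, questions):
        if len(questions) != 3:
            raise ValueError("enrollment needs exactly three (question, answer) pairs")
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw": _kdf(password, salt),
                                "image": image_id, "phrase": phrase,
                                "qa": [(q, _kdf(a.strip().lower(), salt)) for q, a in questions]}
        return self._remember_device(username)

    def _remember_device(self, username):
        token = secrets.token_hex(16)
        self.devices[token] = username
        return token

    def start_login(self, username, device_token):
        # Step 1: the customer has typed only a username, no password yet.
        user = self.users[username]
        if self.devices.get(device_token) == username:
            # Known computer: show image and phrase so the customer can verify the site first.
            return {"status": "show_sitekey", "image": user["image"], "phrase": user["phrase"]}
        # Unknown computer: a stolen password alone is not enough; ask the questions.
        return {"status": "challenge", "questions": [q for q, _ in user["qa"]]}

    def answer_challenge(self, username, answers):
        # All three answers must match before the SiteKey is shown and the device remembered.
        user = self.users[username]
        if len(answers) != 3 or not all(hmac.compare_digest(_kdf(a.strip().lower(), user["salt"]), h)
                                        for a, (_, h) in zip(answers, user["qa"])):
            return None
        return {"device_token": self._remember_device(username),
                "image": user["image"], "phrase": user["phrase"]}

    def finish_login(self, username, password):
        # Step 2: the password is checked only after the customer recognised the SiteKey.
        user = self.users[username]
        return hmac.compare_digest(_kdf(password, user["salt"]), user["pw"])
```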

Asaf Buchner, a research director in Jupiter’s New York office, says forced password changes and multifactor authentication systems like SiteKey help reduce fraud, but they do not stop it altogether. Phishers can still dip into an account if they have installed a program called a Trojan horse on the customer’s computer, he said.

“A Trojan horse allows the fraudster to watch over everything you do on your computer, so the fraudster can now piggyback onto your online banking session” and transfer money out of the account while the customer is logged on to the site, he said.

Banks should look into new software that alerts them when there have been out-of-the-ordinary transactions in an account, so the customer can be contacted to verify the legitimacy of the transactions, Mr. Buchner said.

Cyota Inc. in New York and Fair Isaac Corp. in Minneapolis have started offering such software. Naftali Bennett, Cyota’s CEO, said the threat of the more sophisticated Trojan horses is just emerging, but he predicts that the programs will become just as popular as phishing, if not more.

Mr. Buchner said a bank should employ as many defenses as it can to minimize fraud, as well as to assure customers that it is doing everything it can to secure their personal information.

In the end, though, banks need not worry that customers will abandon online banking, he said. “There’s still more fraud taking place offline than online. People have been robbing banks since the beginning of time, and people are still putting their money there.”
