After urging customers to make their computers safer, ING and other banks have decided to do the job for them.
"Most bank sites are secure," said Rudy Wolfs, the chief information officer for ING Bank FSB, but the consumer side "has more variables that are beyond the bank's control."
Those variables include the growing threat of spyware and keyloggers, which can monitor anything a computer user types.
Anti-virus and firewall software is easily available, but consumers may be unwilling to spend the money or unable to install it or update it properly.
ING, of Wilmington, Del., a unit of ING Group NV of Amsterdam, said Monday that under a new login procedure it will start using soon, it hopes to foil keyloggers by preventing its own customers from entering their PINs through a keyboard.
Instead, the ING Web site will display a number pad on the screen, and people will use their mouse to click on the numbers. ING's U.S. accounts are accessed through a three-stage process: customers must enter a customer number, enter a separate PIN number, and answer a security question.
Even if customers are confident their computers are secure, ING is not, Mr. Wolfs said.
"We're not allowing the numeric PIN to be keyed in," he said. "The key is to reduce the number of components" a criminal can exploit.
ING began notifying customers of the new system by e-mail on Friday. It did not say when the system will go into effect.
Citigroup Inc. is using a similar system in the United Kingdom. The Web site displays a full keyboard and asks people to click on letters to enter their passwords to log in.
Adrian Russell, who heads media relations for Citi's Europe, Middle East, and Africa businesses, said he did not know whether the company plans to add this feature in the United States.
"It is designed to make logon more secure generally than its predecessor keyboard log-in," Mr. Russell said by e-mail, "and in particular to help combat the threat from keyboard logging software."
Jacob Jegher, a senior analyst for the Boston market research firm Celent Communications LLC, said that "the vast majority of the American public may think they have taken the necessary steps" to keep their home computer secure, "but in fact they have not."
Even people who take all the right steps can fall victim to viruses created after their last anti-virus update, he said. "If you're down by just a day, you could be vulnerable."
And even when fully updated, "a large number of those softwares will actually not stop keystroke loggers," Mr. Jegher said.
Banks should keep reminding consumers about these dangers, he said, but they also have to "take matters into their own hands" as ING, Citi, and others have done.
Gloria Chance, the director of online service excellence at Wachovia Corp., said consumers must "become more educated, and that's tough."
The Charlotte banking company has polled its customers to find out what security measures they are willing to use and what they understand about security, Ms. Chance said.
"We have to make the assumption that not all home systems are equal," she said. "Not all customers will have the same security measures on their systems."
Education initiatives can only do so much, she said. They "won't necessarily influence customers to spend more money to upgrade" their security software.
Many people do not even recognize the threat posed by online fraud, Ms. Chance said. "You'd be surprised at the number of customers that may not be aware of phishing and other things that occur."
Wachovia has considered distributing firewall and anti-virus software to customers, she said, but "right now our stance is that we ask them to seek that out on their own."
Wachovia said in July that it was considering one-time passcode-generating tokens, which could protect systems infected with keylogger viruses. The tokens would provide users with passwords that expire once they are used to log on to a bank's Web site.
Other banks are already using tools that can protect customers whose systems may be harboring a keylogger. E-Trade Financial Corp. of New York offers customers one-time-password tokens from RSA Security Inc. of Bedford, Mass.
Ameritrade Holding Corp. uses software from WholeSecurity Inc. of Austin to quickly scan customers' computers for active viruses when they access its systems, though this approach will not spot viruses that are not running when the user logs in.
Arcot Systems Inc. of Sunnyvale, Calif., has developed its own security software that is similar to ING's, though it has no bank customers using it now. Doc Vaidhyanathan, Arcot's vice president of product marketing, said software that disables keyboards can be vulnerable because "just like capturing the keystrokes, somebody could capture mouse-clicks."
Arcot's software moves the digits around; a criminal might be able to monitor where someone is clicking but would not be able to link those locations to the numbers on a PIN-pad displayed on the screen, Mr. Vaidhyanathan said.
For example, he said, "it's not clear where the number 6 will be. It's scrambled each time."
