Why It's Important: For financial institutions, providing online account access is necessary to meet consumers' expectations. Online account access also is the most cost-effective way to serve customers. However, online activity has become a major target for criminals, who steal consumer information to gain access to accounts and drain, transfer or otherwise manipulate funds. Businesses with an online presence not only may suffer financial losses from fraudulent activity, but also can experience severe reputational damage from mandated public disclosure of information breaches.
Where the Industry Is Now: News of compromised consumer data across the financial services industry seems to surface weekly. For instance, Scottrade recently disclosed that 140,000 customer records were exposed when one of its vendor networks was hacked, and ABN AMRO's Mortgage Group nearly lost 2 million records when a data tape shipped via DHL went missing but was later recovered. According to research from Mercator Advisory Group, other firms that disclosed data breaches in 2005 include CitiFinancial, Commerce Bancorp, PNC Financial Services Group and Ameritrade.
Further, 2005 saw an overwhelming increase in the direct targeting of consumers by criminals using phishing. The most recent data from Mercator indicates that between October 2004 and August 2005, the number of newly created phishing-related Web sites soared from about 1,000 to more than 5,000 monthly.
Focus in 2006: The Federal Financial Institutions Examination Council (FFIEC) has issued firm recommendations on implementing multifactor authentication technologies by the end of 2006, but stopped short of recommending a specific technology. There is no solution that will eliminate all threats against every business -- every firm offering online account access will need to assess its exposure and select a solution for its individual needs, with consideration of cost (to both the business and the individual user), convenience of online account access and ease of customer adoption.
Industry Leaders: Online brokerage E*Trade Financial currently offers password-generating tokens to all of its customers for a one-time $25 fee, or free to customers with more than $50,000 in E*Trade accounts. The tokens generate a new password for online account access every 60 seconds.
Banking giant Bank of America has implemented a service it calls SiteKey as a mandatory part of its online banking offering. The service relies on a user-selected picture and phrase, as well as three challenge questions, to authenticate the Web banking experience to both the user and the bank.
Technology Providers: The FFIEC recommendations have created a burgeoning technology market. Depending on the preferred method of multifactor authentication, a vast array of vendors is catering to the needs arising from the FFIEC recommendations. RSA Security is providing its SecurID tags to E*Trade Financial customers and is branding them with the broker's logo. Bank of America's SiteKey service is backed by technology from PassMark Security.
The Price Tag: The cost of implementing multifactor authentication largely depends on the technology and the size of the customer base. However, other factors will affect the bottom line, according to research firm Aite Group. Most solutions require support from software and services, there are rollout costs to consider, and the introduction of new technologies will lead to a notable increase in customer service call center volume.