Get the LinuxSecurity news you want faster with RSS
Powered By
Banks test ID device for online security
Source: news.com - Posted by Vincenzo Ciaglia
For years, banks gave away toasters to people who opened checking accounts; soon they may be distributing a more modern kind of appliance. Responding to an increase in Internet fraud, some banks and brokerage firms plan to begin issuing small devices that would help their customers prove their identities when they log on to online banking, brokerage and bill-payment programs. E*Trade Financial intends to introduce such a product in the first few months of 2005. And U.S. Bancorp says it will test a system, though it has not given a timetable.
The devices, which are handheld and small enough to attach to a keychain, are expected to cost customers roughly $10. They display a six-digit number that changes once a minute; people seeking access to their accounts would type in that number as well as a user name and password. The devices are freestanding; they do not plug into a computer.
Some banks, like Wachovia of Charlotte, N.C., and Commerce Bancshares of Kansas City, Mo., already use these hardware tokens to identify employees and corporate customers, and say they are evaluating the technology for retail banking use. Others, like Fidelity Investments and Bank of America, are researching the matter.
"Every single major bank is considering it," said James Van Dyke, principal and founder of Javelin Strategy and Research of Pleasanton, Calif., which advises financial services companies on payments and technology issues.
Although there are drawbacks in terms of cost and convenience--as well as questions about what would happen if a customer lost the device or it were stolen--there is growing pressure from bank regulators to add safeguards of this type to online financial services. In a report last week, the Federal Deposit Insurance Corporation, which insures bank deposits, said that existing authentication systems were not secure enough and that an extra layer of security should be added to the sign-in process.
