Banks Test ID Device for Online Security

R.A. Hettinga rah at shipwright.com
Sat Dec 25 16:59:48 PST 2004


Okay. So AOL and Banks are *selling* RSA keys???

Could someone explain this to me?

No. Really. I'm serious...

Cheers,
RAH
--------


<http://www.nytimes.com/2004/12/24/technology/24online.html?oref=login&pagewanted=print&position=>

The New York Times

December 24, 2004

Banks Test ID Device for Online Security
By JENNIFER A. KINGSON


For years, banks gave away toasters to people who opened checking accounts;
soon they may be distributing a more modern kind of appliance.

Responding to an increase in Internet fraud, some banks and brokerage firms
plan to begin issuing small devices that would help their customers prove
their identities when they log on to online banking, brokerage and
bill-payment programs.

E*Trade Financial intends to introduce such a product in the first few
months of 2005. And U.S. Bancorp says it will test a system, though it has
not given a timetable.

The devices, which are hand-held and small enough to attach to a keychain,
are expected to cost customers roughly $10. They display a six-digit number
that changes once a minute; people seeking access to their accounts would
type in that number as well as a user name and password. The devices are
freestanding; they do not plug into a computer.

Some banks, like Wachovia of Charlotte, N.C., and Commerce Bancshares of
Kansas City, Mo., already use these hardware tokens to identify employees
and corporate customers, and say they are evaluating the technology for
retail banking use. Others, like Fidelity Investments and Bank of America,
are researching the matter.

"Every single major bank is considering it," said James Van Dyke, principal
and founder of Javelin Strategy and Research of Pleasanton, Calif., which
advises financial services companies on payments and technology issues.

Although there are drawbacks in terms of cost and convenience - as well as
questions about what would happen if a customer lost the device or it were
stolen - there is growing pressure from bank regulators to add safeguards
of this type to online financial services. In a report last week, the
Federal Deposit Insurance Corporation, which insures bank deposits, said
that existing authentication systems were not secure enough and that an
extra layer of security should be added to the sign-in process.

"The financial services industry's current reliance on passwords for remote
access to banking applications offers an insufficient level of security,"
the F.D.I.C.'s report said. Two-factor authentication, which typically
includes a memorized password and a hardware security device, "has the
potential to eliminate, or significantly reduce, account hijacking," it
said.

To be sure, there are many ways to add the kind of security that the agency
is seeking, and any number of technology vendors eager to supply products.
The F.D.I.C. evaluated some possible alternatives, including smart cards,
which are plastic cards with embedded microprocessor chips; biometrics,
which identify people by their fingerprints, voice or physical
characteristics; and shared secrets, in which a customer is asked a
question that, in theory, only he or she could answer.

But the system that has so far taken root in the market is the one that
relies on number-changing hardware tokens, which have the shape and feel of
the plastic security devices that people click to unlock their cars.

Several large banks in Europe and Australia - including Credit Suisse, ABN
Amro and Rabobank - already issue these tokens to customers, sometimes
making them bear the cost of the device. In the United States in September,
America Online introduced a program, AOL Passcode, that lets subscribers
buy the keychain device for $9.95 and use it for authentication purposes,
at a subscriber fee of $1.95 to $4.95 a month, depending on the number of
screen names linked to it.

Proponents of these devices are aware that they present other problems.
Financial companies are concerned about making online banking less
convenient and about adding fees for the hardware token. Customers with
accounts at several institutions may wind up with an unwieldy number of
tokens or swamp call centers with questions about the new systems.

Several foreign banks have made the tokens mandatory for online customers.
E*Trade, which is expected to be the first United States financial
institution to introduce the program for retail customers, will make it
optional and charge for the device.

Joshua S. Levine, chief technology officer at E*Trade, said the technology
seemed to provide the "comfort that most people want." And "when you have
your money at stake," he said, "you really want to feel comfortable."

E*Trade has been testing its program for the last two months, giving the
devices free to 200 interested customers. So far, the tests have attracted
customers with high incomes who conduct many transactions and tend to be
knowledgeable about technology, Mr. Levine said. "Based on the feedback
these customers have been giving us," he added, "we feel it will be very
successful."

A hardware token is only one way to increase security. At E*Trade,
customers who want to conduct wire transfers must wait for a confirmation
number to be sent to their cellphones or personal digital assistants, then
enter that number to complete the transaction, Mr. Levine said.

People who sign up for the E*Trade hardware tokens and lose them will have
to call customer service to authenticate themselves, he said.

U.S. Bancorp plans to try out a system involving hardware tokens that will
be based on technology from VeriSign, the Internet security company. The
bank declined to add details.

The urgency surrounding the issue is linked to an increase in "phishing,"
the practice of sending fraudulent e-mail messages en masse to bait people
into disclosing sensitive information. Newer scams involve "malware," which
can install itself on a computer through e-mail or pop-up ads, detect when
someone starts to use an online banking program or make a credit card
payment, and then record the person's keystrokes and capture account
details. The victims do not even have to do something foolhardy like giving
away account numbers or passwords.

"We're just seeing new stuff out there all the time," said Dave Jevans,
chairman of the Anti-Phishing Working Group, a coalition of companies in
financial services and information technology. But he added: "I don't think
people need to be any more scared than going to an A.T.M. at nighttime.
They need to be cautious; don't do silly things."

People who run antivirus software on their home computers, who have
installed firewalls to guard against incursions, and who take other
security precautions need not worry so much about the proliferation of
online threats, security experts say. But they add that these people are
probably not in the majority.

Some bankers say they are leery about rushing to install new systems that
may not solve all the problems. Concerns over phishing have "provoked some
of the government agencies to come up with simple solutions to very complex
problems," said John Carlson, a former regulator with the Office of the
Comptroller of the Currency who is now a senior director at BITS, the
technology arm of the Financial Services Roundtable, a trade group.

"Consumer acceptance and ease of use are huge issues," he said.

At Wachovia, which offers both hardware tokens and digital certificates to
corporate customers, Joanne Young, the wholesale business manager for
e-commerce, says that the certificates are easier to use, although unlike
the tokens, they are not portable from one machine to another. When she
telecommutes, "I always have to find my hardware token on my computer at
home," Ms. Young said. "My kids are always moving it on my desk."

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
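The token mechanism the forwarded article describes (a six-digit number that changes once a minute, typed in alongside user name and password) is, in its open standardised form, the HOTP/TOTP construction of RFC 4226 and RFC 6238. What follows is an added example, not code from the article, E*Trade, AOL or RSA: RSA SecurID's algorithm in 2004 was proprietary, and the 60-second step, HMAC-SHA1, one-step clock-drift window and five-failure lockout here are assumptions chosen to match the article's description. The example shows both the token side and the bank's verification side, including the two checks a practitioner wants that the article does not discuss: rejecting a code that has already been accepted within its validity window, and limiting guesses, since a six-digit code has only a million possible values.

```python
"""Time-based one-time code of the kind the article describes.

Added illustration; not E*Trade's, AOL's or RSA's code. Uses the open
HOTP/TOTP construction (RFC 4226 / RFC 6238). The 60-second step, the
drift window and the lockout threshold are assumptions.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 60   # assumed: the article says the number changes once a minute
DIGITS = 6          # the article's six-digit display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 31 bits and reduces them mod 10**digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """What the keychain token displays: HOTP with the counter set to the
    current time step (RFC 6238)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step)


class TokenVerifier:
    """Bank-side check of a submitted code.

    - window: accept codes from +/- this many steps to tolerate clock drift
      between the token and the server (the device cannot be resynced online).
    - replay: a counter value is accepted at most once, so a code captured
      and resubmitted within the same minute is rejected.
    - lockout: with only 10**6 codes, unlimited guessing is a real risk.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 window: int = 1, max_failures: int = 5) -> None:
        self.secret = secret
        self.step = step
        self.window = window
        self.max_failures = max_failures
        self.last_counter = -1      # highest time-step already accepted
        self.failures = 0

    def is_locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if self.is_locked():
            return False
        if at is None:
            at = time.time()
        now = int(at) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now + delta
            if counter <= self.last_counter:
                continue                        # already used: replay
            # constant-time compare so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                self.failures = 0
                return True
        self.failures += 1
        return False


# Constructed demo secret (RFC 4226 test-vector seed), not a real token seed.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    shown = totp(DEMO_SECRET)                # the number on the keychain device
    bank = TokenVerifier(DEMO_SECRET)
    print("token shows:", shown)
    print("first use accepted:", bank.verify(shown))   # True
    print("replay accepted:", bank.verify(shown))      # False
```

Note what this does and does not buy. A stolen password alone no longer suffices, which defeats the mass-mailed phishing the article opens with when the phisher uses the credentials later. But a code typed into a live phishing page, or captured by the keystroke-logging malware the article mentions, remains valid for the rest of its minute, so an attacker who relays it in real time gets in; the replay check only stops a second use of the same code. That is the gap the out-of-band transaction confirmation E*Trade describes for wire transfers is meant to close, since it binds approval to the specific transaction rather than to the login.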
