Banks prove themselves to customers--and vice versa.

PHISHING ATTACKS--where hackers use look-alike sites to trick consumers into sharing confidential information--cost Americans nearly $3 billion last year by one estimate, despite efforts by financial institutions to educate consumers about the risks. Those companies are now trying to put technology into the hands--or computers--of their customers in an attempt to mitigate the losses.

Zions Bank, with more than 130 branches across Utah and Idaho, decided that dual-factor authentication would allay consumer fears of someone else accessing their accounts while mitigating the risk of an unauthorized user tapping into someone's account after stealing their credentials. Dual-factor authentication combines something you know--your username and password--with something you have. In the case of Zions, it's actually something users and the bank have on their computer.

Lee Carter, president of online banking with Zions, says that their system (which they call SecureEntry) authenticates the bank to the user and the user to the bank. In the first case, when a user enrolls in SecureEntry, he or she chooses a photo icon from the site and a passphrase. "The purpose is that the next time they come back and log in, we will present that photo and passphrase to them so they can rest assured that they're at the right location" and not some fake site, Carter says.

Also during enrollment, the bank drops a cookie onto the user's computer and collects some basic forensics such as IP address (Carter declined to specify all the forensics being collected). When the same computer is used again to access the online bank account, the cookie and other forensics show that it's already been enrolled. In conjunction with the proper username and password, the bank can be reasonably sure that it's the real account holder and not somebody who simply stole those login credentials. If a different computer is used to access the account, that machine also must be enrolled unless it's a public machine such as in an airport kiosk; in the latter case, it can remain unregistered, but the bank will present a series of challenge questions before it grants access, and the user is locked out after three mistaken answers. "It's a strong authentication routine," Carter says. "It gets to the heart of a lot of automated attempts that we see pounding away at our login box trying to guess usernames and passwords. Now they may guess a username but they won't have been on that machine, so they won't successfully get through challenge or password questions."

SecureEntry is built on a solution from PassMark, which was acquired last year by RSA, the Security Division of EMC. Carter's biggest concern was that customers would find the solution hard to use and would flood the call center with questions. That hasn't happened, he says. Instead, only about two percent of enrolling customers called with a problem; in most cases, the problem was that the customer had forgotten the answers to the challenge questions immediately after enrolling.

Other banks are exploring the practicality of providing customers with USB flash drives that will hold information that serves as the second half--the "what you have" portion--of dual-factor authentication; that way, users won't need to enroll any particular machine. Asheem Chandna, a partner with venture-capital firm Greylock Partners, says that while use of this token-based technology will likely grow in importance in the future because it helps consumers to lock attackers out of their accounts, it has drawbacks. "The moment you talk about a USB token or separate token for security, it's yet another piece of technology that needs to be inserted into somebody's hands, and that has cost, complexity, and rollout associated with it."

He says the type of solution Zions is using is more likely to be used by financial institutions, at least in the near term, because it requires little from users and helps them recognize a fake banking site. Carter says that the open architecture in the PassMark solution means that he can choose to provide some customers--say, those doing high-value wire transfers--with a token in the future, adding security to high-value transactions.
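The SecureEntry flow the article describes (enrollment cookie plus IP forensics, the chosen photo and passphrase shown to the user before the password is typed, challenge questions for an unrecognized machine, lockout after three wrong answers, and a kiosk that is verified but never enrolled), as an added model in Python that is not Zions' or PassMark's code; the class and method names, the cookie-plus-IP fingerprint, and the sample data are assumptions for illustration.

```python
import hashlib, secrets
MAX_CHALLENGE_FAILURES = 3  # the article: locked out after three wrong answers

def _fingerprint(cookie, client_ip):  # assumed forensics: cookie plus client IP
    return hashlib.sha256(f"{cookie}|{client_ip}".encode()).hexdigest()

class SecureEntryModel:
    def __init__(self):
        self.users = {}

    def enroll(self, username, password, photo, passphrase, challenges, client_ip):
        """Store the chosen photo/passphrase and drop a cookie marking this machine."""
        cookie = secrets.token_hex(16)
        self.users[username] = {
            "password": password,  # sample only; a real system stores a slow hash
            "photo": photo, "passphrase": passphrase, "challenges": dict(challenges),
            "devices": {_fingerprint(cookie, client_ip)}, "verified": set(),
            "failures": 0, "locked": False}
        return cookie

    def recognize(self, username, cookie, client_ip, answers=None, public=False):
        """Step 1, before the password: recognise the device or run the challenges;
        on success the bank proves itself by returning the photo and passphrase."""
        rec = self.users.get(username)
        if rec is None or rec["locked"]:
            return {"status": "denied"}
        fp = _fingerprint(cookie, client_ip)
        if fp not in rec["devices"]:
            if answers is None:
                return {"status": "challenge", "questions": sorted(rec["challenges"])}
            if any(answers.get(q) != a for q, a in rec["challenges"].items()):
                rec["failures"] += 1
                rec["locked"] = rec["failures"] >= MAX_CHALLENGE_FAILURES
                return {"status": "denied"}
            rec["failures"] = 0
            if not public:  # private machine: enroll it under a fresh cookie
                cookie = secrets.token_hex(16)
                fp = _fingerprint(cookie, client_ip)
                rec["devices"].add(fp)
        rec["verified"].add(fp)  # a kiosk is verified for this login, never enrolled
        return {"status": "ok", "photo": rec["photo"],
                "passphrase": rec["passphrase"], "cookie": cookie}

    def authenticate(self, username, password, cookie, client_ip):
        # Step 2: the password counts only on a device that passed step 1.
        rec, fp = self.users.get(username), _fingerprint(cookie, client_ip)
        if rec is None or rec["locked"] or fp not in rec["verified"]:
            return False
        rec["verified"].discard(fp)
        return secrets.compare_digest(password, rec["password"])
```

A stolen username and password alone fail on an unenrolled machine, which is the property Carter describes; the challenge answers are the only way in from a new device.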