While often taken for granted, username/password procedures are one of the most fertile areas for improving perceived and actual security.
In general, we are underwhelmed with the U.S. banking industry’s approach to password protection. With so much on the line, both in consumer perception and in actual monetary losses, most financial institutions need more rigorous password protection, especially for new-user authentication, password resets, and large bill-pay requests. See the results of our tests at 14 financial institutions.
Part of the challenge is educating users about effective password strategies. You don’t want the same username/password combination used at the bank and at www.Sk8ter.com. But you can’t rely on education alone. Help users protect themselves with appropriate password requirements and fraud-monitoring tools. See the tables below for more ideas.
Banks also need to keep up with the tricks of each new browser release. Of the 14 financial institutions we tested, 5 neglected to disable Internet Explorer 6’s AutoComplete function on login forms, a moderate security flaw. AutoComplete lets the browser remember usernames and/or passwords for each site [1]; the fix is the autocomplete="off" attribute on the login form or its fields, which Internet Explorer 5 and later honor. Offering this choice is like giving customers the option of inscribing their PIN on their ATM card.
Security Flaw: Charter One failed to disable Internet Explorer’s AutoComplete function on its login page.
[1] Note: Internet Explorer on your office PC may have been pre-configured with AutoComplete disabled for all forms, so you may have to use Internet Options to enable AutoComplete before testing your forms.
Table 1
Username/Password Vulnerabilities

| Scam | Defenses* |
|---|---|
| Fake email requesting user to login to their bank account | A, E, I |
| Professional identity theft (knows SSN, date of birth, address) | A, E, I |
| Non-professional identity theft (knows only what’s listed in phone book, Web, and/or paper check) | A, E, I |
| Insider identity theft (e.g., family member) | A, B, I |
| Unauthorized use of user’s machine (local or remote access) | A, B, E, I |
| Fraudulent password reset request | A, C, D, E, I |
| Trojan horse on user machine capturing keystrokes | A, E, F, I |
| Guessing by someone with knowledge of the user’s p/w from another Web site | A, D, G, H, I, J |
| Random guessing | A, E, G, H, I, J |

Source: Online Banking Report, 4/03. *See defenses in Table 2 below.
Table 2
Security Defenses
A. Require additional password or static challenge question to move money out of the account
B. Disable IE AutoComplete
C. Send new password via email or snail mail
D. Require ATM card number and PIN for reset
E. Geolocation screening (only works if thief is in a different geographic area than victim)
F. Rotating challenge questions to move money out of the bank
G. Require unusual characters to be used in username or password
H. Require the username or password contain bank-specific info or social security number; have bank assign username and/or password
I. Manually authorize all new bill pay merchants with a minimum 48-hour wait period for first payment; for new ACH accounts, require proof of ownership by sending two debits to the account, then having user report back with the amount of the debits
J. Lockout after 10 unsuccessful login attempts
Source: Online Banking Report, 3/03
Table 3
Making Passwords/Usernames Harder to Crack
- Require at least one number and one alpha
- Require a special character such as # or !
- Require a number between the alphas
- Use social security number as username*
- Do not allow passwords to match or be a subset of usernames or other personal info such as soc number, date of birth, name, etc.
- Recommend that passwords be unique and not used at other Web sites, especially less secure non-banking sites
- Require passwords to be changed periodically
- Do not allow one-step password resets either online or over the phone; insist that the new password be sent via email or snail mail (no exceptions!)
- To foil a thief with physical or remote access to the user’s machine and/or email, disguise the new password sent via email when resetting, e.g., “your temporary password is the last four digits of your SSN plus two letters of your mother’s maiden name”
Source: Online Banking Report, 3/03
*May be discouraged or not allowed by regulators
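The rules in Table 3 are easy to state and easy to get subtly wrong, so here is an added example (not code from Online Banking Report or any bank) that enforces them as a checker a bank’s enrollment or password-change form could call. The Profile fields, the four-character fragment length used to catch personal data embedded inside a password, and the 90-day rotation interval are assumptions; the sample account is constructed.

```python
"""Password checks implementing the Table 3 rules above.

Added example, not code from Online Banking Report or any bank; the Profile
fields, the fragment length, and the 90-day rotation interval are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Set


@dataclass
class Profile:
    """Data the bank already holds on the user; none of it may appear in the password."""
    username: str
    ssn: str          # digits only
    dob: str          # YYYYMMDD
    first_name: str
    last_name: str


def personal_fragments(p: Profile, min_len: int = 4) -> Set[str]:
    """Every substring of at least min_len characters of the user's personal data.

    Matching fragments rather than whole values catches passwords such as
    "Smith#9" or "a1970!b" (surname, birth year) that a whole-value comparison
    would pass.
    """
    seeds = {p.username, p.ssn, p.dob, p.first_name, p.last_name,
             p.dob[:4], p.dob[4:], p.ssn[-4:]}
    frags: Set[str] = set()
    for s in seeds:
        s = s.lower()
        for i in range(len(s)):
            for j in range(i + min_len, len(s) + 1):
                frags.add(s[i:j])
    return frags


def check_password(password: str, profile: Profile) -> List[str]:
    """Return the Table 3 rules the candidate password breaks; an empty list means accepted."""
    problems: List[str] = []
    if not (re.search(r"\d", password) and re.search(r"[A-Za-z]", password)):
        problems.append("needs at least one number and one letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character such as # or !")
    if not re.search(r"[A-Za-z].*\d.*[A-Za-z]", password):
        problems.append("needs a number between letters, not only at the start or end")
    low = password.lower()
    whole = [v.lower() for v in (profile.username, profile.ssn, profile.dob,
                                 profile.first_name, profile.last_name)]
    if any(low == v or low in v for v in whole):
        # the password is, or is a piece of, the username or a personal value
        problems.append("password matches or is a subset of username/personal data")
    elif any(frag in low for frag in personal_fragments(profile)):
        problems.append("password contains username/personal data")
    return problems


def password_expired(last_changed_iso: str, today_iso: str, max_age_days: int = 90) -> bool:
    """Table 3's periodic-change rule; the 90-day interval is an assumed policy value."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample account, not real data.
    acct = Profile("jsmith", "123456789", "19700415", "John", "Smith")
    for candidate in ("Tr4vel#Bug", "Smith9#", "04151970", "jsm", "a1970!b"):
        print(candidate, "->", check_password(candidate, acct) or "accepted")
```

The checker reports every broken rule rather than stopping at the first, which is what the user needs to see on the form; the personal-data test runs last because a password such as "jsm" already fails the composition rules and the subset rule together.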
Extra protection for bill payments and electronic transfers out

Although the online banking industry has been lucky to have had relatively few online thefts, it’s only a matter of time before every financial institution experiences online banking fraud, probably a lot of it. Just this month, PayPal was again hit with a large-scale email fraud, the same type of attack experienced by Bank of America last year. No word on monetary losses, but unless the hackers were just showing off, they likely scored thousands of dollars. See the back page for more information.
To protect yourself, and make users feel more comfortable, we recommend an additional password or challenge question(s) to move money outside the bank via bill payments, money orders, foreign exchange, wire transfers, and ACH transfers. To improve ease of use, dollar thresholds could be established, even controlled by users, so that the additional password is required only above a certain amount (e.g., $500 in a 24-hour period).
Another way to defeat fraudulent bill payments and transfers is to use authorization algorithms similar to credit cards. Unusual transactions would be challenged online or held pending authorization from the account holder. Following is a simple two-dimensional matrix to illustrate the concept:
Table 4
Bill Pay Transaction Authorization
Extra authentication for various transaction amounts. Columns give the increase of the requested amount over the user’s last 12-month moving average.

| $ Requested | 0 to 25% | 25 to 49% | 50 to 99% | >100% |
|---|---|---|---|---|
| $500 | none | none | none | extra p/w |
| $1,000 | none | none | extra p/w | extra p/w |
| $2,500 | none | extra p/w | extra p/w | extra p/w & challenge |
| $5,000 | extra p/w | extra p/w | extra p/w & challenge | extra p/w & challenge |
| $10,000 | extra p/w | extra p/w | extra p/w & challenge | extra p/w, challenge, & confirm |

Source: Online Banking Report, 3/03

| Legend | Description |
|---|---|
| none | no extra password required |
| extra p/w | requires extra monetary password or easy challenge question (SSN, birthdates, account number, etc.) |
| challenge | requires correct answer to a secret challenge question (information not readily obtainable by a crook) |
| confirm | payment held until it can be confirmed with the user off-line |
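The matrix above only becomes an authorization engine once it is tied to the user’s own payment history, so the following added example (not code from Online Banking Report or any bank) computes the 12-month moving average from a history, picks the Table 4 cell, and then applies the user-controlled 24-hour threshold suggested earlier in the text, letting the stricter of the two rules win. Assumptions: a 25% increase falls in the 25 to 49% column, requests above $10,000 use the $10,000 row, the "12-month" window is 365 days, a user with no history is treated as an unbounded increase, and the payment history is constructed.

```python
"""Risk-based bill-pay authorization implementing the Table 4 matrix above and
the user-set 24-hour threshold suggested in the text.

Added example, not code from Online Banking Report or any bank.  Assumptions:
the band edges (a 25% increase falls in the 25-49% column, a request above
$10,000 uses the $10,000 row), a 365-day window for the "12-month" average,
and the constructed payment history below.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

NONE = "none"
EXTRA_PW = "extra p/w"
CHALLENGE = "extra p/w & challenge"
CONFIRM = "extra p/w, challenge, & confirm"
STRICTNESS = [NONE, EXTRA_PW, CHALLENGE, CONFIRM]   # weakest to strongest

# Table 4: (row ceiling, tiers for the 0-25%, 25-49%, 50-99%, >100% columns)
MATRIX = [
    (500,    (NONE,     NONE,     NONE,      EXTRA_PW)),
    (1_000,  (NONE,     NONE,     EXTRA_PW,  EXTRA_PW)),
    (2_500,  (NONE,     EXTRA_PW, EXTRA_PW,  CHALLENGE)),
    (5_000,  (EXTRA_PW, EXTRA_PW, CHALLENGE, CHALLENGE)),
    (10_000, (EXTRA_PW, EXTRA_PW, CHALLENGE, CONFIRM)),
]

Payment = Tuple[datetime, float]   # (when submitted, amount)


def moving_average(history: List[Payment], now: datetime) -> float:
    """Mean payment over the trailing 12 months (365 days); 0.0 with no history."""
    cutoff = now - timedelta(days=365)
    recent = [amt for ts, amt in history if cutoff <= ts < now]
    return sum(recent) / len(recent) if recent else 0.0


def increase_column(amount: float, average: float) -> int:
    """Column index for the requested amount's increase over the moving average.

    A user with no history has no baseline, so every request is treated as an
    unbounded increase (the strictest column) until a pattern exists.
    """
    if average <= 0:
        return 3
    pct = (amount - average) / average * 100
    if pct < 25:
        return 0
    if pct < 50:
        return 1
    if pct < 100:
        return 2
    return 3


def amount_row(amount: float) -> int:
    """Row index: the first row whose ceiling the amount does not exceed."""
    for i, (ceiling, _) in enumerate(MATRIX):
        if amount <= ceiling:
            return i
    return len(MATRIX) - 1


def required_authentication(amount: float, history: List[Payment], now: datetime,
                            daily_threshold: float = 500.0) -> str:
    """Step-up tier for one outbound payment request.

    Two rules apply and the stricter wins: the Table 4 matrix, and the text's
    suggestion that money leaving the bank above a (user-adjustable) threshold
    in any 24-hour period always requires the extra monetary password.
    """
    column = increase_column(amount, moving_average(history, now))
    tier = MATRIX[amount_row(amount)][1][column]
    outbound_24h = sum(amt for ts, amt in history if now - timedelta(hours=24) <= ts < now)
    if outbound_24h + amount > daily_threshold and STRICTNESS.index(tier) < STRICTNESS.index(EXTRA_PW):
        tier = EXTRA_PW
    return tier


# Constructed history: one $400 utility payment on the first of each month.
SAMPLE_HISTORY: List[Payment] = (
    [(datetime(2002, m, 1, 9, 0), 400.0) for m in range(4, 13)]
    + [(datetime(2003, m, 1, 9, 0), 400.0) for m in range(1, 4)]
)
# Same history plus a $300 payment one hour before the request (constructed).
SAME_DAY_HISTORY: List[Payment] = SAMPLE_HISTORY + [(datetime(2003, 4, 1, 11, 0), 300.0)]
NOW = datetime(2003, 4, 1, 12, 0)

if __name__ == "__main__":
    for amt in (450, 900, 4_000, 20_000):
        print(f"${amt:>7,} -> {required_authentication(amt, SAMPLE_HISTORY, NOW)}")
    print("second $300 today ->", required_authentication(300, SAME_DAY_HISTORY, NOW))
    print("brand-new user, $100 ->", required_authentication(100, [], NOW))
```

Two design points worth noting: the 24-hour rule sums what has already left the account today, so a thief cannot stay under the threshold by splitting a payment; and a new user with no history lands in the strictest column, which matches the text’s view that new accounts are the biggest authentication exposure.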
Defunct CompuBank (purchased by NetBank in 2001) was the first bank we’d seen with an additional password (dubbed Fed Wire PIN) in front of outbound monetary transfers including ACH, wire, and bill payment. Recently, we noticed Hibernia has adopted a similar process (screenshot below).
Even from within its password-protected Web banking area, Hibernia requires a “transaction password” to move money out of the bank.
Table 5
Beyond the Password
Additional authentication techniques for high value transactions, account changes, new payees, etc.
- Extra password
- Secret “challenge” question
- Email/VRU confirmation
- IP check: Additional authentication required if access attempted from out-of-area or unknown IP address
- Previous access check: Additional authentication required if access attempted from a new machine (cookies track known locations)
- Delayed access to online bill pay: New users must wait several days for access to online bill pay; during that time a letter would be sent to the customer confirming the request (Charter One uses this approach)
Source: Online Banking Report, 3/03
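Three of the defenses listed in Tables 2 and 5 act at login time rather than at payment time: lockout after 10 unsuccessful attempts (defense J), the IP/geolocation check (defense E), and the previous-access check that recognizes a machine by a cookie. The following added example (not code from Online Banking Report or any bank) combines them into one decision per login attempt. The geolocation table is constructed and keyed by /24 prefix in place of a real lookup service; the cookie scheme (a random token whose hash is stored server-side) and the LoginGuard API are assumptions.

```python
"""Login-time checks from Tables 2 and 5 above: lockout after 10 unsuccessful
attempts (defense J), an IP-geolocation check (defense E / "IP check"), and a
known-device cookie check ("previous access check").  A correct password from
an unknown place or machine is allowed only after extra authentication.

Added example, not code from Online Banking Report or any bank.  The
geolocation table is constructed and keyed by /24 prefix in place of a real
lookup service; the cookie scheme (random token, hash stored server-side) and
the LoginGuard API are assumptions.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Set, Tuple

MAX_FAILURES = 10   # Table 2, defense J

# Constructed lookup: /24 prefix -> metro area (documentation address ranges).
GEO_BY_PREFIX = {
    "192.0.2": "Cleveland",
    "198.51.100": "Cleveland",
    "203.0.113": "Lagos",
}


def region_for_ip(ip: str) -> Optional[str]:
    """Metro area for an IPv4 address, or None when the prefix is not in the table."""
    return GEO_BY_PREFIX.get(ip.rsplit(".", 1)[0])


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class LoginGuard:
    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}            # consecutive bad passwords
        self.home_region: Dict[str, str] = {}         # region on file for the user
        self.device_hashes: Dict[str, Set[str]] = {}  # hashes of issued cookies

    def enroll(self, user: str, home_region: str) -> None:
        self.home_region[user] = home_region
        self.failures[user] = 0
        self.device_hashes[user] = set()

    def issue_device_cookie(self, user: str) -> str:
        """Mint the cookie that marks this browser as a known location.

        Only the hash is kept, so a leaked table cannot be replayed as cookies;
        call this after the user has passed the step-up on a new machine.
        """
        token = secrets.token_urlsafe(32)
        self.device_hashes[user].add(_hash(token))
        return token

    def known_device(self, user: str, cookie: Optional[str]) -> bool:
        return bool(cookie) and _hash(cookie) in self.device_hashes.get(user, set())

    def attempt(self, user: str, password_ok: bool, ip: str,
                cookie: Optional[str] = None) -> Tuple[str, List[str]]:
        """Judge one login attempt.

        Returns (decision, reasons): 'locked', 'denied', 'allow', or 'step-up'
        (password correct, but extra authentication is required first).
        The lockout is checked before the password so a locked account cannot
        be probed further even with the right password.
        """
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "locked", [f"locked after {MAX_FAILURES} unsuccessful attempts"]
        if not password_ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= MAX_FAILURES:
                return "locked", [f"locked after {MAX_FAILURES} unsuccessful attempts"]
            return "denied", [f"bad password ({self.failures[user]} of {MAX_FAILURES})"]
        self.failures[user] = 0        # only a correct password resets the count
        reasons: List[str] = []
        home = self.home_region.get(user)
        region = region_for_ip(ip)
        if region is None or region != home:
            reasons.append(f"{ip} geolocates to {region or 'unknown'}, account is in {home}")
        if not self.known_device(user, cookie):
            reasons.append("no known-device cookie presented")
        return ("step-up" if reasons else "allow"), reasons


if __name__ == "__main__":
    guard = LoginGuard()
    guard.enroll("jsmith", "Cleveland")
    cookie = guard.issue_device_cookie("jsmith")
    print(guard.attempt("jsmith", True, "192.0.2.10", cookie))
    print(guard.attempt("jsmith", True, "203.0.113.5", cookie))
    print(guard.attempt("jsmith", True, "192.0.2.10", None))
```

One caveat a practitioner will want: a hard lockout means anyone who knows a customer’s username can lock that customer out, so pair the counter with a timed or staff-assisted unlock that follows the same reset discipline the text describes, rather than leaving the account frozen indefinitely.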
Maintaining Usability

The problem with more robust password schemes is that they inevitably make your Web banking program harder to use and can increase customer-support costs, especially at first. The challenge is striking the right balance, something each financial institution must determine based on its customer-service resources, its aversion to fraud risk, and how tolerant or paranoid its customers are. Another possibility is requiring stronger security for accounts with higher balances. Table 6 below provides a qualitative rating of various password schemes.
Regardless of how easy or difficult you make your password requirements, people will forget, often. PayPal provides some useful hints when an incorrect password is entered.
Table 6
Password Ease-of-Use Scorecard

| Username | Password | Ease-of-use rating | Security rating |
|---|---|---|---|
| email address | user-selected | Excellent – Only one field to memorize | Fair – Email addresses are widely available and the password could be easy to guess or find if used at other Web sites |
| social security number* | user-selected | Excellent – Only one field to memorize | Good – While numbers are relatively easy to obtain, at least it will be different than that used at non-banking Web sites |
| user-selected | ATM PIN | Excellent – Only one field to memorize | Good – While the ATM PIN is only 4 digits, it’s generally known and safeguarded by the user |
| social security number* | ATM PIN | Superb – Nothing to memorize | Good – Only vulnerability is guessing or discovering the PIN (1 in 365 if a calendar date is used) |
| user-selected | user-selected | Varies – depends on what password rules are enforced | Fair – If the same username/password is used at other Web sites, employees or hackers from those sites could compromise bank accounts |
| account number | user-selected | Fair – Most customers will have to look up the account number | Good – While account numbers are relatively easy to obtain, at least it will be different than that used at non-banking Web sites |
| user-selected | bank assigned | Fair – Most customers must write it down somewhere unless it’s built from user info, e.g., initials plus 3 random digits | Good – This approach eliminates the problem of users using the same password at other Web sites, but it increases the likelihood that they will write the p/w next to the computer |
| bank assigned | bank assigned | Poor – Nearly impossible to memorize, will be written down and looked up | Fair – Many users will write username and password next to the computer |

Source: Online Banking Report, 3/03
*May be discouraged or not allowed by regulators
Role of Automation

The main drawback of more rigorous password protection is the added cost, both in dollars and in aggravation. This can be mitigated with automated online reset procedures that make it relatively painless for users to recover forgotten passwords. But reset security must rely on a shared secret, NOT the social security number. For banks, we like resets based on ATM card number and PIN, which are easy to use and secure.
One online banking irony, luckily something we’ve not seen in the popular press, is the added vulnerability of the 60% to 80% of customers not using online banking. Consumers usually cite security concerns when explaining why they don’t bank online. What they don’t realize is that they are often more vulnerable to online theft by not using the system. Why? At many banks, identity thieves can sign up for online access by knowing the customer’s name, address, checking account number, and social security number (SSN). Except for the SSN, all this info is on most paper checks. And the SSN is readily available on the black market.
You should take every precaution against this type of attack. It’s a potential PR nightmare which could result in your conservative, high-deposit-balance customers questioning the safety and soundness of your entire operation. You can virtually eliminate this type of fraud by sending initial usernames through the mail or requiring ATM card number and PIN for initial authentication. To foil a determined thief who may be stealing snail mail, send a followup letter a few days later confirming the new online access.
Another technique is to allow non-users to “lock” their account against online access. Any application for online access would be denied pending contact with the customer to verify the request to “unlock” their account.
New accounts: Walking the fine line between account activation and security

As mentioned above, new accounts are your biggest authentication vulnerability. But these new users are also the least likely to understand why you’re torturing them with authentication procedures. Good security and ease of use don’t have to be mutually exclusive, though.
For example, Charter One uses a process similar to that outlined in Table 8 below. New users get immediate read-only access to their data using their ATM card number and PIN. Those wishing to move money out of the bank via bill payment are required to pass a more exhaustive authentication and wait a few days for activation.
Table 7
Behind-the-Scenes Safeguards
- Third-party technology/security audits of vendors
- Good internal controls for authenticating new users and requests for password resets
- Staff education on the perils of identity theft
- Zero tolerance for insider fraud (you will go to jail!)
- Damage-control plan for your first publicized online fraud occurrence (it WILL happen)
- Bill-pay requests authorized like credit card charges based on size of transaction, time of day, IP location, size/type of transaction, type of merchant address (P.O. box or PMB number), recent changes in merchant address, recent change in consumer address, user history, etc.
- Customers contacted regarding unusual activity
- New payees verified, especially those receiving large payments
- Monitor new accounts and those with recent address changes for suspicious activity
- Rigorous authentication of change-of-address requests, even those received from someone claiming to be a bank employee
- Scrutinize new or little-used bill-pay merchants suddenly receiving payments from multiple users (could be sign of internal theft)
Source: Online Banking Report, 3/03
Table 8
Secure Quick-Start Online Access
1. Existing ATM customers can look at their data online (read-only) immediately by logging in with account number and ATM PIN (personal identification number).
2. User has the option to change username and/or PIN.
3. Bank sends snail mail confirmation with a bank-generated password to access transactional functions, such as bill pay and funds transfer.
4. Upon receipt, users log in with username, PIN, and bank-generated password.
5. After the initial login, the extra password requirement could be eliminated or kept with the user given the option of changing the bank-generated password to something easy to remember.
6. If users forget their username/password, they could revert back to read-only access by following steps 1 to 5
Source: Online Banking Report, 3/03
