
Is better login security worth spent time?


6 replies to this topic

Poll: Are additional security measures to protect online banking login necessary? (12 member(s) have cast votes)

  1. Yes (5 votes [41.67%])

  2. No (3 votes [25.00%])

  3. I am not sure (4 votes [33.33%])

#1 markber

markber

    1 billion bucks

  • Admin
  • 15,047 posts

Posted 19 October 2005 - 09:16 AM


It looks like we all will have to spend more time logging into our bank accounts soon (see article below). I have been banking online since Compubank times and have never had a problem with unauthorized access to my accounts (and I have had a lot of them). Maybe I am the lucky one. However, I wonder how big the difference is between the Feds' additional security measures (e.g. hardware token) and meteorite insurance. How big is the likelihood that a person who actually applies brain effort to distinguish phishing emails from real ones, and pharming websites from real ones, will experience unauthorized access to his bank account during his lifetime?



QUOTE
By BRIAN BERGSTEIN, AP Technology Writer
Tue Oct 18, 7:29 AM ET



BOSTON - Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.

Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.

In two-factor authentication, customers must confirm their identities not only through something they know, like a PIN or password, but also with something they physically have, like a hardware token with numeric access codes that change every minute.

Other types of two-factor authentication include costlier hardware involving biometrics or "smart" cards that would be inserted into designated readers on a user's computer.

Banks might also issue one-time passwords on scratch-off cards or require "secret questions" about a customer's account, such as the amount of the last deposit or mortgage payment.

The council also suggested that banks explore technology that can estimate a Web user's physical location and compare it to the address on file.

The most common way of stealing consumers' personal identity data and financial account credentials online, known as phishing, typically involves sending e-mails that direct unwitting users to phony Web sites. Data harvested at such sites is then used fraudulently.

The Anti-Phishing Working Group, an industry association, reported 13,776 unique types of phishing attacks in August.

While some financial institutions have given their customers electronic password tokens, those have tended to be optional. Other banks have instituted password entry through mouse clicks instead of typing, a protection against keystroke-snooping programs.

But in general, the industry can do more to stop account fraud and identity theft, according to the financial institutions council — which includes the Federal Reserve; the Federal Deposit Insurance Corp.; the U.S. Comptroller; the Office of Thrift Supervision and the National Credit Union Administration.

"The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of information to other parties," the council wrote. "Account fraud and identity theft are frequently the result of single-factor ... authentication exploitation."

FDIC spokesman David Barr said the rules will serve as standards that will be checked when banks' practices are audited.

Although the requirements apply just to financial services companies, the policy could stimulate wider use of two-factor authentication by other merchants that are willing to "federate" their Web sites with banks, said Michael Aisenberg, director of government relations for Internet services provider VeriSign Inc.

VeriSign is a member of the Liberty Alliance, a group that is working to develop standards for federated authentication.

In a federated system, a two-factor login at one site would be recognized by another, so a travel agency associated with your bank would automatically grant you access if you came straight from the financial institution's Web site.

At the very least, Aisenberg said, "The securities industry is going to have to go along and other regulated sectors will no doubt follow along as well."



Source: http://news.yahoo.co...anking_security



#2 ABOUTBENS

ABOUTBENS

    Member

  • Members
  • 27 posts

Posted 19 October 2005 - 07:47 PM

It may not be "necessary," but I voted yes because it could be worth the time spent. It's really only a few seconds more to log in with an additional security measure, so why not do it? Would we rather vote for "fewer" security measures in place? A lot of people (including my sister and mother) are still too fearful of banking online. I try to convince them that it is "safe," but haven't gotten them to try it yet. If additional measures were in place, people like my sister and mom might be more likely to try online banking. Or maybe not, but I still don't think spending a few more seconds to log in to my accounts is a deprivation of my time.



#3 scottjm

scottjm

    Senior Member

  • Members
  • 54 posts

Posted 19 October 2005 - 08:03 PM

I voted yes. I am nervous with online accounts. I will never fall for a phishing scheme; I don't answer anything online, and if it's real I figure someone from the bank will eventually call. I subscribe to two different credit monitoring services that would alert me in minutes if any credit was opened in my name, but there is not much in the way of banking protection available. Still trying to determine your liability if your account is hacked. Did notice a statement on an online agreement that said something about them not being liable for unauthorized use of your password and user ID.



#4 scottjm

scottjm

    Senior Member

  • Members
  • 54 posts

Posted 21 October 2005 - 02:30 PM

Wow, 4 votes. Seems security is not a big issue. It should be, as I read a couple million accounts a year have had some sort of fraudulent usage. Phishing was the main culprit but keylogging has been a growing problem. Not worried about phishing, and the only safeguard I know of for keylogging is keeping up to date on firewall and virus protection. Plus I type my password really fast.
Found there is protection for us under Federal Regulation E.


Below are some of its points:

What's covered
Any transfer initiated through an "electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit an account." These include point-of-sale transfers, automated teller machine transfers, direct deposits or withdrawals of funds, transfers initiated by telephone, and transfers resulting from debit card transactions, whether or not initiated through an electronic terminal


Consumer liability
When a debit card or other "access device" is lost, such as an online banking password, consumer liability is capped at $50 for those who notify banks within two business days. Consumers who notify the bank within 60 days have their liability capped at $500. After 60 days, if the consumer doesn't inform the bank, any charges which occur become the consumer's responsibility. If no access device is lost, and fraudulent charges mysteriously appear on a consumer's account, the liability clock begins when the bank notifies its customer of the activity, usually through regular monthly statements.



#5 jrr7

jrr7

    Member

  • Members
  • 19 posts

Posted 21 October 2005 - 05:20 PM

QUOTE(markber @ Oct 19 2005, 04:16 AM)
It looks like we all will have to spend more time logging into our bank accounts soon (see article below). I have been banking online since Compubank times and have never had a problem with unauthorized access to my accounts (and I have had a lot of them). Maybe I am the lucky one. However, I wonder how big the difference is between the Feds' additional security measures (e.g. hardware token) and meteorite insurance. How big is the likelihood that a person who actually applies brain effort to distinguish phishing emails from real ones, and pharming websites from real ones, will experience unauthorized access to his bank account during his lifetime?


Here's what I know:
  • Some people have no business being on the Internet, let alone doing banking online.
  • There are always going to be thieves out there who support themselves through fraud. (It would cost society too much to hunt them down, and plus, new thieves are minted every day.)
  • If one particular method of fraud becomes difficult for thieves, they just move on to another one.
  • Most thieves are lazy enough that they don't steal excessive amounts of money. The others go into politics or become CEOs.
  • People who have their money stolen online will be less likely to bank online in the future.
  • There are virus writers out there who will sell control over virus-infected PCs to anyone for the right price.
Here's what I conclude:
  • Universally implementing two-factor will initially reduce the amount of fraud related to phishing.
  • Some people who would have had their money stolen and would have stopped banking online will continue to bank online.
  • The lazy thieves will initially move on to more lucrative pursuits.
  • The smarter thieves will start buying access to compromised computers and move on to more advanced tricks that are more difficult to detect, and which two-factor does nothing to stop. (man-in-the-middle, dns poisoning, arp poisoning, routing table poisoning)
  • As a result, ordinary, non-stupid people will be more likely to have their bank accounts compromised, and it will be harder to trace the criminals.
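
The hardware token from the quoted article ("numeric access codes that change every minute"), as an added example that is not part of the thread and not any bank's or token vendor's code. It uses the public HOTP/TOTP construction (RFC 4226 / RFC 6238) with a 60-second step as a stand-in for a proprietary token algorithm; `BankLogin`, the password, the salt and the secret are hypothetical, constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article's token shows a new code "every minute"
DIGITS = 6

def token_code(secret: bytes, unix_time: int) -> str:
    """Code the token displays at unix_time (HOTP over the minute counter)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def _stretch(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class BankLogin:
    """Hypothetical server-side check: password AND current token code."""

    def __init__(self, password: str, secret: bytes, salt: bytes = b"demo-salt"):
        self._salt = salt
        self._pw_hash = _stretch(password, salt)
        self._secret = secret
        self._last_counter = -1  # highest minute counter already accepted

    def login(self, password: str, code: str, now: int) -> str:
        if not hmac.compare_digest(_stretch(password, self._salt), self._pw_hash):
            return "bad-password"
        current = now // STEP_SECONDS
        for counter in (current, current - 1):  # allow one minute of drift
            if counter < 0:
                continue
            expected = token_code(self._secret, counter * STEP_SECONDS)
            if hmac.compare_digest(code.encode(), expected.encode()):
                if counter <= self._last_counter:
                    return "replayed-code"  # every code is single use
                self._last_counter = counter
                return "ok"
        return "bad-code"

if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed: the RFC 4226 test secret
    bank = BankLogin("correct horse", secret)  # constructed password
    code = token_code(secret, 30)
    print(bank.login("correct horse", "000000", 30))  # password alone fails
    print(bank.login("correct horse", code, 30))
    print(bank.login("correct horse", code, 45))       # same code again
```

The check ties a code to the account and the minute only: a captured password alone or a reused code is rejected, but the server learns nothing about where the code was typed, which is the limit post #5 describes.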




#6 scottjm

scottjm

    Senior Member

  • Members
  • 54 posts

Posted 24 October 2005 - 10:47 AM

Got this email from BOA yesterday. When I clicked on its link it brought me to a very real-looking BOA site and asked me to update all sorts of info. Looked official but I highly doubt a bank would ask for this info by email. Sent it to the abuse department at BOA but no response from them. When I tried to click on it again this morning a warning came up from AOL telling me this link is now blocked as they feel it is phishing. Kind of strange that AOL seems to be looking out for me better than the bank itself. Anyone else get it?
-------------------------------------------------------------------------------




Confirm Your Account Informaion

As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts.

You are requested to visit our new site, and fill in the required information.

Click here.

This is required for us to continue to offer you a safe and risk free environment to send and receive money online and maintain the experience.You have 2 days to enter required information or your bank account will be locked.

Did You Know That We Update Our Systems? You can confirm account information, order checks and more online. Confirm Account Information




--------------------------------------------------------------------------------

Because your reply will not be transmitted via secure e-mail, the e-mail address that generated this alert will not accept replies. If you would like to contact Bank of America with questions or comments, please Confirm Account Information and visit the customer service section.




--------------------------------------------------------------------------------

Bank of America, N.A. Member FDIC. Equal Housing Lender
© 2005 Bank of America Corporation. All rights reserved



#7 stmdqmw

stmdqmw

    New Member

  • Members
  • 2 posts

Posted 19 November 2005 - 04:20 AM

I'm pretty sure that email was not from Bank of America. If there was a problem with your account they would probably send a secure email in online banking.






