Bank Technology News | December, 2009 | John Adams
BTN: There are still holes in online banking protection, according to Javelin Strategy & Research, which says lots of banks are still using long passwords and very rudimentary information for authentication purposes.(Editor's Note: Long passwords don't work. Either does the 20 questions approach. It doesn't matter if online banking customers were required to type the entire book, "War and Peace by Tolstoy" into a box on a bank website and then answered 20 questions about quantum physics...everything can easily be keystroke logged by hackers...
it's the typing that provides the online banking credentials to the fraudsters...not the length of the password nor the number of questions asked.
Another words, fraudsters could cut and paste your password and username as easily as I cut and pasted this article from BTN) Online Banking customers MUST use a hardware device which encrypts their log-in details outside the browser space so the bad guys get gobbly-gook if they intercept. The good news is the same is true for online shopping with credit/debit/prepaid cards and bank's can derive recurring transactional income for each purchase made with a HomeATM device. Furthermore, "card not present" fraud is eliminated with our device and CNP fraud is the fastest growing threat facing online shoppers.
At the end of the day, banks ensure a secure online banking session and make money each time their customers use our device. Throw in revenue derived for real-time bill pay, instant money transfers (any bankcard to/from any bankcard) and the ROI would be a couple transactions. Add to that the competitive advantage gained by offering a secure solution in the face of weak authentication and it can make for a pretty formidable marketing/branding strategy...one that induces customer loyalty AND makes money. Last time I read an article on Bank Technology News about online banking, their editor said "it's dead."
Online Banking is Dead - Bank Technology News Editor-In-Chief
"Among the protective measures that should be in the dustbin are authentication data such as birthdays, email addresses and zip codes, since it's information that's very easy for fraudsters to predict or obtain. Yet it's still used by about 20 percent of online banking sites. The percentages are low, but given the use of zip codes and email addresses as authentication pieces were outed as a bad idea years ago, any remaining use of these metrics is a surprise. Also, a quarter of banks still require passwords longer than six digits, considered a no-no in an age of usability. And only about 25 percent of banks reduce data exposure by truncating social security numbers during enrollment.
Javelin additionally found that 90 percent of banks user generic error messages when a log in attempt fails, and 10 percent still display information that can be used in a “brute force” attack. James Van Dyke, president of Javelin, said it was surprising that so many banks overlook this potential vulnerability. He says a cross-site scripting flaw on a customer-facing Web site could allow crooks to access the internal network or insert counterfeit content along with legitimate content on a site and redirect customers to a fraudulent third party site.
Javelin reviewed the websites of 24 financial institutions, including Banco Popular, Bank of America, Bank of the West (BancWest), Branch Banking and Trust Company, Capital One, Citibank, Fifth Third Bank, Golden One Credit Union, HSBC Bank, ING Bank, JPMorgan Chase, M&I, M&T, NFCU, PNC, RBS Citizens, Regions, Sovereign, SunTrust, Synovus, TD Bank, US Bank, Wells Fargo, and Zions. The firm did not identify specific institutions, presenting its results in aggregate."
Definitely, I agree with you there is a lot to improve in banking system.
Chase Online Banking