All banks should be better protected against fraud and identity theft. Financial institutions, including brokerages, banks and credit unions, must add an extra layer of security for high-risk transactions, such as account access and money transfers. A simple name and password combination will no longer be sufficient for most types of transactions.
The Federal Financial Institutions Examination Council (FFIEC) is an organization of five financial industry enforcement agencies:
the Board of Governors of the Federal Reserve System,
the Federal Deposit Insurance Corporation,
the National Credit Union Administration,
the Office of the Comptroller of the Currency, and
the Office of Thrift Supervision.
The rules are leading to a scramble by banks to purchase security technology. They have also produced a surge in sales of identity and access management compliance products: IDC estimates the worldwide market grew 78% in 2006, with about half of that growth in the U.S. market.
The FFIEC recommended that two-factor authentication be used for all online banking, which in your case means making payments. Even if your organization is not a bank, two-factor authentication is still an option for protecting online commerce such as your business.
There are three authentication factors: something you know, something you have and something you are. A user ID and password are examples of something you know. A one-time password (OTP) token or smart card is an example of something you have. Your fingerprint, voice or facial pattern is something you are. Combining two of these methods is called two-factor authentication.
The idea behind two-factor authentication is defense-in-depth. If one factor is breached, the other can still block malicious access.
For Web sites, two-factor authentication can mean OTP tokens issued to customers, or even simple biometric tokens connected to PCs by USB ports. The biometric tokens, which resemble OTP tokens in size and appearance, check the user's fingerprint.
Kinds of extra security
Banks may turn to hardware-based authentication, such as a smart card or token that can be plugged into the user's USB port. But that is a high-cost, high-maintenance option best suited for high-end customers.
At the lowest-cost end of the spectrum, banks might try to add a second password requirement. But that won't satisfy the FFIEC guidance, according to experts.
Banks may also use software that monitors user behavior and compares it with a profile of past behavior to look for anomalies. Such risk-based monitoring tools watch things such as the type of computer normally used, the user's IP address, typical account activities, and so on. Only if a user does something odd does the system ask for additional authentication.
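The risk-based approach just described, as an added example that is not code from the original article or from any vendor's product: a login or transfer is scored against the customer's stored profile (known devices, usual networks, transfer history) and a second factor is demanded only when the score crosses a threshold. The signals, weights, threshold and sample profile are all illustrative assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class UserProfile:               # what the bank has learned about the customer
    usual_devices: frozenset     # device fingerprints seen before
    usual_networks: tuple        # CIDR blocks the customer normally connects from
    typical_transfer_max: float  # largest transfer in recent history

@dataclass
class AccessEvent:               # one login or transaction attempt
    device: str
    ip: str
    transfer_amount: float = 0.0 # 0.0 means plain account access

STEP_UP_THRESHOLD = 2            # assumed: at/above this, demand a second factor

def risk_score(profile: UserProfile, event: AccessEvent):
    """Compare the event with the profile; return (score, reasons)."""
    score, reasons = 0, []
    if event.device not in profile.usual_devices:
        score += 1
        reasons.append("unfamiliar device")
    addr = ip_address(event.ip)
    if not any(addr in ip_network(net) for net in profile.usual_networks):
        score += 1
        reasons.append("unfamiliar network")
    if event.transfer_amount > profile.typical_transfer_max:
        score += 2               # money movement weighs more than mere access
        reasons.append("transfer exceeds history")
    return score, reasons

def requires_step_up(profile: UserProfile, event: AccessEvent) -> bool:
    """True only when the event is anomalous enough to ask for a second factor."""
    return risk_score(profile, event)[0] >= STEP_UP_THRESHOLD

# Constructed sample profile; 203.0.113.0/24 is a documentation-only range.
SAMPLE_PROFILE = UserProfile(frozenset({"win10-chrome-abc"}), ("203.0.113.0/24",), 500.0)

if __name__ == "__main__":
    for ev in (AccessEvent("win10-chrome-abc", "203.0.113.7"),           # routine login
               AccessEvent("android-xyz", "198.51.100.9"),               # new device + network
               AccessEvent("win10-chrome-abc", "203.0.113.7", 2500.0)):  # unusual transfer
        verdict = "step-up" if requires_step_up(SAMPLE_PROFILE, ev) else "allow"
        print(verdict, risk_score(SAMPLE_PROFILE, ev)[1])
```

A routine login from a known device and network scores zero and passes through, while a new device on an unfamiliar network, or a transfer larger than anything in the customer's history, triggers the request for a second factor.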