The Federal Deposit Insurance Corporation (FDIC) this week
released a study on phishing and account-hijacking. It is seeking
comments on the study that it hopes to use to formulate guidance to
bankers next year.
The FDIC cited a recent study which estimated that nearly two
million internet users in the US experienced account hijacking
during the 12 months ending April 2004. Of those, 70% do their
banking or pay their bills on-line and over half believed they
received a phishing e-mail. Many experts believe, says the FDIC,
that the increase in identity theft will have the effect of slowing
the growth of on-line banking and commerce.
According to the study released today by the FDIC, financial
institutions and their regulators should consider a number of steps
to help reduce online fraud, including:
- Upgrading existing password-based single-factor customer
authentication systems to two-factor authentication.
- Using scanning software to identify and defend against phishing
attacks.
- Strengthening educational programs to help consumers avoid
on-line scams.
- Placing a continuing emphasis on information sharing among the
financial services industry, government, and technology
providers.
The last three points were reflected in a recent report by
Britain's Financial Services Authority which looked at how
financial firms are managing their information security in the
fight against financial crime, including phishing.
Perhaps surprisingly, the FSA did not consider the possible need
to upgrade on-line authentication systems used by consumers,
although it did make reference to the value of two-factor
authentication for staff accessing corporate networks remotely.
Two-factor authentication – using a password the user remembers
and another factor from a physical device such as RSA's SecurID
token – could stamp out most of the problems with phishing.
With such a system, each account holder would be given a key
fob-sized token which generates a unique code every 60 seconds.
Each code is only valid for that user for that 60-second
window.
The solution would require banks to demand the security
details once to access the account and again to make a transfer
of funds. While an attacker could drive users to a bogus site
into which they would enter their two-factor authentication
details, with the same details being copied by the attacker at the
same time to give him access to the genuine site, his plan would
likely be foiled when a transfer was attempted.
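The scheme just described, as an added illustration that is not part of the article: a server that checks a 60-second token code at login and again before a transfer, treating each code as single-use so a code captured and relayed during one window cannot be used a second time. The HMAC-based code derivation, the user record and the password hashing are illustrative assumptions, not RSA SecurID's algorithm or any bank's implementation.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code, matching the 60-second tokens described above


def token_code(secret: bytes, now: int, digits: int = 6) -> str:
    """Code the fob would show during the 60-second window containing `now`.

    HOTP/TOTP-style HMAC derivation, assumed here for illustration only.
    """
    window = now // STEP
    mac = hmac.new(secret, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def hash_password(password: str) -> str:
    # Stand-in for a real password hash (use a slow, salted KDF in practice).
    return hashlib.sha256(password.encode()).hexdigest()


class BankServer:
    """Requires the token at login and again at transfer; codes are single-use."""

    def __init__(self, users: dict):
        # users: name -> (password hash, token secret); constructed test data
        self.users = users
        self.sessions = set()
        self.used_window = {}  # user -> last window in which a code was accepted

    def _check_token(self, user: str, code: str, now: int) -> bool:
        window = now // STEP
        if self.used_window.get(user) == window:
            return False  # code for this window already consumed: replay rejected
        if not hmac.compare_digest(token_code(self.users[user][1], now), code):
            return False  # wrong code, or one from an expired window
        self.used_window[user] = window
        return True

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        if user not in self.users:
            return False
        if not hmac.compare_digest(self.users[user][0], hash_password(password)):
            return False
        if not self._check_token(user, code, now):
            return False
        self.sessions.add(user)
        return True

    def transfer(self, user: str, code: str, now: int) -> bool:
        # Step-up check: a fresh code is needed even for a logged-in session.
        return user in self.sessions and self._check_token(user, code, now)
```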
The main drawbacks appear to be cost and usability. While unit
costs are just a few pounds for SecurID-type tokens, there is
likely to be a large implementation and administration overhead.
The token generators also present problems for consumers: tokens
are new and unfamiliar technology for most people and, if they
become standard, each individual could be required to carry and
maintain a selection of tokens, one for each on-line account.