Banking industry needs to tackle account hijacking
The second part of PassMark Security's authentication
process involves making sure you're who you say you are. The company
does that by using various markers to create a database of device
information that enables a PassMark-protected site to identify your
computers, phones or PDAs. If something seems suspicious -- maybe
the attempt to access your account is coming from a device that
isn't recognized, or from an Internet provider you've never used
before -- the bank could ask the user for additional information
or refuse access.
Another option is biometrics -- physical characteristics such as
a fingerprint, retina scan or voice recognition. But that requires
additional hardware, which could be expensive.
Tokens are another possible solution. They are physical devices
that sometimes can be plugged into a USB port, which is a device
on your computer that lets you attach such things as a mouse and
printer to it. The token, in combination with your user name and
password, would give you entry to your account. Other tokens that
don't require a physical connection are battery operated and generate
a series of random numbers every few seconds. You'd log on to your
account and be asked for a user name, password and whatever number
is being generated at that time. Tokens can be carried on a key
ring, but they can also be lost.
Steven Gal of ID Analytics says two-factor authentication is an
important step, but it won't solve the problem.
"Do you want to issue key fobs to consumers? Do I get one
per account? Will I have a key ring full of fobs? In biometrics
there are privacy issues. Do I do my biometric at every bank? What
if it's a fraudster applying for second authorization so they can
get on your account? If I register my retina under your name, I'm
more you than you are. These measures are appropriate, but there
is a set of challenges under every one."
Gal's company focuses its efforts on preventing fraudsters from
using data once they've acquired it.
"We initially focused on applications for new credit and new
accounts. We look at identity elements and patterns and we can stop
a lot of (fraudulent) attempts. We're now moving heavily into account
hijacking. Don't let a transaction happen if it's risky. The person
can get in, but we're stopping them from changing an address or
transferring money. We trigger alerts that go to the institution:
This is a risky transaction, do further verification; and we recommend
steps to foil it."
While institutions sort out the possibilities, consumers can move
ahead and make every effort to protect their accounts. Your bank
or credit union should have information on its Web site regarding
online fraud. Find out what you're expected to do to protect yourself.
Understand how to report any fraud attempts or losses from your
accounts, and report them in a timely fashion.
The FDIC also has a wealth of information about identity fraud, phishing
scams and what to do if you're victimized.