The Federal Deposit Insurance Corporation (FDIC) this week released a study on phishing and account hijacking. It is seeking comments on the study, which it hopes to use to formulate guidance to bankers next year.
The FDIC cited a recent study which estimated that nearly two million internet users in the US experienced account hijacking during the 12 months ending April 2004. Of those, 70% do their banking or pay their bills on-line, and over half believed they had received a phishing e-mail. Many experts believe, says the FDIC, that the increase in identity theft will slow the growth of on-line banking and commerce.
According to the study released today by the FDIC, financial institutions and their regulators should consider a number of steps to help reduce online fraud, including:
The last three points were reflected in a recent report by Britain's Financial Services Authority which looked at how financial firms are managing their information security in the fight against financial crime, including phishing.
Perhaps surprisingly, the FSA did not consider the possible need to upgrade on-line authentication systems used by consumers, although it did make reference to the value of two-factor authentication for staff accessing corporate networks remotely.
Two-factor authentication – using a password the user remembers and another factor from a physical device such as RSA's SecurID token – could stamp out most of the problems with phishing.
With such a system, each account holder would be given a key fob-sized token which generates a new code every 60 seconds. Each code is valid only for that user and only during that 60-second window.
Banks would also have to require the security details twice: once to log in and again to authorise a transfer of funds. An attacker could still drive users to a bogus site, capture the password and one-time code as they are typed and relay them to the genuine site within the same 60-second window to gain access. But that code is then spent, so his plan would likely be foiled when a transfer was attempted and a fresh code demanded, unless he could keep the victim on the bogus site long enough to relay that second code as well.
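The mechanism described above, as an added example that is not code from the original article, the FDIC or RSA: SecurID's own algorithm is proprietary, so this uses a time-based HMAC-SHA1 one-time code with a 60-second step (the RFC 6238 TOTP construction) to stand in for the fob. The `BankServer` class, user name and token seeds are constructed for illustration. The server accepts a given code once only, so a code relayed by a phisher opens the session but is useless for the later transfer, which needs a fresh code from the fob.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the 60-second window from the article
CODE_DIGITS = 6


def token_code(secret: bytes, at: int, step: int = STEP_SECONDS,
               digits: int = CODE_DIGITS) -> str:
    """Code the fob displays at unix time `at`.

    HMAC-SHA1 over the time counter, truncated to `digits` decimal digits
    (the RFC 6238 / RFC 4226 construction, used here as a stand-in for
    SecurID's proprietary generator).
    """
    counter = at // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class BankServer:
    """Hypothetical server side: one seed per user, each code spendable once."""

    def __init__(self) -> None:
        self.seeds: dict[str, bytes] = {}          # user -> token seed
        self.spent: set[tuple[str, int]] = set()   # (user, window) already used
        self.sessions: set[str] = set()

    def enrol(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed

    def verify(self, user: str, code: str, now: int) -> bool:
        """True only if `code` is this user's code for the current window
        and has not been accepted before."""
        seed = self.seeds.get(user)
        if seed is None:
            return False
        window = now // STEP_SECONDS
        expected = token_code(seed, now)
        if not hmac.compare_digest(expected, code):   # wrong user, seed or window
            return False
        if (user, window) in self.spent:               # replay of a spent code
            return False
        self.spent.add((user, window))
        return True

    def login(self, user: str, code: str, now: int) -> bool:
        ok = self.verify(user, code, now)
        if ok:
            self.sessions.add(user)
        return ok

    def transfer(self, user: str, code: str, now: int) -> bool:
        """A transfer needs an open session AND a fresh code."""
        return user in self.sessions and self.verify(user, code, now)


def relay_scenario() -> dict[str, bool]:
    """Walk through the phishing relay from the article and report each step."""
    bank = BankServer()
    victim_seed = b"victim-fob-seed-constructed"   # constructed sample seed
    bank.enrol("alice", victim_seed)
    t0 = 1_200_000                                 # start of a 60-second window
    captured = token_code(victim_seed, t0)         # typed into the bogus site

    return {
        # relayed within the window: the phisher gets in
        "attacker_login": bank.login("alice", captured, t0 + 5),
        # same code again for the transfer: spent, rejected
        "attacker_transfer_same_code": bank.transfer("alice", captured, t0 + 10),
        # a code from a seed the attacker made up: wrong token, rejected
        "attacker_transfer_forged": bank.transfer(
            "alice", token_code(b"attacker-guess", t0 + 10), t0 + 10),
        # the captured code after the window has rolled over: expired
        "attacker_transfer_next_window": bank.transfer("alice", captured, t0 + 60),
        # only the real fob can produce the fresh code the transfer demands
        "victim_transfer_fresh_code": bank.transfer(
            "alice", token_code(victim_seed, t0 + 60), t0 + 60),
    }


if __name__ == "__main__":
    for step, result in relay_scenario().items():
        print(f"{step:32s} {'accepted' if result else 'rejected'}")
```

The once-only check is the part that does the work: without the `spent` set, a code captured and relayed within the same window would be accepted for both the login and the transfer.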
The main drawbacks appear to be cost and usability. While unit costs are just a few pounds for SecurID-type tokens, there is likely to be a large implementation and administration overhead. The tokens also present problems for consumers: they are new and unfamiliar technology for most people and, if they become standard, each individual could be required to carry and maintain a collection of tokens, one for each on-line account.