THE CHALLENGE: The rising incidence of account hijacking and identity theft has created a challenge for financial organizations that want to secure their data, but still allow clients and staff to conduct transactions online. Two-factor authentication may provide a solution.
E*TRADE Financial has always been seen as a leader when it comes to online brokerages, and it has raised the bar once again, becoming the first firm to roll out two-factor authentication to consumers through a new digital security ID offering. Rather than simply type in a user ID and password to access online accounts, E*TRADE clients can now sign up for a security token, a device that can attach to a key chain and displays a fresh six-digit number every minute. Users simply tack the number on the end of their passwords when signing in to their accounts to gain access.
The device foils perpetrators who manage to steal passwords and IDs because the sign-in process cannot be completed without the number generated by the security token. Since the generated numbers constantly change, it is virtually impossible for someone holding only a stolen ID and password to get into an account protected with two-factor authentication.
Josh Levine, E*TRADE's chief technology officer, says the decision to provide investors with enhanced security was a no-brainer. "As you accumulate wealth, do you want the only thing between you and your money to be a user ID and password that anyone can steal off your desktop?" he asks. "We want to deliver what we feel is the best security. Our mission is to make sure that your money is safe and your information is safe," he continues. "We want to help our customers do that on their desktops ... so they feel secure at home or work."
Levine says the secure token means users can access their accounts from any Internet connection - at an airport kiosk, for example - without worrying about security protocols.
Two-factor authentication is getting more attention as online fraud increases and becomes a burden to online commerce. The Federal Trade Commission estimates that more than 10 million Americans have been victims of identity theft at a cost of $50 billion to the economy. And a December 2004 survey by Cambridge, Mass.-based Forrester Research found that 25 percent of online consumers say e-mail fraud has stopped them from applying for a financial product online.
That spells trouble for financial service firms, which are increasingly seeking to do business online. And it's not just the consumer channel that's at risk - corporate networks also are subject to attacks, and that's prompting firms to deploy two-factor authentication within the enterprise.
"We are using two-factor authentication today primarily for corporate-oriented customers," notes Paul Smocer, chief information security officer at Mellon Financial Corp. in Pittsburgh. He says Mellon uses two-factor authentication for "large, sensitive transactions."
"We have two-factor authentication with some of our processes," says Robert Garigue, chief information security officer at BMO Financial Group in Toronto, which operates the online brokerage BMO InvestorLine. Mostly, it's at the corporate level, he says, but "the lines of business are looking at that right now."
When it comes to dual-factor authentication at the corporate level, most companies use a smart card that is swiped through a card reader. Added security could include a PIN that has to be entered at the same time.
Is It Safe?
But, "Is dual-factor authentication the silver bullet that some are making it out to be?" Mellon's Smocer asks. "It doesn't necessarily prevent ID theft in the broader sense."
Though it can cut down on account hijacking - in which a thief obtains personal financial information, including IDs and passwords, and then uses that to enter accounts and steal funds by transferring them or conducting unauthorized transactions - dual-factor authentication has its limits.
Personal information is stolen through a number of means, many of a low-tech nature. According to a December 2004 report from the Federal Deposit Insurance Corp., as much as 65 percent to 70 percent of ID theft can be traced to insiders selling information to criminals or using it for their own purposes. Criminals also can obtain sensitive information by dumpster diving and retrieving things such as bank statements from the trash or simply by observing people as they log in to their accounts at ATMs or public computers. Still, token devices are effective against many electronic schemes, including phishing attacks, hacking and Trojan horse or key-logger programs.
In phishing scams, for example, perpetrators conduct massive fraudulent e-mail campaigns. The e-mails appear to come from a legitimate financial services firm and they ask users to confirm or update their passwords and IDs by visiting a fake Web site that resembles the financial institution's authentic site. The information is then captured by the interlopers, who either sell it or use it for nefarious purposes.
Hackers also can break into systems aided by the static nature of single-factor authentication, which features a password and ID that few people ever change. A survey by Bedford, Mass.-based RSA Security, which provided E*TRADE with its token device, found that two out of three Web users have fewer than five passwords to access all their electronic information and 15 percent use a single password.
Other methods used to steal sensitive information include spyware and key-logger attacks, in which people inadvertently download malicious software that surreptitiously monitors their keystrokes. The malware then captures users' IDs and passwords.
Two-factor authentication can derail many of these electronic attacks because it features two components: something the user knows, such as an ID and password, and something the user has, such as the security token. Phishing, hacking and spyware provide access to only one set of the security components - the ID and password. To gain access to accounts, criminals would have to steal the token device that generates the additional information.
E*TRADE's Levine says he examined a number of different options for authentication, including systems that generated rotating questions based on personal information, but the token device "seems to resonate the best with customers," he says. "There's something to be said about having a physical device that can't be defeated as opposed to asking a question on a Web site."
In terms of deployment, Levine says it wasn't a big investment. Some additional hardware was needed, but he notes that "We pretty much had everything in place." The token, which resembles a key fob, is synchronized with E*TRADE's host system, so the number it displays matches the one the host expects at that moment. Users simply have to sign up for the service and E*TRADE mails out the token device, which is available to clients with more than $50,000 in their accounts.
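As an added illustration of the host-side check described above (example code, not E*TRADE's or RSA's implementation; the SecurID algorithm is proprietary), the following stands in a standard HMAC-based time code with a 60-second step and six digits. It assumes a per-token seed shared with the host at enrollment, a PBKDF2-hashed password for the "something you know" factor, and shows the server splitting "password + code", tolerating one step of clock drift between token and host, and refusing a code that has already been redeemed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP_SECONDS = 60   # the article's token shows a fresh number every minute
DIGITS = 6          # six-digit display, appended to the end of the password


def time_code(seed: bytes, unix_time: int) -> str:
    """HMAC-based time code (RFC 6238-style truncation); an assumed stand-in,
    not the proprietary token algorithm the article describes."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


@dataclass
class TokenAccount:
    salt: bytes            # constructed per-account salt for the static factor
    password_hash: bytes   # PBKDF2 of the password (what the user knows)
    seed: bytes            # token secret shared with the host (what the user has)
    last_counter: int = -1 # highest time step already redeemed; blocks replay


def make_account(password: str, seed: bytes, salt: bytes = b"constructed-salt") -> TokenAccount:
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return TokenAccount(salt=salt, password_hash=pw_hash, seed=seed)


def verify_login(account: TokenAccount, submitted: str, now: int, drift_steps: int = 1) -> bool:
    """Check both factors. The code is the trailing six digits; everything before it is the password."""
    if len(submitted) <= DIGITS or not (submitted[-DIGITS:].isascii() and submitted[-DIGITS:].isdigit()):
        return False
    password, code = submitted[:-DIGITS], submitted[-DIGITS:]
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, 100_000)
    if not hmac.compare_digest(pw_hash, account.password_hash):
        return False
    current = now // STEP_SECONDS
    # Accept the current step plus a small drift window, but never a step already used.
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter <= account.last_counter:
            continue
        if hmac.compare_digest(time_code(account.seed, counter * STEP_SECONDS), code):
            account.last_counter = counter
            return True
    return False
```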
Though two-factor authentication provides added security, it has its challenges, says Rob Dyson, an associate partner with the security technologies group at Accenture in Dallas. Firms have to get the device into the hands of their users, he notes. "There are fees associated with that," he says. And "You do need to get the help desk ready - there will be calls."
BMO's Garigue adds that there's also the cost of issuing replacement devices because some users inevitably will lose them. E*TRADE advises clients that they could be charged $25 for a replacement device.
Mellon's Smocer notes that because most people have relationships with more than one firm, they could find themselves with a pocketful of devices for different institutions, which will eventually become confusing and inconvenient for users.
Accenture's Dyson says he thinks dual-factor authentication will evolve to a single smart card that contains an individual's personal information and which fits easily into a wallet. "In Europe, the smart card is huge," he points out.
While regulators have not required firms to adopt two-factor authentication, the FDIC has urged financial institutions and governments to consider upgrading to it. Still, according to Dyson, "It's a little early for the regulators yet."
Nevertheless, Mellon's Smocer says two-factor authentication is the way of the future. "We are going to see this technology expand going forward. I don't think there's any question about that."