e-banking: The check is in the email

Vermont Business Magazine, Feb 01, 2005 by Kelley, Kevin

And while they are starting to take market share from bricks -andmortar operations, branchless banks still account for less than two percent of the nation's banking business. Consumer acceptance of online banking is increasing as other types of electronic financial transactions become more common, Forreger says.

"You never see the person who issues your credit card, but you don't doubt that it works. You probably don't see the manager of your mutual fund either, and your mortgage provider may no longer be operating in a branch format," Forreger points out. Underpinning the growth of all forms of online banking is customers' confidence that their transactions are secure. More and more Vermonters, as well as Americans in general, do make this assumption - and it's fully warranted, according to bank managers.

Officials at Chittenden, Merchants and other Vermont banks say they have not been victimized by online frauds and are able to repel any attacks by hackers. Chittenden has a department dealing exclusively with data security, McGuire says.

"We're buttoned up tight," the Internet product manager adds, noting that the bank's security systems are regularly assessed by the Federal Deposit Insurance Corporation.

"Experts are brought in who try to hack our system," says Kim Candib, electronics services manager for Merchants. They can spot any weaknesses and help devise improvements, she adds. But the FDIC does not believe that banks' existing security features will prove adequate in defending against increasingly sophisticated attempts at online theft.

"The financial services industry's current reliance on passwords for remote access to banking applications offers an insufficient level of security," the FDIC said in a report in December. It called for upgrading the current password-based single-factor customer authentication systems to two-factor systems, which usually include a standard password and a hardware security device. Such an upgrade "has the potential to eliminate, or significantly reduce, account hijacking," the FDIC said, using a term generally synonymous with "phishing."

(See accompanying story.) The federal bank insurance agency is also concerned about newer scamming techniques such as "malware."

More insidious than phishing, which relies on gullibility on the part of an email account holder, malware surreptitiously invades a personal computer through e-mail or pop-up advertising. Undetected by the user, it can record and transmit keystrokes - and thus personal financial information - whenever an infected computer's user logs onto a banking program or makes a credit card payment.

Some leading U.S. banks are starting to adopt the hardware devices recommended in the FDIC report. Small enough to be attached to a keychain, these freestanding units display a sixdigit number that changes every minute. An online banking customer would have to type in the number shown on the device, along with his or her user name and password.

Banks in Europe are already starting to make the security devices mandatory for their online customers, according to a recent report in The New York Times. Major American banks are evaluating the technology for use by retail customers, who could be required to pay the roughly $10 cost of one of these devices.