FDIC Consumer News has warned readers for years to be on guard against fraudulent e-mails and Web sites that try to trick you into revealing confidential information, such as bank passwords, that can be used to steal money from accounts. Now we want to let you know about new recommendations from federal regulators (including the FDIC) intended to help banking institutions differentiate their true customers from fraud artists and to help Internet users recognize real bank Web sites from fraudulent sites.
In general, the guidelines — which are based in part on an FDIC study released in December 2004 — recommend that each federally insured bank, savings institution and credit union do the following by year-end 2006:
Analyze its Internet services in terms of the potential for fraud or theft. Some bank Web sites only provide details such as branch locations and interest rates on products, which are low-risk activities. But Internet-based banking services that can move money out of accounts or permit Internet users to access confidential information (such as Social Security and bank account numbers) are considered at high-risk for attempted fraud or identity theft.
|
New federal guidelines recommend that each institution ensure that
high-risk Internet services are protected by more than just passwords. |
Ensure that high-risk Internet services are protected by more than just passwords. Possible options include low-tech solutions, such as the use of questions and answers that only your bank and you know, and "scratch cards" with special passwords that are provided to account holders for one-time use. However, there also are high-tech identification programs that include special devices, such as:
- A "token" provided to customers that will generate a unique access number for use with each Internet transaction;
- A "smart card" that is similar to an automated teller machine (ATM) access card but for the Internet;
- A pre-arranged, customer-chosen picture or image that would appear every time you want to perform an online transaction, assuring an Internet customer that he or she had reached the bank's real Web site and not an impostor site;
- A "digital certificate" — a high-tech seal of approval from an online security service — that confirms the identity of an Internet user in a transaction with a bank or merchant.
- Software to recognize the real customer's fingerprint, voice or even their typical keystroke patterns.
If your institution adds new authentication methods for certain Internet products or services, your bank will notify you, perhaps in your monthly statement or in an e-mail.
But what if your bank doesn't tell you about any enhanced security measures? "It may be that your bank already uses enough other ways to authenticate you as a customer, including some behind the scenes," said Michael Jackson, an Associate Director of the FDIC's Division of Supervision and Consumer Protection. Possible examples, he said, include systems that enable a bank to confirm that a request is originating from your home computer and not someone else's, and maximum dollar limits on certain transactions that need special approval to be done online.
Jackson also noted that federal examiners will review each institution's assessment of its online banking risks as well as the security measures in place to make sure they satisfy government guidelines.
