Companies scramble to bolster online security

Growing fears of identity theft and e-mail phishing scams, exacerbated by the recent data leaks at ChoicePoint and Bank of America, are pushing companies to adopt new IT security tools in a bid to bolster consumer confidence in online transactions.

The latest example is ETrade Financial's announcement last week that it is offering high-value customers a token-based form of authentication technology that can be used with passwords to provide an additional layer of protection for accessing online accounts.

The move addresses concerns about data security by giving customers a constantly changing password in addition to their static ones, said Joshua Levine, eTrade's chief technology officer.

"We felt that this is really something that our customers needed to make them feel comfortable about doing e-commerce," he said.

Increasingly, companies are being pushed to implement measures to rebuild consumer trust in the face of continued online attacks, said Robert Garigue, chief information security officer at the Bank of Montreal in Toronto.

"There's a lot of pressure to respond," said Garigue. "What we are seeing here is the issue of risk evolving from an internal technical concern to a trust-relationship issue."

In a poll of about 5,600 households conducted in December by Forrester Research, 26 percent of the online consumers said e-mail fraud concerns had stopped them from applying for a financial product, while 14 percent said they had quit accessing accounts or paying bills online. Another 20 percent said they don't open e-mail that looks like it came from their financial institutions because of worries about phishing attacks.

Such consumer angst is forcing companies to consider new identity, usage, service and privacy assurance measures, said Jonathan Penn, author of the Forrester report.

Some have already taken action. Since last fall, America Online has offered its customers two-factor authentication based on token technology from RSA Security. AOL is also offering antivirus, firewall and antispyware tools without charge to subscribers, a spokesman said.

Similarly, to help protect its customers against phishers, eBay is using Austin-based WholeSecurity's Web Caller-ID technology to let users verify the authenticity of a Web site via a downloadable browser plug-in.

The Stanford Federal Credit Union (SFCU) has implemented technology from Passmark Security that proves to customers that they have logged onto the SFCU Web site and not a fraudulent site.

All customers are provided with a secret image and phrase that are displayed during the log-on process and throughout the entire transaction. The images -- unique to each customer -- confirm the authenticity of the site, said Sam Tuohey, chief technology officer SFCU.

U.S. banks and other financial services companies have traditionally been reluctant to implement new security measures for fear of driving customers away, said Avivah Litan, an analyst at Gartner. Cost has been another concern, she added.

But that may change as consumers demand stronger protection from their financial services firms, Litan said.

In an April 2004 Gartner survey of 5,000 U.S. consumers, 60 percent of the respondents said they wanted the option of using additional security mechanisms for online transactions, while 19 percent said they wanted added protection as a condition of doing business with a company.

In light of that, Gartner predicts that by the end of 2007, up to 75 percent of U.S. banks will use an authentication method that's stronger than a simple password. Through the same period, up to 7 percent of U.S. banks and 70 percent worldwide will be mandating the use of hardware tokens for customer authentication, the report predicted.

"This notion of balancing security with convenience is an absolutely valid idea, but it needs to be revisited," Penn said. He added that security "is a much bigger issue now" than it was before.

Show Comments