Banks Get Wise to Phishing Fraud

Much debate about the costs and benefits is taking place today in every bank. Senior management are often seeking the silver bullet, but the reality is that fraud has to be managed, and won't be eliminated. There are too many variables, including the customer and their own behaviours. This article covers it well.
Banks Get Wise to Phishing Fraud – Enterprise Security – NewsFactor Network

"No legitimate bank or e-commerce company is going to send its customers e-mails requesting security information," said Amanda Pires, a spokesperson for PayPal. "Nor is a bank going to send out an e-mail warning that a user's account will be suspended if they do not immediately provide their Social Security Number."

Banks are responding to the threat of phishing, prompted both by the fraud itself and by the US Government guidelines.

In the U.S., the federal government has given banks until the end of the year to install better online-security measures. Some companies, such as Bank of America and E*Trade, have gotten a head start by introducing new authentication technologies to complement the traditional user name and password required for accessing online services.

However, it's too early to tell what the results will be. One thing we do know is that the criminals are always thinking ahead to the next weakest link.

But, according to Avivah Litan, an analyst at research firm Gartner, it is "too early to tell" how the criminals will respond to the new security systems.

Banks are employing two types of strong authentication, software and hardware.

  1. Software: "SiteKey allows our customers to know that they are accessing our Web site and not a fraudulent site, and it enables us to know that we are dealing with genuine customers," said Betty Riess, a spokesperson for Bank of America.
  2. Hardware: Since April 2005, it has been offering its customers devices known as SecurID tokens, which are made by RSA Security …. These tokens calculate a one-time "passnumber" to enter when logging on. The number has to correspond to an identical one-time passcode that is simultaneously generated at E*Trade's back-end server.

The big banks realise that either or both of these are merely one more piece of the security portfolio.

"Just as a home owner has a gate, a lock on the door, an alarm and a safe, so banks need to have multiple layers of security," said Amir Orad, executive vice president of marketing at New York security firm Cyota. In addition to stronger authentication, Orad said, banks need to be monitoring their customers' transactions for abnormal events.

"If I log on and simply pay my monthly car insurance bill, then that is a normal event which does not need any verification," he explained. "But if an online payment is made out of my bank account to someone that I have never made a payment to before, then maybe the bank needs to ask for some additional security information before authorizing the transaction."
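The rule Orad describes can be sketched as a per-account payee history with a step-up check for first-time payees. This is an added example, not code from the article or from any bank or vendor; the class and function names, the `verify` callback and the sample payments are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Payment:
    account: str
    payee: str

def payee_key(name: str) -> str:
    # Fold case and whitespace so "ACME  Insurance" and "acme insurance" match.
    return " ".join(name.lower().split())

@dataclass
class PayeeMonitor:
    # account -> payees that have received at least one authorized payment
    known: dict = field(default_factory=dict)

    def needs_step_up(self, p: Payment) -> bool:
        return payee_key(p.payee) not in self.known.get(p.account, set())

    def process(self, p: Payment, verify) -> str:
        """verify(p) stands in for the bank's extra check (hypothetical callback)."""
        stepped_up = self.needs_step_up(p)
        if stepped_up and not verify(p):
            return "blocked"  # failed check: payee is NOT added to history
        self.known.setdefault(p.account, set()).add(payee_key(p.payee))
        return "allowed_after_step_up" if stepped_up else "allowed"

# Constructed sample data: not real accounts or payees.
SAMPLE = [
    Payment("acct-1", "Acme Car Insurance"),      # first payment to this payee
    Payment("acct-1", "acme car  insurance"),     # same payee the next month
    Payment("acct-1", "Never Paid Before Ltd"),   # payee with no history
    Payment("acct-1", "Never Paid Before Ltd"),   # retry after a failed check
    Payment("acct-2", "Acme Car Insurance"),      # history is kept per account
]

def run_sample() -> list:
    monitor = PayeeMonitor()
    # Assumption for the demo: the customer confirms every payment except
    # the one they did not make.
    confirm = lambda p: p.payee != "Never Paid Before Ltd"
    return [monitor.process(p, confirm) for p in SAMPLE]

if __name__ == "__main__":
    for p, outcome in zip(SAMPLE, run_sample()):
        print(f"{p.account} -> {p.payee!r}: {outcome}")
```

A payee only becomes "known" after an authorized payment, so a failed verification never whitelists the payee for the next attempt.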
