A solution to email-based bank phishing attacks
Written by Dan Blacharski on November 10, 2008

A research note from TowerGroup, sponsored by IBM, addresses the issue of security in online banking and the techniques that cybercriminals are using to gain access to online bank accounts. Although the report, published in 2005, is a bit outdated, its message still hits home.
Generally speaking, so long as you follow standard security practices (use complex passwords, change them regularly, don't share them, and beware of emails claiming to be from your bank that ask for login details), online banking is just as safe as driving to your local bank branch. In fact, there has been a rash of bank robberies locally, so online banking may be even safer!
One of the threats highlighted by the report is email phishing, which has become a very common way for attackers to try to steal account information, and sometimes it works. The report recommends stronger authentication methods to combat this type of fraud.
The problem with the standard username-and-password authentication most commonly used by banks is that it puts the burden on the account holder to keep the information secret, leaving the account vulnerable to fraud and various social engineering tricks. In light of the major losses that continue to occur, the report recommends that financial institutions take on more responsibility by instituting stronger authentication techniques. In the past, banks have been reluctant to do this out of fear that customers would not accept such techniques and that they would be too expensive for the bank to implement.
The FDIC does recommend two-factor authentication (although most banks in the US don't offer it). Fortunately, these solutions are getting less expensive, and one option is to avoid the use of a hard token in favor of a soft token. The results are the same, and it is a lot less costly. Either way, two-factor works like this: the account holder enters a memorized PIN into the token, which then generates a one-time passcode, and the user enters that passcode to gain access to their information. Because the passcode expires after a single use, a stolen passcode is useless. If banks would implement this type of technology, it would go a long way towards eliminating the threat of email-based bank phishing attacks.
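The PIN-unlocked soft token and the bank-side single-use check described above, as an added example that is not code from the post or from the TowerGroup report. It assumes an HMAC-based one-time passcode (the HOTP construction of RFC 4226) as the token algorithm, a constructed shared seed, and a small look-ahead window on the bank side; none of these are specified by the page.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example: a PIN-protected soft token and a bank-side verifier
# that accepts each passcode exactly once, so a phished passcode that has
# already been used is rejected.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time passcode with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SoftToken:
    """Held by the account holder; the memorized PIN unlocks the seed."""

    def __init__(self, seed: bytes, pin: str):
        self._seed = seed
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.counter = 0  # advances on every passcode, making each one-time

    def passcode(self, pin: str) -> Optional[str]:
        candidate = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(candidate, self._pin_hash):
            return None  # wrong PIN: no passcode, seed never leaves the token
        code = hotp(self._seed, self.counter)
        self.counter += 1
        return code


class BankVerifier:
    """Bank side: shares the seed and remembers which counters are spent."""

    def __init__(self, seed: bytes, window: int = 5):
        self._seed = seed
        self._next = 0          # lowest counter value still acceptable
        self._window = window   # tolerate a few unused token presses

    def verify(self, code: str) -> bool:
        for c in range(self._next, self._next + self._window):
            if hmac.compare_digest(hotp(self._seed, c), code):
                self._next = c + 1  # c and everything before it is now spent
                return True
        return False  # unknown, stale, or replayed passcode
```

The RFC 4226 reference vectors (seed `12345678901234567890`, counters 0, 1, 2) can be used to confirm the `hotp` function is correct before the token and verifier are exercised.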