Archive for July, 2006

Are Banks Missing an Opportunity?

Thursday, July 13th, 2006

CIO Magazine writer Sarah D. Scalet writes that she will not use online banking until banks offer strong 2-factor authentication via a USB token or RSA key fob.

Sarah goes on to examine the security policies and offerings of a number of major US banks, including Citibank, Bank of America, Wells Fargo, and Chase. None of these banks is offering 2-factor authentication devices for consumer online banking. It’s only available to business banking customers.

In Europe, tens of millions of people use 2-factor authentication devices to log into online banking every day. US banks say that people want convenience over security, and that besides, the 2-factor devices cost money.

Perhaps what we need here is for banks, and other sites, to offer 2-factor authentication as an option for customers. If they want to lock down their accounts and make them harder for phishers and e-criminals to get into, then they should be able to do so.

It’s all about choice and market segmentation. Clearly there is a market segment of online banking users who want, or even demand, more security for online banking authentication.

Canada Upset at US Government Surveillance of Banking Transactions

Thursday, July 6th, 2006

Canada’s Federal Privacy Commissioner, Jennifer Stoddart, is launching a broad fact-finding mission to try to determine just how much information the US Government has been requesting from Canadian banks, payment processors and clearing houses.

This latest brouhaha was stirred up by the “shocking” realization that the US Feds had subpoenaed global banking transaction records from the European banking and stock settlement organization, S.W.I.F.T.

I’ve done work with SWIFT in the past, in the areas of authentication and data security. I’ve even attended their famous all-night parties at their annual users conference, SIBOS. You’d be shocked and amazed at how hard a bunch of Belgian bankers and banking IT weenies can party. But that’s another story.

It should be no surprise that our banking transactions are under surveillance. After all, that is one of the primary tools for detecting money laundering. Money laundering is one of the main ways that organized crime and terrorist organizations fund their projects. In a minor way, it’s also how phishers and other online thieves “cash out” their stolen credentials and bank account information.

We’d better get used to the idea of governments watching our transactions. Hey, the bank that issued your credit card already knows as much as (or maybe more than) you do about your buying habits.

White House issues data encryption and authentication memo

Thursday, July 6th, 2006

On June 23, 2006, the White House issued a memorandum requiring all government departments to:
1. encrypt all data on mobile computers and devices
2. allow remote access only with 2-factor authentication devices
3. use a “time out” to auto-logoff idle computers
4. log all data access to databases, and ensure copied data is destroyed.

It’s about time.

After tens of millions of veterans have had their identity information compromised, and with USB flash drives full of military secrets being stolen and later sold in Baghdad street markets, this memo comes as no surprise.

Now we will see how effective they are at actually implementing the requirements. We will also see just how this type of regulation impacts companies and individuals. These measures make a lot of sense for companies of all sizes.