1. Internet security experts have long known that simple passwords do not fully defend online bank accounts from determined fraud artists. Now a study suggests that a popular secondary security measure provides little additional protection.
2. The study, produced jointly by researchers at Harvard and the Massachusetts Institute of Technology, looked at a technology called site-authentication images. In the system, currently used by financial institutions like Bank of America, ING Direct and Vanguard, online banking customers are asked to select an image, like a dog or chess piece, that they will see every time they log in to their account.
3. The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords.
4. The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images.
5. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.
6. “The premise is that site-authentication images increase security because customers will not enter their passwords if they do not see the correct image,” said Stuart Schechter, a computer scientist at the M.I.T. Lincoln Laboratory. “From the study we learned that the premise is right less than 10 percent of the time.”
7. He added: “If a bank were to ask me if they should deploy it, I would say no, wait for something better.”
8. The system has some high-power supporters in the financial services world, many trying to comply with new online banking regulations. In 2005, the Federal Financial Institutions Examination Council, an interagency body of federal banking regulators, determined that passwords alone did not effectively thwart intruders like identity thieves.
9. It issued new guidelines, asking financial Web sites to find better ways for banks and customers to identify each other online. January 2007 was set as the compliance date, though the council has yet to begin enforcing the mandate.
10. Banks immediately knew what they did not want to do: ask customers to download new security software, or carry around hardware devices that feed them PIN codes they can use to authenticate their identities. Both solutions would add an extra layer of security but, the banks believed, detract from the convenience of online banking.