In fact, despite updated online authentication guidance from the Federal Financial Institutions Examination Council, a new study from Javelin Strategy & Research says many top U.S. banks and credit unions continue to rely on outdated authentication practices.
In its just-released Banking Identity Safety Scorecard, Javelin finds that U.S. institutions have never truly embraced the notion of layered security.
"They don't involve the consumer as much as they should," says Phil Blank, Javelin's managing director of security, risk and fraud. "The U.S. has never really taken into account prescriptive measures."
In September and October 2011, Javelin surveyed the country's top 25 banks and credit unions by deposit size. Private institutions and institutions without a significant branch system were excluded. All of the institutions were evaluated on the consumer-facing fraud-prevention features they offer. Consumer data included in the report is based on information gathered from several Javelin surveys conducted between 2010 and 2011.
In some cases, Javelin finds institutions that continue to rely on Social Security numbers for online user authentication. "FIs really need to move away from the use of the SSN," Blank says, or risk exposing their customers to potential identity theft.
Now in its seventh year, the Scorecard reveals some areas of improvement. Though banking institutions must do more to involve consumers in the fraud-prevention process, the industry has made headway regarding the supply of consumer fraud-prevention tools. "But the challenge is that the FIs are not providing the incentive to the consumer to use the tools," Blank says.
The Scorecard highlights several areas that must be addressed, including:
- Failure of institutions to adequately address mobile-banking security risks. "A lot of FIs have rushed to market with mobile applications that have not been fully vetted," Blank says.
- Lack of consumer involvement in fraud prevention through tactics such as two-way text alerts. In a two-way communication, the consumer can approve a transaction by responding to a text confirmation initiated by the institution. "By deputizing the consumer, by enlisting the consumer, in the fight against fraud, it can make a material difference," Blank says.
- Over-reliance on static key-pattern analysis for authentication. "With the proliferation of social media, static KPA is really going by the wayside," Blank says. "But many FIs still rely on it. ... There really has to be more multifactor authentication and out-of-band authentication."
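The two-way text confirmation described above (and the out-of-band authentication Blank calls for) amounts to a small state machine on the institution's side: a pending transaction is bound to a one-time code sent over a channel separate from the online session, and the transaction proceeds only if the consumer's reply carries that code before it expires. The following Python sketch is an added illustration, not code from Javelin or from any institution in the study; the class name `OutOfBandConfirmer`, the message wording, the 300-second lifetime and the three-attempt limit are assumptions chosen for the example. The SMS sender and the clock are injected so the flow runs offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingTransaction:
    """A transaction awaiting out-of-band consumer approval (assumed structure)."""
    txn_id: str
    account: str
    amount_cents: int
    payee: str
    code: str            # one-time code sent to the consumer's phone
    expires_at: float    # epoch seconds after which the code is useless
    attempts: int = 0    # wrong replies seen so far
    status: str = "pending"


class OutOfBandConfirmer:
    """Initiates a two-way text confirmation and evaluates the consumer's reply.

    `send_sms` is any callable(phone, message); `now` is a clock returning epoch
    seconds. Both are injected so the example runs without a real SMS gateway.
    """

    MAX_ATTEMPTS = 3          # assumed policy: lock after three bad replies

    def __init__(self, send_sms, ttl_seconds=300, now=time.time):
        self.send_sms = send_sms
        self.ttl = ttl_seconds
        self.now = now
        self.pending = {}

    def initiate(self, txn_id, account, amount_cents, payee, phone):
        # Six-digit code from a CSPRNG; it is bound to exactly one transaction.
        code = f"{secrets.randbelow(10**6):06d}"
        txn = PendingTransaction(txn_id, account, amount_cents, payee, code,
                                 expires_at=self.now() + self.ttl)
        self.pending[txn_id] = txn
        # The message restates amount and payee so the consumer can spot a
        # transaction they did not originate before approving it.
        self.send_sms(phone,
                      f"Confirm payment of ${amount_cents / 100:.2f} to {payee}? "
                      f"Reply YES {code} to approve or NO to decline.")
        return txn_id

    def handle_reply(self, txn_id, reply):
        """Return one of: approved, declined, rejected, expired, locked, unknown."""
        txn = self.pending.get(txn_id)
        if txn is None or txn.status != "pending":
            return "unknown"          # no live transaction; a replayed reply lands here
        if self.now() > txn.expires_at:
            txn.status = "expired"
            return "expired"
        parts = reply.strip().upper().split()
        if parts[:1] == ["NO"]:
            txn.status = "declined"   # a bare NO needs no code: declining is safe
            return "declined"
        if (len(parts) == 2 and parts[0] == "YES"
                and hmac.compare_digest(parts[1], txn.code)):
            txn.status = "approved"
            return "approved"
        txn.attempts += 1
        if txn.attempts >= self.MAX_ATTEMPTS:
            txn.status = "locked"     # stop online guessing of the code
            return "locked"
        return "rejected"


def demo():
    """Walk one constructed transaction through the flow and return the outcomes."""
    sent = []                          # captured messages instead of a real gateway
    clock = [1_700_000_000.0]          # controllable clock for the example
    confirmer = OutOfBandConfirmer(lambda phone, msg: sent.append((phone, msg)),
                                   now=lambda: clock[0])
    confirmer.initiate("txn-1", "acct-42", 125_000, "ACME Supply", "+1-555-0100")
    code = confirmer.pending["txn-1"].code
    outcomes = [
        confirmer.handle_reply("txn-1", "YES 000000" if code != "000000" else "YES 111111"),
        confirmer.handle_reply("txn-1", f"yes {code}"),   # case-insensitive, correct code
        confirmer.handle_reply("txn-1", f"yes {code}"),   # replay after approval
    ]
    return outcomes, sent


if __name__ == "__main__":
    print(demo())
```

The important design points are that approval requires the code, not merely the word YES, so a reply forged from a channel that never saw the text cannot approve anything; that the code is bound to one transaction and one lifetime, so a captured reply cannot be replayed against a later payment; and that the message itself carries the amount and payee, which is what makes the consumer a useful participant in catching a transaction they did not initiate.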
For more information about the study's results and what they mean for financial institutions and online authentication, listen to the audio interview with Blank, who discusses more in-depth findings from the Scorecard. A copy of the full report is also available on Javelin's website.