Introduction

In today's era of online commerce and identity theft, password protection alone is no longer adequate to guard your financial assets. Your personal details are constantly at risk from phishing, keyloggers, and Trojan attacks. Even if you are sure you are safe and think you won't fall victim to a phishing attempt, think again.

I have a friend (whose real name I won't disclose for obvious reasons, so let's call him Jake) who is in charge of network security in a large corporation of over 1000 employees. Jake is very security-aware and is the last guy you would expect to fall for a phishing attempt.

A couple of weeks ago, Jake applied for an account at an online bank. A few days later he received two emails from that bank: the first notifying him that his application had been approved, and the second asking him to verify personal information to set up his online account. The first email was authentic, but the second one was a fake. The timing could not have been worse for him to receive that phishing email. Normally he would not have fallen for it, but since he was expecting communications from that bank, this time the phishing email caught him off guard. A few hours later he realized what he had done and notified his bank and credit monitoring services of the breach before any damage was done, but it still caused a big headache for him, and he is now forced to constantly monitor credit activity to make sure his personal data isn't put to unauthorized use.

Phishers send thousands of emails just like this, hoping to catch you off guard. If this happened to Jake, it could happen to anyone. And in addition to phishing, if your anti-virus program does not properly protect your computer, you could be exposed to keyloggers and Trojan attacks. This article does not deal with how to protect yourself from these types of attacks, but rather with how financial institutions can prevent unauthorized access when these attacks succeed, by implementing higher-level security measures.

I have divided the security strength used by banking institutions into 4 levels, from weak to strong. Level 1 Security (Password Authentication) is the most basic one and is used by all institutions; Level 4 is biometric authentication, not common among commercial institutions but used by high-security government institutions. Note that each level is inclusive of the levels below it: a system using Level 2 authentication will also be employing the Level 1 layer, and a system using Level 3 authentication should employ both the Level 1 and Level 2 layers.

Level 1 Security: Password Authentication

This is the most basic security measure and is used by all institutions. It requires a username and password as credentials in order to access account functionality. Note that even this level can be divided into several degrees of security depending on password limitations. Some institutions limit you by the length of the password or by which characters you can use in it (for example, alphanumeric characters alone). A system that only lets you choose a password up to 8 characters long, with no non-alphanumeric characters, is weaker than a system that has no such limitations. Always choose a strong password. The author's recommendation is to use at least 10 characters, with at least one character in a different case (mixing capital and lower-case letters) and at least one non-alphanumeric character (e.g. $, %, ^). The worst possible password you can choose is a short dictionary word with all letters in the same case.


Level 2 Security: Image Verification Key

Also referred to as "Two Factor Authentication", since it is used as an additional layer on top of password authentication. The image verification method consists of an image (sometimes accompanied by a phrase) that you choose when configuring your account. When you attempt to log in to your account, you are shown the image you had chosen. If you do not see your image, then you are most likely on a phishing (fake) website. In addition, when you set up your image key, your computer gets registered in the bank's system as a trusted computer. Should someone attempt to log in from a different computer, an additional security step is imposed, such as answering a secret question.


Level 3 Security: External Verification Key

This is one of the stronger methods of authentication, and it is the method endorsed by this article. In this security layer, a key (such as a random number) is sent to, or generated on, an external device which you hold. In order to log in to your account, you have to input that key. The key is only valid for a short amount of time and is invalidated after one use.

Two examples of this are the Bank of America SafePass and the eBay / PayPal Security Key. With Bank of America's SafePass system, you request a key every time you want to log in to your account or make any changes to it. The key, a 6-digit number, is then sent to your mobile device (cellphone) by text message (optionally it may be sent to a special wallet-sized card which you can order for $19.99). It is valid for one use and expires after 10 minutes. You must enter the code correctly in order to gain access to your account. If you do not have your mobile device available, you must call customer service in order to have them disable the SafePass feature.

With eBay and PayPal's Security Key, you order a small Verizon device ($5 at the time of writing this article) which you use to generate a random 6-digit key every time you want to log in to your account. Each key is valid for 30 seconds. If you do not have the device, you have to answer security questions, and then PayPal will call you to verify your identity before you can regain access to your account.
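To make the two Level 3 variants concrete, here is an added example (not code from the article, Bank of America or PayPal) of the server-side logic: a store that issues SafePass-style single-use codes with a 10-minute lifetime, and a standard HOTP/TOTP-style generator for a device-style key that changes every 30 seconds. The class and function names are the author's own choices for this illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time

CODE_TTL_SECONDS = 10 * 60   # SafePass-style lifetime: 10 minutes


class OneTimeCodeStore:
    """Issues 6-digit codes that expire after ttl seconds and can be used exactly once."""

    def __init__(self, ttl=CODE_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now        # clock is injectable so expiry can be checked deterministically
        self.pending = {}     # user -> (code, issued_at)

    def issue(self, user):
        # secrets.randbelow gives a cryptographically strong code; zero-pad to 6 digits.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, self.now())
        return code           # in a real deployment this goes out-of-band (e.g. SMS), never to the browser

    def verify(self, user, submitted):
        # pop(): any attempt consumes the code, so it cannot be replayed and a wrong
        # guess cannot be retried indefinitely within the 10-minute window.
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        code, issued_at = entry
        if self.now() - issued_at > self.ttl:
            return False      # expired
        return hmac.compare_digest(code, submitted)   # constant-time comparison


def device_code(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Device-style key: HMAC-SHA1 over the current 30-second time step (HOTP/TOTP construction).

    The device and the server share `secret`; neither needs a network connection
    to agree on the code, which is why the PayPal key works offline.
    """
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"
```

The verify() path is what defeats a stolen code: once consumed or past its 10-minute window it is worthless, even if a phishing page captured it.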

This security level is very strong, but it is not 100% foolproof: if not properly implemented, communications between your machine and the server could be intercepted by a machine in the middle, which would relay the login data (including the one-time key) to the real server and authenticate using the data you provided. This applies to security Level 2 as well.

The following images illustrate Level 3 security. The first image, a screenshot from Bank of America, shows all 3 authentication methods on their login page: Passcode (Level 1), SiteKey Image Verification (Level 2) and SafePass (Level 3). The second image shows the text message received from Bank of America when you click on the "Send SafePass Code" button. The third image shows a PayPal Security Key device used to generate the key which is required in order to log in to your PayPal account.

[Image: Log in screen from Bank of America showing 3 levels of authentication]
[Image: SafePass security text message from Bank of America]
[Image: eBay and PayPal Security Key]


Level 4 Security: Biometrics

This is the most secure layer, but also the most complex and expensive authentication method. Biometric authentication usually involves fingerprints or a retinal scan. A handful of banks use this layer, and it is also used by high-security government agencies. As the technology becomes less expensive and more widespread, it is expected that more financial services will move towards this security level.


Recommendation

It is the author's recommendation that any financial service institution providing online access should utilize Level 3 Security Authentication, or at least Level 2 Security Authentication. If your financial institutions are still at Level 1 authentication, you should write to them suggesting they implement a higher security level. If they do have Level 3 security implemented, make sure to take advantage of it. Most of the time these features are not active by default; rather, you have to opt in to be able to use them. For example, if you have a PayPal account you should order their Security Key immediately.

And while high security levels are utilized mostly by banks and other financial institutions, it is the author's opinion that other types of online organizations should also move towards the higher security levels. Any website where unauthorized access would cause loss of property and financial damage should implement this type of security. This would include sites such as domain registrars and email services. It is not necessary for most websites: for example, I do not suggest that Digg or Reddit (news sharing sites) require a retinal scan in order to log in, as the accounts there do not control any financial assets. However, email accounts control your email, which is a gateway to many other accounts, and domain registrants control virtual estate, which is why I recommend these types of sites also make the climb towards the higher security levels.
