Although the cyberthieves have made in-roads this year, there are a number of clever low-cost authentication methods being tested. The thing they have in common, simplicity with no new hardware.

Here is a quick recap of the available techniques. Generally, these techniques would be used in addition to a username and password:

To thwart keylogging (but not phishing):

• virtual keypad (or string of numbers from 1 to 10): user selects numbers from the keypad/list instead of typing (for added security the numbers should be positioned differently each time)

To thwart keylogging AND phishing:

• picture/graphic selection: instead of a numerical ID, users identify the correct graphical image or picture from a everchanging pool of choices
• bingo card: user enters the requested coordinates (which change each login) from a preprinted "bingo" card (">refer to previous NB article)
• one-time PINs: user enters a number from a list of one-time-use PIN numbers previously mailed, emailed, text-messaged to a mobile phone, or voice messaged to any phone
• shared secrets: the bank and the user establish a serious of shared secrets, one of which must be answered correctly to complete login
• random partial passwords: similar to the shared secret approach, the bank asks for a different portion of the PIN number at each login

For more information, refer to our previous security NetBanker security articles and Online Banking Report (#93/94).

—JB

Security freeze is the latest buzzword in the world of privacy and online security. It was used today in the title of an article in The Wall Street Journal’s Personal Journal section, Freezing Out Identity Theft.

Here’s how it used in the first sentence of the article:

In an effort to combat the rapidly escalating outbreak of identity-theft crimes, a handful of states including California and Texas have passed legislation that allows consumers to put a "security freeze" on their credit history.

Action Item
Use this phrase in your marketing to reassure wary customers. For example,

• "Once you report any fraud, phishing, or identity theft, we will put a security freeze on your bank accounts against any unauthorized withdrawals."
• "If someone tries to guess your password, we’ll freeze your account against any more attempts."

And eventually as you develop more advanced security preferences, customers will have the ability to put their own selected security freezes or locks on their accounts. For example, users that always access from one computer, could lock-out any access attempts from other IP addresses (see Quova for tools in this area). Or the customer could lock their account against point-of-sale transactions in other states and countries.

To learn more about how to promote online security and customer peace of mind, check out Marketing Security: The sensitive issue of publicizing security and authorization enhancements from our sister publication, the Online Banking Report.

In the United Kingdom, the government has launched an initiative to inform its citizens of phishing and other fraud dangers. One of its key services is an email and/or text message service that informs users when new fraud threats are identified.

To fight the problem of having their own emails spoofed, they require users to select a "safe word" that will be used in the subject line of all emails.

Analysis
Not only is this an effective way to fight phishing, it helps personalize your messages, improving their chances of being read.

— JB