
Authentication

Welcome to the News View for "Authentication".

Here, on one page, you'll find all of the articles on Payments News for Authentication listed in date sequence beginning with the most recent article at the top of the page.


August 06, 2008

Consumer Authentication for Retail Banking

Tom Wills, Senior Analyst, Security and Fraud, at Javelin Strategy and Research has published a new report titled "Consumer Authentication for Retail Banking: Compliance Does Not Equal Security".

"With the majority of financial institutions in compliance after the frenzied rush to meet the authentication requirements of the 2005 FFIEC Guidance, a number of financial institutions have relaxed into a satisfied mode. Compliance is not security, however, and complacency increases risk. Weaknesses have already been proven for widely adopted methods such as mutual authentication and device recognition."   » Continue Reading

July 15, 2008

Aladdin, IdenTrust Partner for Online Banking Security

Aladdin Knowledge Systems has announced a partnership with IdenTrust to provide identity authentication solutions for secure online banking and financial transactions.   » Continue Reading

July 14, 2008

Citi Launches Citi Managed Identity Services

Citi has announced the launch of a high-assurance digital identity solution - Citi Managed Identity Services - saying it "enables Citi clients to use digital identity and signature technologies to effectively and securely manage the exchange of electronic information in digital commerce and business critical transactions."   » Continue Reading

July 09, 2008

Barclays Deploys Strong Authentication to Over 1 Million Customers

Gemalto has announced that over one million Barclays Bank customers in the UK are using its cryptographic smart card reader, called PINsentry by Barclays, to provide stronger authentication for online banking. According to Gemalto, "the bank started deploying its strong authentication program in July 2007 and not one PINsentry online customer has suffered fraud since then. User feedback has proven extremely positive and Barclays observed that customer acceptance was higher than anticipated by 30 percent."   » Continue Reading

July 07, 2008

Online Bankers Could Learn from Google's Gmail Enhancement

Google today announced an enhancement to its Gmail service - one that is designed to enhance login security and to better protect Gmail accounts from takeover attempts.

Gmail will soon display information about whether the account is currently open on another computer - as well as displaying recent activity on the Gmail account. Also included is a one click way for a user to sign off any other Gmail sessions that may be in progress.

This is an enhancement to basic sign-on "hygiene" - and an approach that online bankers may want to take a hard look at with respect to adding to their online banking services. TechCrunch comments on this new Gmail feature as well.

June 30, 2008

ID Analytics Introduces Authentication Solution

ID Analytics has announced the availability of ID Analytics for Authentication - calling it "a network based authentication solution that enables organizations to validate customer identities during online and call center interactions. ID Analytics for Authentication accurately separates legitimate and suspicious identities while reducing customer abandonment rates and lowering the cost of an authentication session by up to 50 percent."   » Continue Reading

June 27, 2008

UK: Alliance & Leicester Commercial Bank Implements 3D Secure

Alliance & Leicester Commercial Bank has announced that it has implemented 3D Secure on its BillPay websites. "Better known to the public as “Verified by Visa” and “MasterCard SecureCode”, 3D Secure is designed to protect cardholders against unauthorised use of their debit or credit cards online."   » Continue Reading

June 24, 2008

More on the Information Card Foundation

The Information Card Foundation has officially launched its web site and posted its announcement press release. The founding companies say it's their goal "to advance a simpler, more secure and more open digital identity on the Internet, increasing user control over their personal information while enabling mutually beneficial digital relationships between people and businesses."   » Continue Reading

June 23, 2008

Information Card Foundation Launched

Robert Vamosi reports for CNET News.com on the Information Card Foundation, a new group created by Equifax, Google, Microsoft, Novell, Oracle, PayPal, and others to "increase awareness of the use of electronic ID cards on the Internet, and encouraging interoperability in business around new standards." The Information Card Foundation website should be updated with more information on Tuesday. See also Dark Reading's article today. Laurie Flynn covers the story in Tuesday's New York Times.

June 11, 2008

Are Current Authentication & Identification Methods Good Enough?

Chris Skinner blogs about the results of a discussion earlier this week at the Financial Services Club in London on the question of whether current authentication and identification methods are good enough.

RSA Introduces SecurID Cards for Multi-Factor Authentication

RSA has announced the worldwide availability of the RSA SecurID 1100 Display Card, "an event-based, one-time password (OTP) authenticator in a flexible card form-factor designed to help financial institutions and their customers secure online accounts and transactions with two-factor authentication."   » Continue Reading

May 20, 2008

Annals of Knowledge-Based Authentication

Glenbrook's Carol Coye Benson posts a rant on her latest experience as a customer being forced through a knowledge-based authentication drill with a vendor (AT&T) who already knows her well.

Biographically-based Authentication

Acxiom has announced FactCheck-X Authenticate - calling it "a more secure means of online account authentication. Based on unique, biographically based question-and-answer sessions for account holders, businesses are more secure and customers can experience a better online authentication experience."   » Continue Reading

May 05, 2008

Australia Moving to Allow Use of PINs for Credit Cards

The Sydney Morning Herald reports on the "Pen or PIN" project underway in Australia that will allow shoppers using credit cards to either sign their receipts as they've always done or choose to use a PIN instead beginning June 4. A spokesman said: 'The introduction of PIN on credit and debit cards will give cardholders a quick and easy alternative to signature authorisation when making purchases in person.' Meanwhile, the Herald Sun reports that a consumer group is concerned that a move to PINs 'could result in consumers being unable to dispute credit charges.' More details here.

April 16, 2008

Innovative Card Technologies Partners with RSA

Innovative Card Technologies, developers of the ICT DisplayCard for e-banking, e-commerce and data access authentication, has announced a two-year supply and license agreement with RSA. Under the terms of the agreement, Innovative Card Technologies’ one-time passcode authentication cards will be available to RSA’s customers worldwide.   » Continue Reading

April 10, 2008

Securing Online Banking

Brian Krebs writes for his Security Fix blog at the Washington Post about changes to the banking code in the UK that stress that online banking customers have the responsibility to keep up-to-date anti-virus, anti-spyware, etc. software installed on their computers - and wonders why more US banks don't make available hardware tokens to secure online access (the way PayPal optionally does).

March 18, 2008

Quova, Guardian Analytics Partner to Fight Online Account Fraud

Quova has announced a partnership with Guardian Analytics to help protect online financial accounts from fraud and identity theft. "Under the partnership, Guardian Analytics has integrated Quova’s IP geolocation data into its FraudMAP solution. Providing online channel risk management, FraudMAP delivers fraud detection, forensics and ongoing risk monitoring based on strong analytics and predictive models of individual behavior. The unique solution was built from the ground up to automatically detect new online fraud threats in real time without requiring rules development or algorithm training."   » Continue Reading

March 06, 2008

Microsoft Acquires Credentica’s U-Prove Technology

Stefan Brands has announced that his company's (Credentica) U-Prove technology has been acquired by Microsoft and that he and a couple of his colleagues have joined Microsoft's Identity and Access Group. More about the acquisition at Kim Cameron's IdentityBlog and Microsoft's Data Privacy Imperative blog.   » Continue Reading

February 21, 2008

Adding a Second Factor to Online Card Transactions

M. E. Kabay writes for Network World about his proposal for using the cardholder name field in card authorization messages to transport one-time codes.

February 12, 2008

ISO Publishes New Biometric Security Standard - ISO 19092

ISO has published a standard to increase the security of financial transactions over electronic media. The new standard, ISO 19092:2008, Financial services – Biometrics – Security framework, establishes the security requirements for the implementation and management of state-of-the-art biometric identification technology within the financial industry.   » Continue Reading

January 28, 2008

Iconix Truemark Service Available to PayPal Customers

ICONIX has announced that its Iconix Truemark service is officially available to millions of PayPal account holders. According to the company, "by placing an icon next to legitimate email messages, the Iconix Truemark service helps consumers visually identify legitimate email messages and avoid dangerous scams known as phishing attacks."   » Continue Reading

January 17, 2008

Yahoo! Announces Support for OpenID Digital Identities

Yahoo! has announced "its support for the OpenID 2.0 digital identity framework for all 248 million active registered Yahoo! users worldwide. OpenID, an open framework based on proven Internet technologies, enables users to consolidate their Internet identity, eliminating the need to create separate IDs and logins at all of the various websites, blogs, and profile pages they may visit in the course of their online session. In addition to the many leading Yahoo! services users already enjoy, anyone with a Yahoo! ID will be able to use the same ID for easy access to any sites that support OpenID 2.0."   » Continue Reading

December 14, 2007

Experian, Microsoft Partner on Identity Management using CardSpace

Experian has announced that Experian and Microsoft have developed a proof of concept identity management service using Microsoft Windows CardSpace. The company said that "as ID fraud activity intensifies, this service streamlines identity authentication and provides a safer and simpler way to pay online."   » Continue Reading

November 09, 2007

Intel Capital Invests $10 Million in iovation

Intel Capital has announced a $10 million investment in iovation, a Portland, Oregon-based company that provides online security and fraud protection services. The company says it provides "the first device reputation service aimed at protecting business on the Internet. The real-time service prevents online fraud including charge-backs, identity theft, phishing, click fraud and other abuses of online services."   » Continue Reading

November 07, 2007

Blackboard, Sony to Offer Contactless Cards in U.S. Education Market

Blackboard and Sony have announced "a partnership to support Sony FeliCa contactless technology in the Blackboard Commerce Suite, a family of applications supporting one-card transactions on-campus, off-campus and online and allowing for identification, payment and access."   » Continue Reading

October 26, 2007

Citi, mChek Expand Mobile Services in India

Aniruddha Ghosh writes for India's Economic Times about the work Citi India and mChek are doing in India that enables a variety of services using the mobile phone as a remote customer signature device. "To ensure security, users of such services have a unique passcode which will prevent misuse even if their phone is lost. These transactions operate on a ‘remote signature’ principle, and are validated by one-time PINs generated separately for each transaction."

October 18, 2007

No Single Answer to Securing Online Banking

Grant Buckler writes for The Globe and Mail about multi-factor authentication and online banking - reporting that "combining passwords with questions and/or web cookies is the most popular multi-factor authentication technique online."

September 24, 2007

Identity: Innovation or Infrastructure - Field Report from DIDW

Glenbrook's Linda Elliott is attending this week's Digital Identity World conference in San Francisco. She's filed her first report from this morning's discussions and observations in her post titled "Doc Searls Provides a new ‘Clue’ for the Identity World"

September 11, 2007

The Best Use for Mobile - Securing Online Banking?

Is the best use of mobile devices by financial services players to use them for securing online banking access? Rob McMillan writes for PC World about Bank of America's SafePass announcement yesterday. Or, is two-factor authentication in the US market just a zero sum game between the bank and the consumer?

September 10, 2007

Bank of America Introduces Stronger Two-Factor Authentication

Bank of America has announced a new security feature for its online banking service called SafePass™ that the bank says "provides customers with an extra layer of protection against unauthorized transactions." According to the bank, "SafePass delivers a one-time-use six digit code as a text message to consumers' mobile devices that they can use to authorize their most sensitive online transactions. As an additional security measure, the code expires as soon as it is used or within 10 minutes after it is issued."   » Continue Reading

September 06, 2007

Annals of Digital Identity

In a commentary titled "Identity: Innovation or Infrastructure", Glenbrook's Linda Elliott shares some of her thoughts going into this year's Digital Identity World conference.

Those Pesky Social Security Numbers

Consumer Reports National Research Center has announced results of a national poll finding that "an overwhelming majority of Americans want lawmakers to restrict the use and availability of Social Security numbers by businesses and government agencies. According to the poll, 89 percent of Americans agree that state and federal lawmakers should pass laws restricting the use of Social Security numbers."   » Continue Reading

August 31, 2007

APACS Urges UK Consumers to Use Verified by Visa, MasterCard SecureCode

APACS has announced that "ten million UK-issued payment cards have now been registered with MasterCard SecureCode and Verified by Visa services – making these cards more secure when shopping online. Using these services is quick and easy. Cardholders sign up and choose a private password, which they then use when shopping at participating retailers." APACS has published a new guide for consumers titled "How to protect cards against online fraud" (PDF).   » Continue Reading

August 13, 2007

Finger Vein Money

Murdo Macleod reports for The Scotsman about a new biometric authentication system from Hitachi that uses finger vein patterns - instead of fingerprints - for consumer authentication at the point of purchase.

August 10, 2007

Banks Test 'Text Messaging' Security

Investor's Business Daily reports on how banks are seeking a balance between convenience and cost when it comes to strengthening logon and transaction security. "As most people now have cell phones, financial firms are also considering simply sending users one-time pass codes by text message or automated phone call, eliminating the need for tokens. Passcode generators can also be built into cell phone handsets."

June 27, 2007

China UnionPay Data, Arcot Partner on Risk Management, Anti-Fraud Measures

China UnionPay Data (CUP Data) and Arcot Systems have announced a partnership that the two companies say will help minimize Internet transaction fraud. Under the licensing and development agreement, CUP Data will use Arcot’s TransFort family of solutions in the joint development of a common risk management outsourcing service for marketing to card issuers in China.   » Continue Reading

June 26, 2007

Experian Announces Integrated Fraud Solution

Experian has announced a new fraud detection solution that the company says "integrates data authentication with consumer challenge questions to create the most comprehensive approach for detecting fraud and managing the associated risk. The new product, Knowledge IQ℠, is the first system to merge two essential elements in the fight against fraud."   » Continue Reading

June 15, 2007

PayPal Security Key Now Generally Available

PayPal has announced the general availability of the PayPal Security Key for PayPal's customers. The PayPal Security Key is a small electronic token that generates a unique security code approximately every 30 seconds. Members can use this code, along with their user name and password, to sign into both their eBay and PayPal accounts, helping to prevent unauthorized users from accessing them.   » Continue Reading

June 11, 2007

Arcot Introduces ArcotID Flash Authentication Client

Arcot Systems has announced the ArcotID Flash client, "making strong two-factor authentication as easy for online consumers as watching a Flash movie."   » Continue Reading

June 05, 2007

EMC Acquires Verid

EMC Corporation has announced the acquisition of Verid, Inc., an information security firm that "delivers knowledge-based authentication solutions to millions of users worldwide, through some of the largest consumer-facing financial institutions, telecom providers and retailers."   » Continue Reading

May 31, 2007

What Banks Tell Online Customers About Their Security

In a new post-FFIEC implementation article titled "What Banks Tell Online Customers About Their Security", Sarah D. Scalet writes for CIO Magazine about what she earlier called "creative" authentication. She writes about her experiences calling Citibank, Chase, and Bank of America and asking the call center reps about her concerns about online security.

May 23, 2007

Taking eFraud Out of eBanking

Arcot is holding a seminar in New York on Wednesday, June 6, titled "Taking the eFraud Out of eBanking - Preventing Identity Fraud in Financial Services".

May 16, 2007

UK - HSBC Opts Out of Home Chip and PIN

Andrea-Marie Vassou writes for Computeract!ve about a decision by HSBC to not deploy to customers chip card readers that other major banks in the UK are deploying to help deal with online banking and ecommerce fraud.

May 09, 2007

Gemalto Receives CAP 2007 Certification For Its Two-Factor Authentication Device

Gemalto has announced it is the "first company to achieve the MasterCard and Visa Chip Authentication Program (CAP) 2007 certification of its Pocket reader, designed to secure authentication of cardholders for remote banking and e-commerce."   » Continue Reading

May 01, 2007

Authentication and Online Trust Summit 2007 Presentations

Copies of the presentations made at the recent Authentication and Online Trust Summit 2007 are available online. Included is a presentation on Ecommerce and Online Banking Fraud (PDF) presented by Karim Noorali, Sr. Product Manager, eBay, Victor Talamo, VP & Director Risk Management, JPMorganChase and Marcelo Camara, Banco Bradesco Febraban - Brazilian Banking Organization.

April 21, 2007

A Look at Verified by Visa in the UK

In an article titled "Verified by Visa scheme confuses thousands of internet shoppers", Miles Brignall reports for the Guardian about the migration of many ecommerce sites to using Verified by Visa or MasterCard SecureCode - and the confusion that some consumers experience when asked to enroll in those services in the middle of their shopping experience.

April 18, 2007

More on Barclays PINsentry Two-Factor Authentication Solution

Gemalto has announced that it is providing Barclays Bank with a tailor-made product supporting Barclays' project to offer stronger authentication for online banking customers. According to the company, its solution "includes the authentication devices and a full service encompassing design of the readers, fulfillment and distribution to the Barclays customer. In addition, Gemalto produced a unique looking device, customised with the bank’s visual corporate identity. The contract calls for the delivery of over half a million units by the end of this year and includes options for additional deliveries into 2008." More information, including photos of the device, is available at the Barclays web site.   » Continue Reading

Barclays Provides 500,000 Chip and PIN Readers to Customers

Tash Shifrin reports for Computerworld UK that "Barclays bank is sending out handheld chip and PIN card readers to more than half a million online banking customers in a bid to prevent fraud."

April 17, 2007

FDIC's Supervisory Policy on Identity Theft

The FDIC last week issued its "Supervisory Policy on Identity Theft" describing the characteristics of identity theft and setting forth the FDIC's expectations that institutions under its supervision take steps to detect and prevent identity theft and mitigate its effects in order to protect consumers and help ensure institutions' safe and sound operations. "The FDIC treats the theft of personal financial information as a significant risk area due to its potential to impact the safety and soundness of an institution, harm consumers, and undermine confidence in the banking system and economy. The FDIC believes that its collaborative efforts with the industry, the public and its fellow regulators will significantly minimize threats to data security and consumers."

April 16, 2007

CashEdge To Use Verid's Knowledge Based Authentication Technology

Verid has announced that CashEdge will integrate Verid's Knowledge Based Authentication (KBA) technology into CashEdge's online account opening and funding solutions to enhance the depth and quality of its risk management capabilities using Verid's industry-leading KBA process, already in use at eight of the top ten financial institutions.   » Continue Reading

April 12, 2007

A Look At Fingerprint Biometrics

Ann Keeton reports for the Wall St. Journal about the expanding use of fingerprint biometrics. She reports that about "10% of new laptops sold in the U.S. come equipped with tiny, inexpensive fingerprint sensors, eliminating the need for people to remember passwords."

March 20, 2007

Study Says Telephone Banking Is Major Channel Vulnerability For Banks

Javelin Strategy and Research has released a new report titled "Telephone Banking Authentication: Securing a Popular yet Vulnerable Channel" that concludes that "weak authentication measures continue to be utilized for phone banking." According to the report "a majority of top 23 US financial institutions need to strengthen authentication methods for the phone, with over 1 in 4 still asking for a full Social Security number, and only 8% requiring a password or answer to challenge questions."   » Continue Reading

March 06, 2007

GSI Commerce Selects The 41st Parameter for Client Device ID

The 41st Parameter has announced that GSI Commerce has selected its proprietary FraudNet solution to identify client devices online to detect and prevent Internet fraud. According to the companies, "GSI, which operates eCommerce businesses for about 60 partners in 11 retail merchandise categories, uses FraudNet to identify suspect versus legitimate online devices and transactions to help prevent criminals from completing fraudulent purchases."   » Continue Reading

Experian, VoiceVerified Alliance Offers Strong Authentication Solutions

Experian has announced an alliance with VoiceVerified to "jointly market and sell authentication solutions that combine data-based and voice biometric authentication technologies to verify an individual's identity. Multifactor authentication will result in reduced fraud and associated operational losses for organizations, address Federal Financial Institutions Examination Council guidance requirements and provide a more secure operating environment for consumers."   » Continue Reading

March 03, 2007

FTC To Host Identity Authentication Workshop

On April 23 and 24, 2007, the Federal Trade Commission will host a public workshop, “Proof Positive: New Directions in ID Authentication,” to explore methods to reduce identity theft through enhanced authentication. The workshop will facilitate a discussion among public-sector, private-sector, and consumer representatives, and will focus on technological and policy requirements for developing better authentication processes, including the incorporation of privacy standards and consideration of consumer usability issues.   » Continue Reading

March 02, 2007

GSA, Wells Fargo Partner for E-Authentication

The U.S. General Services Administration's (GSA) Federal Acquisition Service (FAS) has announced that "small business customers of WellsSecure, a business unit of Wells Fargo Bank, will now have access to FAS' premier online proposal submission program -- eOffer -- using WellsSecure digital certificates. This is the latest successful public-private partnership under GSA's E-Authentication Initiative, managed by the U.S. E-Authentication Identity Federation."   » Continue Reading

February 07, 2007

Corillian Supports Integration of Microsoft Windows CardSpace

Corillian has announced it is integrating support for Windows CardSpace into its online banking products. Windows CardSpace is a component of the .NET Framework 3.0, available on Windows Vista and Windows XP, which helps store a person’s digital identity in a security-enhanced manner, and provides a unified interface for choosing the identity for a particular transaction, such as logging in to a Web site.   » Continue Reading

February 06, 2007

An Interview With RSA's Art Coviello

Joris Evers of CNET News.com interviews RSA president Art Coviello during this week's annual RSA Conference being held in San Francisco. Coviello comments that "if you look at the three biggest Internet banks in the country, the way they have responded to the FFIEC recommendation for having strong authentication in online transactions, each one is using a different type of RSA technology."

Outrunning the Regulators

Titled "Outrunning the Regulators," this month's Resilience Report from strategy+business and Booz Allen Hamilton by Joni Bessler, Debra Banning, and Roman Regelman discusses the FFIEC guidelines regarding authentication and recommends that "banks institute a mechanism for self-analysis and self-improvement that allows them to anticipate their future security needs. In doing so, they will meet their current burden of compliance, lessen the impact of any future regulatory guidance, reduce their risk exposure, and address customers’ concerns about the security of online banking."

February 05, 2007

Wachovia Selects RSA Adaptive Authentication

RSA has announced that Wachovia has "deployed the RSA® Adaptive Authentication solution and joined the RSA eFraudNetwork community to protect its customers, their funds and personal information further when banking online, while incurring minimal impact to the online user-experience."   » Continue Reading

January 30, 2007

Entrust Introduces $5 Hardware Security Token

Entrust has announced the launch of a new, five dollar one-time-password (OTP) hardware security token along with news that Expedia will become the first company to deploy the new Entrust token.   » Continue Reading

January 25, 2007

RSA Annual Consumer Online Fraud Survey

RSA has announced the findings of its fourth annual Financial Institution Consumer Online Fraud Survey. Conducted in December 2006, the online survey asked 1,678 adults from eight countries around the world for their opinions on evolving fraud threats such as phishing, vishing and keylogging, and on the efforts of their financial institutions to strengthen remote channel banking authentication.   » Continue Reading

January 16, 2007

More on PayPal's Security Key

Last week we mentioned a CNET News.com story about PayPal introducing a new, token-based authentication solution to its members. PayPal's now providing more information about the PayPal Security Key on its web site along with an FAQ.

January 12, 2007

PayPal To Offer Password Key Fobs To Users

Joris Evers writes for CNET's News.com about plans by PayPal to make available key fobs to its users to help authenticate themselves at logon and reduce the threat from on-going phishing attacks. Evers reports that PayPal plans to charge personal PayPal users $5 for the key fob but will be giving them away to PayPal business account users.

January 08, 2007

BioPassword Secures $11 Million Strategic Funding

BioPassword has announced it has secured $11 million in Series C financing from new investor RRE Ventures and existing investors including Citrix Systems, Ignition Partners and OVP Venture Partners.   » Continue Reading

Wachovia Introduces Security Plus

Wachovia has announced Wachovia Security Plus, "a new enhanced suite of security measures, to toughen Wachovia's already-strong security measures in the fight against online theft and fraud."   » Continue Reading

January 02, 2007

How Safe Is Your Online Bank?

Robert Guy Matthews writes for the Wall St. Journal about the state of online banking authentication - post the 12/31/06 compliance deadline imposed by the FFIEC in the fall of 2005.

December 28, 2006

UK House Of Lords Committee Examines Personal Internet Security

Earlier in December, the UK's House of Lords Science and Technology Committee, as part of their investigations into personal Internet security, heard evidence from representatives of APACS, VISA and the FSA. eGov Monitor reports that story - saying that "the witnesses were pressed on what mechanisms the financial industry in the UK had put in place to protect people using online banking and other online financial services." A transcript (PDF) of the oral evidence presented is available online.

December 08, 2006

PNC Bank Announces New Online Security Feature

PNC Bank has announced "a new security feature for online banking customers to further protect their information and help prevent fraud and identity theft. Available Dec. 10, PNC's layered security is designed to enable customers to verify they are at the authentic PNC Bank Online Banking site, and simultaneously enhances PNC's ability to validate a customer's identity. This will be accomplished through a unique image and caption chosen by the customer as well as security questions with answers that only he or she should know."   » Continue Reading

November 27, 2006

Fighting Fraudulent Transactions

Bruce Schneier blogs about why the focus in fighting online banking fraud needs to be on the transactions themselves, not solely on authenticating the user's logon.

November 22, 2006

Another Look At Stronger Authentication For Online Banking

Sarah Scalet reports for CSO Magazine about the steps banks are taking to implement stronger authentication in response to FFIEC guidelines for year-end compliance. Included in the article is a useful chart - titled "Beyond the PIN" - of many of the stronger authentication techniques.

Financial Institutions Urged To Look Beyond FFIEC Rules

Jaikumar Vijayan writes for Computerworld that some industry experts are recommending that financial institutions do more than just comply with the FFIEC guidelines regarding stronger authentication of online banking customers.

November 10, 2006

FFIEC Internet Banking Authentication Guidance: Bank Updates - V7

Glenbrook's Linda Elliott has been following the banking industry's efforts to comply with the FFIEC Internet Banking Guidance issued almost a year ago. We first posted her initial summary of bank strategies last September. Here's a link to her most recent update (version 7) with the latest on what the industry has been doing since then. Linda points out there are only about 30 business days left in the year for financial institutions to finalize their plans to comply.

November 03, 2006

FFIEC Internet Banking Guidance: Bank Updates

Glenbrook's Linda Elliott has been following the banking industry's efforts to comply with the FFIEC Internet Banking Guidance issued almost a year ago. We first posted her summary of bank strategies last September. Here's a link to the most recent update on what the industry has been doing since then.

October 31, 2006

Arcot, Yodlee Partner To Provide Multi-Factor Online Security

Arcot Systems has announced a partnership with Yodlee to deliver multi-factor authentication capabilities with the full suite of Yodlee’s solutions and services.   » Continue Reading

October 26, 2006

FFIEC Internet Banking Guidance: Bank Updates

Glenbrook's Linda Elliott has been following the banking industry's efforts to comply with the FFIEC Internet Banking Guidance issued almost a year ago. We first posted her summary of bank strategies last September. Now, Linda provides an update on what the industry has been doing since then:

We've updated our earlier chart on announced FFIEC Compliance actions. We are now beginning to see more varied approaches to the dual-factor authentication challenge. Biometrics is being rolled out at some smaller institutions, such as Credit Unions. Today, Verisign and Northern Trust announced use of the Verisign network approach to risk-based authentication. While the field of announced solutions is more varied than before, the large security firms still seem to be announcing more 'wins' with larger companies.   » Continue Reading

October 24, 2006

RSA's Adaptive Authentication for Phone

RSA has announced RSA Adaptive Authentication for Phone, a product designed to "meet the financial industry’s need for strong, automated and convenient caller authentication for telephone banking, given the nature of fraud migration and the regulatory requirements stated in the FFIEC’s Authentication in an Internet Banking Environment guidance."   » Continue Reading

October 10, 2006

Symantec, VeriSign Deliver Stronger Identity Protection For Consumers

Symantec and VeriSign have announced plans to deliver "security solutions to combat the growing threat of consumer identity theft and fraud on the Internet." Symantec plans to offer support for the VeriSign Identity Protection (VIP) Authentication Service, which allows consumers to utilize one-time passwords to protect their online identity.   » Continue Reading

Verid Enhances Knowledge Based Authentication Platform

Verid has announced a major new version of its Knowledge Based Authentication (KBA) platform that helps businesses quickly authenticate consumers through a series of personalized questions unique to that individual. According to Verid, "businesses are rapidly moving away from using social security numbers to identify customers and recognizing that a pet's name may not be the best way to protect financial or other accounts."   » Continue Reading

October 09, 2006

TrueMe Online Biometric Authentication Service From Pay By Touch

Pay By Touch has announced the debut of TrueMe, what the company claims is "the first secure, on-demand biometric authentication service on the Internet."   » Continue Reading

October 02, 2006

Large US Retail Bank To Bet On PKI With Arcot

Glenbrook's Jim Salters files this report: Even if you've been following the authentication space and the industry dash to comply with the FFIEC Authentication Guidance, it's likely that you've never heard of Arcot. But that may soon change. According to the company, a major bank in the US will soon announce their plans to deploy ArcotID technology to its millions of retail banking customers. And while this might sound like just another customer win for an authentication solution provider, this appears to represent a dramatically different authentication strategy than we've seen so far from a large US bank, with interesting implications.   » Continue Reading

A Look at Clickprints

Charles Arthur writes for the Guardian about "clickprints" - "a unique pattern of web surfing behavior based on actions such as the number of pages viewed per session, the number of minutes spent on each page, the time or day of the week the page is visited, and so on" - based upon research by Professor Balaji Padmanabhan, at the Wharton School at the University of Pennsylvania, and Professor Catherine Yang, of the Graduate School of Management at the University of California, Davis.

Norway: BankID for Mobile Phones

Telenor and the Norwegian banking industry have announced they have entered into a "unique agreement to make life simpler for millions of Norwegians by making banking and payment services available via a mobile phone, anytime and anywhere."   » Continue Reading

September 26, 2006

Banks Rated For ID theft

Joris Evers reports for CNET News.com about the new Banking Identity Safety Scorecard released by Javelin Strategy & Research that suggests Bank of America, JP Morgan Chase and Washington Mutual do the best job for their customers in preventing, detecting and resolving ID theft.

September 22, 2006

Single Factor Plus For Online Banking Authentication

David Berlind blogs for ZDNet about how banks are dealing with the FFIEC guidance issued last fall to strengthen online authentication while trying to avoid changes that inconvenience their customers. According to Berlind, "the trick has been to come up with "1b" or "single factor+" solutions: solutions that primarily rely on what you know, but that also emulate, to the extent that they can, what you have (the 2nd factor in true multifactor security)."

September 20, 2006

A Look at Verid's Knowledge Based Authentication

Verid recently announced a deal with RSA Security to incorporate Verid's KBA (Knowledge Based Authentication) solution into RSA's "adaptive authentication" product suite. Glenbrook's Carol Coye Benson spoke yesterday with Kevin Watson, Chairman & CEO of Verid, to learn more about KBA and the company.   » Continue Reading

September 19, 2006

Identity Theft Task Force Announces Interim Recommendations

The Department of Justice has announced that the President’s Identity Theft Task Force has adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft. The Identity Theft Task Force, which was established by Executive Order of the President on May 10, 2006, and is now comprised of 17 federal agencies and departments, will deliver a final strategic plan to the President in November.   » Continue Reading

Garanti Bank Deploys Mobile Phone-based Second Factor Authentication

VASCO Data Security International has announced that Garanti Bank in Turkey will use VASCO's Digipass for Java Phone strong authentication with its retail customers. Garanti Bank already uses VASCO's hardware Digipass 260 for corporate banking. Garanti's retail customers will have the choice between the software Digipass for Java Phone or the Digipass 260.   » Continue Reading

September 18, 2006

EMC Completes RSA Security Acquisition

EMC has announced it has completed the acquisition of RSA Security. EMC also announced it has signed a definitive agreement to acquire Network Intelligence, a privately-held company in the security information and event management market. EMC says "the acquisition of RSA and Network Intelligence joins market leaders which together will create the new information security division of EMC."   » Continue Reading

September 15, 2006

RSA Security, Verid Team For Strong Authentication

RSA Security has announced that it is teaming with Verid in order to further expand the range of strong authentication technologies included in its comprehensive RSA Adaptive Authentication solution. RSA Security will integrate Verid's knowledge-based authentication (KBA) technology into the RSA Adaptive Authentication platform.   » Continue Reading

September 13, 2006

Volume of Business Passwords Overwhelming End Users

RSA Security has announced results of the company's second annual password management survey, which polled businesses on issues pertaining to password management. More than 1,300 business professionals participated in this global study, which confirmed that the burden of multiple passwords continues to pose significant security risks, and encourages end-user behavior that endangers compliance initiatives.   » Continue Reading

September 11, 2006

OCC Issues Customer Authentication and Internet Banking Alert

The Office of the Comptroller of the Currency has published a "Customer Authentication and Internet Banking Alert" to banks reminding them of their need to comply with FFIEC guidance issued last fall and suggesting that "it is anticipated that there will be increased activity by fraudsters to send false communications with the intent of obtaining customer information for the purposes of fraud and identity theft. These communications may attempt to exploit the December 31, 2006, conformance date. For example, communications purporting to be from a national bank could inform customers that, due to the FFIEC guidance, the bank is required to change its security procedures and, as a result, request customers to re-register or provide personal information that would enable the bank to comply with the regulatory requirement."   » Continue Reading

Annals Of Social Engineering: A Simple Masquerade

Matt Richtel and Miguel Helft of the New York Times report on the "pretexting" industry - suddenly made much more famous as a result of the recent Hewlett-Packard board investigation. They say that "pretexters often use techniques similar to those employed by identity thieves to obtain not only telephone records but also other private data." They cite industry experts who say all you need to get access to a wireless subscriber's bill is the last four digits of a person's Social Security number and their zip code. While using pretexting to gain access to financial records was made illegal at the federal level in 1999, using it to access telephone records isn't clearly illegal.

September 10, 2006

UK Two Factor Authentication

Yuba Bessaoud reports for the London Sunday Times on plans by banks in the UK to provide hand-held terminals to bank customers that will generate unique eight-digit codes on every transaction - and plans to use them for online banking access. If successful for bank access, Bessaoud reports that APACS might later extend the use of the terminals to retail websites as well.

Banks Invest In Better Security Online

Laura Smitherman writes for the Baltimore Sun about the authentication techniques banks in the Baltimore area are implementing to "better identify online customers after federal regulators, alarmed by the rising incidence and sophistication of identity theft, imposed a year-end deadline."

September 07, 2006

Two-Factor Authentication: No Silver Bullet

Jay Cline of the Carlson Companies writes an opinion piece for ComputerWorld about how there's no one "silver bullet" solution to two-factor authentication, saying "it’s bad for business and bad for the economy for standards organisations to mandate a one-size-fits-all solution. Continued flexibility is the right way to go to address this complex risk."

September 01, 2006

FSTC Announces GSA RFI For Identity Credential Services

The Financial Services Technology Consortium (FSTC) has announced that the General Services Administration (GSA) is requesting information on the capability of commercial and other entities to provide identity credential services to support public access to Internet-based online government services. A copy of the RFI is available for download.   » Continue Reading

FFIEC Internet Banking Guidance: Banks Begin to Show Their Hands

Glenbrook's Linda Elliott has been following the banking industry's efforts to comply with the FFIEC Internet Banking Guidance issued almost a year ago. Here, Linda provides the following update on what the industry has been doing - and talking about:

The implementation deadline for FFIEC Internet Banking Guidance looms at the end of this year, and after almost a year of studying both the guidance and their options, banks are beginning to show their hands in addressing the guidance. Clarifications from the FFIEC last month added little to the set of considerations for most institutions, but re-iterated that the implementation target is the end of the year, and that ‘do nothing’ was not considered a valid response, even if a bank is willing to accept the inherent risk in that approach.   » Continue Reading

August 31, 2006

Goldleaf Teams with RSA Security

RSA Security has announced that Goldleaf Technologies is now offering the RSA Adaptive Authentication solution to its banking and credit union customers.   » Continue Reading

August 28, 2006

Unlocking Fingerprints

Griff Witte writes for the Washington Post about the upcoming issuance of new federal employee ID cards and how the use of biometric and other technologies in those cards could spur usage in other applications - potentially including banking and payments.

Wells Fargo Announces Authentication Upgrades

Wells Fargo has announced several upgrades to its online security platform "designed to give customers and businesses even more protection in the fight against Internet fraud."   » Continue Reading

August 23, 2006

All Points Capital Chooses Arcot For Multi-factor Authentication

Arcot Systems has announced that All Points Capital, a subsidiary of North Fork Bank, has chosen Arcot's WebFort multi-factor authentication solution for authenticating financial institution customers into its online transaction portal. The ability to also use Arcot's solution for secure digital signing of electronic documents was an important factor in All Points' decision.   » Continue Reading