What Banks Are Doing About Phishing

(Direct) There’s good news and bad news for banks about phishing, the scam in which identity thieves masquerading as trusted companies send out e-mail to induce recipients to click on a link, go to a Web page and give up their personal information.

The good news? More people are becoming aware of the threat. The bad news: This awareness may be leading recipients to delete authentic e-mail communications from their banks—including newsletters—on the suspicion they’re fraudulent.

Wachovia Corp. encountered this problem when it sent out e-mail in spring 2005 advising customers of a new log-in Web page after its merger with First Union Bank. The customer service desk promptly received a flood of phone reports of a potential phishing scam.

Realizing that malefactors had polluted its e-mail stream to consumers, Wachovia moved to set up a secure online message center through which all account information must now travel. Online customers get an e-mail that tells them a message has arrived in their Wachovia mailbox, but without an active link to the message center. It’s then the customer’s responsibility to surf to the proper URL, log in with user name and password, and open the message. Lesson learned on Wachovia’s part: In notifying customers of a subsequent acquisition of SouthTrust Corp., the bank went back to mailing paper letters.

Wachovia’s message-center technique trades some of the efficiency of e-mail for increased security, an option that might be attractive to other companies and some e-mail newsletter publishers. But that may make it a less than ideal solution, since at least some portion of online banking users won’t take the time — or have the Internet know-how — to find their own way to the message center.

Another large financial institution has taken a different tack to reclaim e-mail as a customer communications channel. Bank of America, also in Charlotte NC, has deployed technology from PassMark Security that should help retain e-mail as a useful medium for getting its operational messages and marketing offers out to bank users. SiteKey, the PassMark solution used by B of A, involves what’s known as “two-factor authentication.” Customers are invited to sign up for the free service by choosing a digital image from a library of thousands: everything from ice skates and cowboy hats to penguins and sailboats. At the same time, they concoct three “challenge questions” for further authentication if necessary.

The next time a registered SiteKey user logs on to the bank’s Web site, he enters his user name. The bank’s system matches that user ID to a unique identifier that SiteKey places on the customer’s computer. If the B of A server finds a match, it serves up a pop-up of the image the customer selected at registration. Reassured that he is indeed logging on to the official B of A Web site, the customer can then proceed to enter his password and bank more securely.

“The system offers assurance to the bank that you are really you, using a device with a machine ID that you’ve used before to access your account,” says Mark Goines, PassMark’s chief marketing officer. “And two-way authentication means you can be sure the bank’s Web site is real and thus feel comfortable entering your password and any other personal data your banking business may call for.”

SiteKey also will be applied to Bank of America’s e-mail communications with its customers. After linking that same digital image to a user’s e-mail address, the picture is inserted as HTML code into outbound B of A e-mail messages, using the same technology that direct mailers use to customize messages with targeted offers.

Bank of America customers who open that e-mail can therefore get the same reassurance of legitimacy that they get on the Internet. This then will allow B of A to make fuller use of e-mail to transact banking business the most efficient way — by including live hyperlinks to Web offers, account log-ins, bill payment centers or other action items directly within the message rather than forcing users to get out of their mailboxes and surf to a site on the Web under their own steam.

One of PassMark’s potential weaknesses, of course, is that users either have to have their preview pane open when checking e-mail or trust the purported bank e-mail enough to open it. Other users may not be able to see HTML code at all in their e-mail.

To overcome these restrictions, the SiteKey platform has users associate a PassMark phrase with their image choice at registration: something random, simple and personal, such as “Maui trip” to accompany a sailboat picture. That phrase is then used in the subject line of the message to increase opens, and in the spot next to the image in the e-mail itself, so a user who can’t see the image can still be reasonably confident the e-mail really is from Bank of America.

PassMark’s solution can place the necessary servers either on the bank’s premises or with its third-party e-mail sender. Most financial institutions PassMark has been talking with want to keep the Internet log-in authentication system within their own walls, Goines says.

But when it comes to the e-mail authentication portion, customers have shown they’re as comfortable outsourcing that to third parties as they are any other e-mail function.

“We’re fine with adding this image processing to an outside vendor, provided we can protect the images [on third-party e-mail platforms] with our own secure token technology,” he says. “We separate the user ID names from the images and encrypt them, so no employee can break in and get both authentication keys. You might grab the image, but you’ll never know which e-mail address it relates to.”