Monday, June 13, 2011

US regulators may demand increased online banking security

US banking regulators are considering introducing tougher new rules to force banks to tighten access to online accounts, according to media reports.

New measures may include improving the security behind user passwords, the chairman of the Federal Deposit Insurance Corporation (FDIC), one of the US' banking regulators, has said, according to the Reuters news agency.

Banks may be asked to "strengthen their authentication when a customer logs onto online accounts," Sheila Bair, chairman of the FDIC, said, according to the Reuters report.

Regulators last updated their security guidance on internet banking in 2005, but late last year proposed that it be modernised, the Reuters report said.

The regulators are "increasingly concerned that customer authentication methods implemented several years ago may no longer be effective ... [and are] also ... aware that some institutions have failed to perform periodic risk assessments and update their control mechanisms appropriately," the regulators said in December, according to Reuters.

Earlier this week Citigroup, the biggest financial services company in the world, confirmed that hackers had stolen personal data belonging to approximately 210,000 of its customers. The Financial Times had previously reported that the company's systems had been breached.

Names, account numbers and contact information were stolen, but other personal information was not taken, Citigroup said in a statement.

"During routine monitoring, we recently discovered unauthorized access to Citi’s Account Online," Citigroup said in its statement. "A limited number – roughly one percent – of Citi North America bankcard customers’ account information (such as name, account number and contact information including email address) was viewed."

"The customer’s social security number, date of birth, card expiration date and card security code (CVV) were not compromised," the statement said.

Citigroup said it was contacting customers whose information was exposed and said it had put in place "enhanced procedures" to prevent future data theft.

"For the security of these customers, we are not disclosing further details," Citigroup said.

Hackers could have a partial profile of customers that helps them if they try to obtain more information from people directly, a security analyst has said.

"Customers affected by this incident should be on high alert for scams, phishing and phone calls purporting to be from Citibank and their subsidiaries," Chester Wisniewski, Senior Security Advisor at online security firm Sophos, said in a report.

"While Citi customers aren't likely to have fraudulent charges against their accounts as a result of this breach, they are likely to encounter social engineering attempts to enable further crime," Wisniewski said.

"Considering that the attackers have your name, account number and other sensitive information they are able to provide a very convincing cover story to victims," Wisniewski said.

http://www.out-law.com/page-11995