Online banking too risky? Some say yes

Even as antifraud efforts increase, study finds that 18 percent of Americans are turning back to offline transactions.

Even as banks and regulators step up efforts to thwart identity theft over the Internet, the worry that fraudsters remain one step ahead is convincing many Americans that banking online is too risky.

At an identity theft forum in New York on Tuesday, security and policy experts said banks are taking appropriate steps to stop online criminals but that their best efforts--and consumers' own vigilance--may not be enough.

"Consumers can do everything right--not give out passwords or financial information--and still become victims," Susanna Montezemolo, a policy analyst at Consumers Union, said in an interview.

An October survey commissioned by Internet security company Entrust and released at the forum found that 18 percent of Americans who have banked online now do so less, or not at all, because of security concerns. Ninety-four percent say they're willing to accept extra online security protections.

The survey was conducted around the time that the Federal Financial Institutions Examination Council ordered banks to tighten online access by late 2006.

The council, composed of U.S. regulators such as the Federal Reserve and Federal Deposit Insurance Corp. (FDIC), expects banks to require at least two forms of authentication when the risks of online breaches are too high. The second form can include smart cards, tokens that generate random passwords, or biometrics that identify fingerprints or handwriting.

Some 10 million Americans are ID theft victims each year, the Federal Trade Commission estimates.

Congress is considering national standards to fight ID theft. Michael Oxley (R-Ohio), chairman of the House Committee on Financial Services, said victims of ID theft spend an average of 90 hours and $1,700 resolving the problem.

Perhaps the best-known form of online theft is "phishing." This is the act of sending e-mails asking prospective victims to verify personal information through links to real-looking Web sites. There were 13,776 distinct phishing attacks in August, according to the Anti-Phishing Working Group.

Fraudsters soon graduated to spyware and key logging, or monitoring prospective victims' Web use and keystrokes.

This year, security experts have seen a surge in "pharming." This is the act of redirecting user traffic intended for legitimate Web sites to fraudulent sites or proxy servers without any overt indication to users that the redirection is taking place.

"Spyware, key loggers and pharming are really growing," Michael Jackson, associate director of technology supervision at the FDIC, said in an interview. "Banks could step it up a notch in terms of security, which is why we have the guidance."

Still, in banking, traditional forms of theft, such as check fraud, remain more prevalent than online theft.

Consumers, moreover, complain about cumbersome security procedures. Tuesday's survey showed that 81 percent don't want to pay for extra online-banking protection.

Consumers Union's Montezemolo said computer users should make sure that their online connections are secure, vary the identifying information they use on accounts and not work with their accounts on shared computers.

She also urged banks not to share client information among affiliates and not to assign such obvious data as Social Security numbers as default logins.

"They'll never have 100 percent control," she said. "But we need to empower consumers to opt out on whether information is used and give them tools to take more control."

InfoSurv conducted the online survey of 710 people for Addison, Texas-based Entrust during the week of Oct. 17. The margin of error is three percentage points.
