FDIC Warns: Banking Customers may Resist Authentication Methods that Solicit Personal Information


Financial institutions who are racing to adopt a "challenge question / response" approach to authentication could be setting themselves up for an unpleasant shock.

On December 14, 2004, the Federal Deposit Insurance Corp (the FDIC) released a widely publicized study entitled "Putting an End to Account-Hijacking Identity Theft." In this study, the FDIC outlined a number of ways U.S. financial institutions could begin to address the problem of account hijacking and identity theft.

In the wake of this study, the FFIEC and other agencies published regulatory guidelines that are dramatically changing the face of online banking in the United States. Authentication vendors quickly followed suit by introducing a host of authentication products to the financial market, the most common of which use some form of the "challenge question / response" concept.


In the "challenge question / response" concept, consumers are prompted to supply personal information in response to challenge questions. If the consumer answers the question correctly, the financial institution presumes they are who they claim to be and permits them to access the account. At this time, no fewer than twenty different vendors offer some variation of this concept, including Passmark Sitekey, Cyota, Business Signatures, and Digital Resolve.

Financial institutions who are racing to adopt these "challenge question / response" approaches may be setting themselves up for an unpleasant shock.


On June 17, 2005, the FDIC published a supplement to its earlier study that has been largely overlooked by the financial industry and authentication vendors. In this supplement, the FDIC noted several important omissions in its earlier study, reported on industry and consumer acceptance of its earlier recommendations, and then cautioned against adopting authentication methods that use personal information solicited from consumers.

The FDIC wrote, "Although consumers are worried about phishing and the trustworthiness of e-mail messages from their banks, they are also concerned about the security of their personal information more generally."

They warned that U.S. financial institutions should be prepared to meet stiff resistance from their customers to any approach that relies on personal information, stating "When banks consider authentication methods for retail customers, they should be aware that these customers value security and the protection of confidential information... Consumers will require a clear explanation of any security mechanism and the use of any personal information required to implement that security mechanism."

They also noted that "limitations on the use of personal information and the existence of privacy safeguards are important elements of consumer acceptance," and cited one study warning that "two-thirds of respondents said they will switch banks if their bank fails to secure their personal information."


Bank of America was one of the first financial institutions to adopt this "challenge question / response" approach when they implemented Passmark Sitekey. Passmark Sitekey attempts to locate a file previously saved to the customer’s computer. However, for millions of online consumers who routinely block such actions, Sitekey solicits personal information in response to challenge questions.
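The two-path flow described above (recognize a file previously saved on the customer's computer; if it is absent or blocked, fall back to challenge questions) can be sketched as follows. This is an added illustration, not Passmark's, Bank of America's or Sestus's code: the token format, the HMAC device token, PBKDF2 answer hashing, the normalization rule and the three-attempt lockout are all assumptions chosen here to show what a defender would want on the server side, namely that a recognized device never triggers a request for personal information, and that enrolled answers are stored only as salted hashes rather than in the clear.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Hypothetical server-side key used to sign device-recognition tokens
# (constructed for this example; a real deployment keeps it in an HSM or secrets store).
SERVER_KEY = os.urandom(32)

# Assumed policy: wrong challenge answers allowed before the fallback path is locked.
MAX_CHALLENGE_ATTEMPTS = 3


def _normalize(answer: str) -> str:
    """Canonicalize a free-text answer so 'Lincoln Elem.' and 'lincoln elem' compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash of the normalized answer; the plaintext answer is never stored."""
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)


class ChallengeStore:
    """Server-side record of enrolled challenge answers plus a per-user failure counter."""

    def __init__(self):
        self._records = {}   # user -> (question, salt, digest)
        self._failures = {}  # user -> consecutive wrong answers

    def enroll(self, user: str, question: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[user] = (question, salt, _hash_answer(answer, salt))

    def question_for(self, user: str) -> str:
        return self._records[user][0]

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= MAX_CHALLENGE_ATTEMPTS

    def verify(self, user: str, answer: str) -> bool:
        if self.is_locked(user):
            return False
        _, salt, expected = self._records[user]
        ok = hmac.compare_digest(_hash_answer(answer, salt), expected)
        self._failures[user] = 0 if ok else self._failures.get(user, 0) + 1
        return ok


def issue_device_token(user: str, device_id: str) -> str:
    """Value the bank would save on the customer's computer after a successful enrollment."""
    msg = f"{user}|{device_id}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user}|{device_id}|{tag}"


def device_token_valid(user: str, token) -> bool:
    """True only if the token was issued by this server for this user and is unmodified."""
    if not token:
        return False  # file missing or blocked by the browser
    parts = token.split("|")
    if len(parts) != 3 or parts[0] != user:
        return False
    msg = f"{parts[0]}|{parts[1]}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(parts[2], expected)


def second_factor(store: ChallengeStore, user: str, device_token, answer=None):
    """Decide the second factor for a user who has already passed the password check.

    Returns ("ok", "device") when the saved file is present and valid,
    ("challenge", question) when the customer must be prompted,
    ("ok", "challenge") or ("fail", ...) once an answer has been supplied.
    """
    if device_token_valid(user, device_token):
        return ("ok", "device")  # recognized device: no personal information requested
    if answer is None:
        return ("challenge", store.question_for(user))
    if store.verify(user, answer):
        return ("ok", "challenge")
    return ("fail", "locked" if store.is_locked(user) else "challenge")


if __name__ == "__main__":
    # Constructed sample enrollment and login attempts.
    store = ChallengeStore()
    store.enroll("alice", "first_school", "Lincoln Elementary")
    token = issue_device_token("alice", "home-pc")
    print(second_factor(store, "alice", token))                       # device path
    print(second_factor(store, "alice", None))                        # prompt for question
    print(second_factor(store, "alice", None, "lincoln elementary"))  # normalized answer accepted
```

Because the server retains only a salted PBKDF2 digest of each answer, a database leak does not directly expose the personal facts customers were asked for, and the lockout bounds online guessing of low-entropy answers; neither measure changes the fact, which is the point of the complaints quoted below, that the customer is still asked to disclose the information in the first place.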

Almost immediately, Bank of America customers began complaining about Sitekey's solicitation of their personal information. On one online forum (slashdot.org), BofA bank customers were openly outraged by this approach:

"So... once the person has given his account id, password, and answers to 3 personal questions, only then can he verify BofA's site identity? What kind of idiot came up with that idea?"

"The only difference is that instead of having your password and maybe credit card stolen, you'll also have thieves who have three or more pieces of personal information about you"

"I need to provide the website with all my secret details and only after I have authenticated I can find out if their site is legitimate?"


There is at least one multi-factor authentication solution that does not solicit personal information from consumers. PhishCops by Sestus Data Corporation uses government-approved mathematical algorithms developed by the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce. The company reports that PhishCops was designed from its inception in accordance with FDIC and FFIEC regulatory requirements and represents a revolutionary new approach in authentication.

PhishCops is a new approach, but it appears to be gaining momentum quickly. The company reports that since its formal introduction to the market in March of this year, it has been contacted by over 350 organizations for additional information or to begin implementation. For its breakthrough in multi-factor authentication, the U.S. government named PhishCops a semi-finalist for the 2005 Homeland Security Award, and InfoWorld Magazine awarded it its highest honor, the InfoWorld 100 Award.

In a recent survey, PhishCops was rated #1 among two-factor authentication solutions, offering the lowest total cost of ownership with the fastest implementation time and least support requirements. This is good news for business owners. Perhaps more important, however, PhishCops authenticates without soliciting personal information. This is good news for consumers who value their privacy in an increasingly insecure online world.

Company website: http://www.phishcops.com
