The Federal Deposit Insurance Corporation is urging US banks to abandon single password-based ID systems in favour of two-factor authentication following a sharp rise in 'account hijacking' ID theft.
The outline guidance follows an FDIC investigation into the problem, which suggests that unauthorised access to bank accounts is the fastest-growing form of identity theft.
In publishing its findings, the agency points to Federal Trade Commission estimates that almost 2 million US adult Internet users experienced this type of fraud during the 12 months ending in April 2004. Of those, 70% did their banking or paid their bills online and over half believed that they had received a phishing e-mail.
The FDIC says that fraudsters are taking advantage of the reliance on single-factor authentication for remote access to online banking, and the lack of e-mail and Web site authentication, to perpetrate account hijacking.
The regulator says financial institutions and government agencies should consider a number of steps to reduce online fraud, including upgrading existing password-based single-factor customer authentication systems to two-factor authentication systems.
The FDIC says banks should also use scanning software to proactively defend against phishing attacks. Customer education and information sharing among banks are also recommended.
The FDIC says it hopes to use the study to formulate guidance to bankers next year. Comments are invited by 11 February, 2005.