The Federal Deposit Insurance Corporation says US banks "can and should do more" to protect the security and confidentiality of sensitive customer data in order to prevent account hijacking.
User names and passwords should be supported in Internet banking transactions with new and better ways of identifying real customers, according to an update on identity theft from the US regulatory agency.
In December, the FDIC urged US banks to abandon single password-based ID systems and introduce two-factor authentication for Web banking customers.
"Identity theft, particularly account hijacking, continues to grow as a problem for the financial services industry and for consumers," says FDIC Chairman Don Powell. "Our review illustrates that ID theft is evolving in more complicated ways and that more can and should be done to make online banking more secure."
In its update, the FDIC says that the information security risk assessment that financial institutions are required to perform should also address customer authentication. Furthermore, banks have an obligation to properly secure all delivery channels, so user names and passwords should be supported in Internet banking transactions with multi-factor authentication.
The FDIC says that it does not intend to propose one solution for all, but that consumers are concerned about online security and will be receptive to using a new form of authentication if they perceive it as offering improved safety and convenience.
The FDIC and other federal banking agencies are expected to issue guidance this autumn to member firms about improving the security of customer authentication methods.
Earlier this month the FDIC suffered the embarrassment of having to warn thousands of current and former employees that their sensitive personal information was breached, leading to a number of fraudulent loan applications at a credit union.