E-Trade Rolls Out Two-Factor Identity Check

March 8, 2005

E-Trade recently announced that it will roll out two-factor authentication for its retail customers. Explaining the move, an E-Trade spokesperson cited recent security breaches at ChoicePoint and Bank of America as examples of the risks customers face when it comes to their identity information.

Meanwhile, problems with hackers who "phish" for account information are keeping 20 percent of online consumers from opening e-mails that look like they're from their financial provider, reports Forrester Research.

"This is what's driving a lot of financial institutions to look at two-factor authentication," says Forrester analyst Jonathan Penn. "Two years ago, they would have said, 'No way.' They didn't think the fraud problem was big enough. But it's much more about this eroding trust in the Internet and especially in online finance."

E-Trade plans to make its customers' lives a little safer by offering them a key-chain gadget that generates a new six-digit code every 60 seconds. This is the "second factor" of the two-factor identification process, the first factor being a login ID and password.

The gadget keeps hackers from logging into a customer's account even if the login information is stolen, because that information alone is no longer enough.

The Digital Security ID, which will be available at the end of March, will be free to customers with $50,000 or more in combined E-Trade account assets, or who trade more than five times a month. Meanwhile, E-Trade's 5,000 top customers will be mailed the device automatically, without having to request it.

E-Trade Financial president Lou Klobuchar told Securities Industry News that he hopes to extend the program eventually to more of E-Trade's customer base.

E-Trade's pilot project has already proven that people are hungry for more security, says Klobuchar. "When we put our request for participation up on our Web site for this pilot, we weren't sure how long it would take to get a few hundred customers signed up for it, and we were oversubscribed in hours," he says.

The customers report that they like it, and feel more secure about using E-Trade's online services. "They're inclined to use more products and they're inclined to put more assets with such a company," says Klobuchar.

E-Trade's rollout could represent the start of a trend, says Forrester's Penn. "With all the phishing attacks and spyware and other hacks that have been bombarding consumers, they're increasingly wary about doing business on the Internet and it's affecting the financial services quite strongly," he says.

In addition, financial firms that don't step up their security might face additional risks as other firms do just that. That's because hackers first go after the lowest-hanging fruit, says Elsa Lee, CEO of Advantage Security and Competitive Intelligence, a corporate and homeland security service provider based in El Segundo, Calif.

Lee also served for 20 years in the U.S. Army as an intelligence officer, investigating and tracking a variety of criminals, including terrorists, corporate spies, hackers and information thieves.

"The thieves would go find easier targets," Lee concedes. "But if everyone in the financial community would simultaneously move forward then it would make it harder for thieves and hackers." No institution is exempt from this threat, she adds.

Even if it looks as though only the biggest firms are targeted--the Citibanks and eBays of the world--once a thief has access to one account, they don't just move on, satisfied.

"In my experiences with identity thieves, they are not just accessing one account," says Lee. "Once they have access to one account, of either a business or individual, they will make every effort to identify how many other accounts are linked to that person or that business and see if they can get access to those accounts."

The criminals leverage the initial set of identity information, she says, then run credit checks and take other steps to ferret out all other accounts.

A crucial factor that makes this possible? Users often reuse account names and passwords to make their lives easier.

According to Lee, financial firms should make a concerted, industrywide effort to increase the security measures available for their customers, and the government should step in with better laws and enforcement.

"In some countries, like the United States, identity theft is difficult to prosecute and if successfully prosecuted, the penalties are not stiff," she says. "The criminal resumes the same criminal activities shortly upon release from any jail sentence. Stronger legislation and international cooperation would make identity-theft cases stemming from Web activities easier to investigate and prosecute successfully."

Meanwhile, Lee explains, it's best that the two factors in two-factor authentication be distinct from one another. For example, if the second factor were a digital certificate, a stolen laptop might have the certificate and the login information stored in the same place.

With a token such as the one E-Trade is using, however, it's highly unlikely that a hacker would be able to steal both the token and the login information. Lee says she hasn't seen any cases of this happening, adding that the tokens have been around long enough that prices have come down to a level where they're practical to deploy. "They've got price structures that fit most organizations," Lee says.

E-Trade's Klobuchar wouldn't disclose exactly how much E-Trade was paying RSA for the gadgets, which measure two inches by three quarters of an inch and can be attached to a key chain. "The cost of this device should not be an impediment to anybody who wants to use it," says Klobuchar. "They're not outrageously expensive."

Customers will still need to take security precautions, says Klobuchar, such as not giving out their login information and not picking easy-to-guess passwords. Taping the login ID and password to the security device is also not recommended. "We also recommend that they don't tape their device next to their taped-up password on the computer," Klobuchar says.

The device generates a new, random six-digit number every 60 seconds. The number is added on to the end of the user's normal password, making the password six digits longer and that much harder to guess. Also, a hacker who electronically steals this information with a snooping program won't be able to use it because the number almost immediately changes.
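To make the "password plus rotating code" scheme concrete, here is an added verifier-side example; it is not E-Trade's or RSA's code, and RSA SecurID's actual code-generation algorithm is proprietary. As a stand-in, the example assumes the six-digit code is derived from a shared secret and the current 60-second time step with HMAC-SHA1, in the manner of time-based one-time passwords; the account, password and secret are constructed sample values. It shows the three properties the article describes: the code is appended to the normal password, a snooped passcode is rejected once its minute has passed or once it has already been used, and the password alone is never enough.

```python
"""Toy verifier for a password followed by a 60-second rotating code.

Added example, not the article's or RSA's code.  Assumption: the code is
HMAC-SHA1(secret, time_step) truncated to six digits (TOTP-style); the real
SecurID algorithm is proprietary and differs from this stand-in.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article's 60-second rotation
CODE_DIGITS = 6     # the article's six-digit code
DRIFT_STEPS = 1     # also accept the neighbouring step to tolerate clock skew


def time_step(now: int) -> int:
    """Map a Unix timestamp to its 60-second step counter."""
    return now // STEP_SECONDS


def generate_code(secret: bytes, step: int) -> str:
    """Six-digit code for one time step (the token side of the scheme)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Account:
    """Constructed account record: password hash, token secret, replay marker."""

    def __init__(self, password: str, token_secret: bytes):
        # Plain SHA-256 keeps the example short; a real service would use a
        # slow password hash (bcrypt, scrypt, argon2) for this field.
        self.pw_hash = hashlib.sha256(password.encode()).digest()
        self.token_secret = token_secret
        self.last_used_step = -1   # highest time step already consumed


def verify_login(account: Account, passcode: str, now: int) -> bool:
    """passcode = normal password followed by the current six-digit code."""
    if len(passcode) <= CODE_DIGITS:
        return False
    password, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]

    # First factor: the password, compared in constant time.
    candidate = hashlib.sha256(password.encode()).digest()
    if not hmac.compare_digest(candidate, account.pw_hash):
        return False

    # Second factor: the code must match the current step (or a neighbour
    # within DRIFT_STEPS) and must not be one that was already accepted.
    current = time_step(now)
    for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
        if step <= account.last_used_step:
            continue   # replay: this step's code was already consumed
        if hmac.compare_digest(generate_code(account.token_secret, step), code):
            account.last_used_step = step
            return True
    return False
```

Each accepted code burns its time step for that account, so a passcode captured by a snooping program is useless after the legitimate login that used it, and it expires on its own once the drift window has passed. What the window does not protect against is a code relayed to the site within the same minute before the real user has used it, which is the gap behind the article's caveat that the method is not completely foolproof; a short window and the one-use rule narrow that gap but do not close it.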

It's not a completely foolproof method, but it makes it much, much harder for hackers to get into an E-Trade account--meaning that they'll likely move onto easier targets.

"There's a deterrent effect," Klobuchar says. "That's really what this is about."

Klobuchar acknowledges that there might be some inconveniences associated with the device. It can be easily misplaced, for example, or a user with multiple accounts at various financial firms might eventually have to carry several of these devices around.

"We solve that problem by making it the customer's choice," says Klobuchar. "If they care about this, and they want this additional level of security, we're providing them with a solution. If there was no inconvenience whatsoever to using it, it wouldn't be much of a solution."