Interesting exercise by Sarah.

Two comments:

1) My experience has been similar - the call center reps know little about security. I called Wells Fargo to ask why after I had changed my username from the default SS#, my SS# was still a valid login? This had the impact of having two log-ins and one password - increasing the risk. I was told how great the securty at Wells Fargo was and no one else had had any issues. I filed a formal request for someone in security to get back to me - never heard back from them.

2) Sarah, do you think the banks are going to do something about additional authentication factor as tokens?

Thanks

In February of this year (2007) I was defrauded of over $10,000.00. It likely would not have been possible if Fifth Third Bank hadn't failed to implement the FFIEC authentication guidelines by the December 31, 2006 deadline.
Here's what happened: our accounting computer was infected with a keylogging malware/spyware program - even though it is scanned nightly and we regularly change our password - and someone accessed our online account with merely the username and password. We reported the fraudulent ACH transactions within hours of their occurrence but Fifth Third Bank has refused to refund our money claiming they have no liability. I always thought my money was safe at the bank. Apparently I was wrong; or did I just choose the wrong bank?

Columbus - sounds like you are representing a business customer of Fifth Third. Unfortunately, businesses do not have the same legal protections as consumers when it comes to online banking but most large banks do offer or even require that business customers who initiate ACH payments online to use some form of two factor authentication (tokens, digital certificates etc). You should check your company's contract with the bank for online services, there should be a clause in there regarding commercially reasonable security procedures for initiating payments. Post-FFIEC deadline, it is hard to imagine that initiating ACH payments with just a username and password would be considered commercially reasonable.

To the anonymous reader who asks about two-factor authentication and tokens: I just don't think the banks are going to go there for non-business customers. They're not willing to force customers to use a token, and if they offer it as an option, it doesn't "count" as far as the FFIEC regs are concerned. The vendors are trying to turn the "something you have" into your computer, with some interesting device recognition technology. Only time will tell whether this is as effective as tokens.
-Sarah

@Sarah:
'They're not willing to force customers to use a token'

I rather think the issue is that they are unwilling to bear the cost of equipping their customers with a token. Unfortunately, most customers are unwilling to bear that cost as well.

--
'The vendors are trying to turn the "something you have" into your computer'

yep. My bank does this by letting you "register" your computer with them. They then place a cookie on your computer, and check for the presence of it next time you sign in. If the cookie is there, you just need the username/password. If it's not, you then have to answer 3 "personal" questions.

I won't go into all the reasons that this process is broken (anyone with access to the PC can copy the cookies being just one of them). In my case, I've set my browser to remove cookies on shutting it down. This means that I always have to answer the questions (which is fine by me.)

Of course, the questions themselves are flawed (what city were you born in?, what school did you graduate from?, what year? ... all publicly available information). But that's a different topic =)

It's NOT that the banks don't have the proper authentication in place, rather it is a training issue for those that field calls from the public or clients.

Call center reps should have a script readily available that explains the authentication in place, as my bank does.

For the more technical inquirer, a technical staff member at the bank should take the call if there are further questions.

If the bank's technical staff member can't put the caller at ease, then I would worry about that bank - and ONLY then.

PayPal offers a token, and for all practical purposes they are a bank.

I am a BofA online banking user. SiteKey is a pathetic joke - it offers no real protection against man-in-the-middle attacks or keyloggers. There is such a thing as DNS poisoning attacks.

Paypal now offers such a security device. https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside