Passwords + Pictures = Security?



It's getting harder for crooks -- and for you -- to access your financial accounts.

Memorizing a password just does not cut it anymore. Before you access a Bank of America account online, you'll be asked to verify an identifying image (say, a chess piece or some other object) and a phrase that pop up when you log in. E*Trade Financial offers a gadget that works like a digital decoder ring to unlock your account information. Wachovia might ask you for the name of your high school mascot before letting you pull up your bank statement. And some financial firms are experimenting with anti-fraud devices that will take your fingerprint or scan your iris to protect your identity and your money.

Blame financial regulators for the added inconvenience. It's part of an effort to combat identity fraud, which cost the economy a total of $49 billion last year, according to Javelin Strategy & Research.


About 3.7% of U.S. adults were victims of identity fraud in 2006. That percentage was actually down a bit from 2005, perhaps because regulators have required banks to improve online security to make sure you are who you say you are when you log in. And many other financial firms are beefing up their defenses as well. "By the end of the year, the security process will be very different," says Gwenn Bézard, a research director at Aite Group, which studies online security.

Cyber armor. Companies can select the kind of cyber armor they wear, and Bank of America, ING Direct and Vanguard are up front about their choice: They require you to select an image and a phrase that will appear on your computer screen before you type in your password. If you log on and the image and phrase aren't the ones you chose, you may have been directed to a fake Web site designed to steal your personal information.


Wachovia's security is more subtle. Each time you log on to a Wachovia account, bank software rates the risk that you could be a crook. Use your home computer and you're likely to get hassle-free access. Log on from an Internet café in Hoboken, N.J., then from one in Boston, and you'll probably have to cough up some personal details, such as the name of a favorite childhood pet.

A number of sites call on your people-watching skills. Web-security company Passfaces created an authentication system, adopted by Midwest Independent Bank, that features Brady Bunch-like groups of nine faces. You select three of the faces when you register your account, and you must recognize them in sequence each time you sign on.

Sometimes extra protection comes in small packages. E*Trade customers can request a device called a Digital Security ID, which is small enough to attach to your key chain and spits out a six-digit code when you log on. The number sequence changes every 60 seconds to prevent thieves from stealing your code. Customers who trade more than 30 times every three months get a free Digital Security ID; otherwise, the device costs $25.
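The rotating-code check that paragraph describes, as an added example that is not from the article or from E*Trade. It uses the open HOTP/TOTP construction (RFC 4226 and RFC 6238) as a stand-in, since the article does not say which algorithm the Digital Security ID runs. The 60-second slot and six digits are the article's figures; the secret, the one-slot clock-drift allowance and all names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each code stays valid (the article's figure)
DIGITS = 6   # code length (the article's figure)

def code_for_counter(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def code_at(secret: bytes, unix_time: int) -> str:
    """What the key-chain token would display at unix_time."""
    return code_for_counter(secret, unix_time // STEP)

class Verifier:
    """Server side: accepts the code for each 60-second slot at most once."""

    def __init__(self, secret: bytes, drift_slots: int = 1):
        self.secret = secret
        self.drift_slots = drift_slots   # tolerated clock skew, in slots (assumed)
        self.last_used = -1              # highest slot already accepted

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for slot in range(now - self.drift_slots, now + self.drift_slots + 1):
            if slot <= self.last_used:
                continue                 # replayed or older code: refuse
            expected = code_for_counter(self.secret, slot)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_used = slot
                return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"     # constructed demo secret (RFC 4226 test key)
    server = Verifier(secret)
    shown = code_at(secret, 125)         # customer reads the token at t=125
    print(shown, server.verify(shown, 130))   # first use inside the window
    print(server.verify(shown, 140))          # same code submitted again
    print(server.verify(shown, 400))          # same code minutes later
```

A captured code is refused once its slot has been used or has aged out, which is the property the article credits to the changing number; a code relayed to the real site within the same minute is not stopped by this check.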

Biometric identification -- the scanning of eyes or fingerprints -- is also in use. At a dozen branches in Utah and Idaho, Zions Bank is testing a system that lets customers cash checks if they are willing to use their fingerprints to identify themselves.


Will it work? All the extra fuss may not make our money any safer. When researchers at Harvard University and the Massachusetts Institute of Technology studied the anti-fraud image system used by Bank of America, they found that 58 out of 60 users still logged on to a phony Web site that did not display the images that the users had selected. The system raises the bar for criminals, says Rachna Dhamija, one of the researchers who conducted the study, but "if users don't comply, it's entirely ineffective. They are going to be giving out their credentials to the wrong Web sites."

But let's face it: It's tough to remember images in addition to multiple codes and user names. To help, a number of software programs -- Password Agent ($25), Handy Password ($30) and RoboForm Pro ($30) -- track all your passwords and stow them in a protected file on your computer or handheld device. Of course, you'll have to create yet another password and user name to access their protected files.

No matter how sophisticated it is, no single online-security measure is scam-proof. Even biometric doodads and high-tech code keys can be thwarted. David Cowan, co-founder of VeriSign, an Internet-security firm, says that many crimes could be prevented if banks simply made phone calls to account holders to confirm unusual or suspicious online activity -- such as transfers of large sums of money to other accounts or changes to mailing addresses for accounts.