People who do their online banking with Cambridge Savings Bank will find it a little harder to log on in the New Year. But bank executives don't think the customers will mind. It's for their own good -- and besides, it's the law.
A federal regulation mandating tougher online financial security measures will take effect Monday. Banks, credit unions, and other financial institutions must begin using enhanced technologies to protect customer data against identity theft. Many of the nation's biggest banks, including Bank of America, have already introduced "multi factor" authentication systems that go well beyond the traditional user name and password approach to prevent Internet fraud. Other smaller banks, which buy their online banking services from independent contractors, are scrambling to meet the coming deadline.
Mark Tracy, senior vice president of back technology and operations at Cambridge Savings, said his company has been testing its new authentication system for the past two months, with help from customers who've agreed to try it. "It's been pretty successful so far," said Tracy. "In January, we'll be making it mandatory."
Cambridge Savings customers will receive a user name and password when they sign up for the service. In addition, the first time a customer uses his home or work computer to do some banking, the machine is given a unique digital "fingerprint" associated with the customer's password. Whenever he banks with that computer, the bank software checks his user name, password, and computer fingerprint before processing the transaction.
If someone tries to log in from a machine that isn't fingerprinted, the bank will send a confirmation message to the customer's e-mail address. A crook who's stolen somebody's user name and password probably won't have access to the victim's e-mail account, so he can't reply to the message, and won't be allowed to log in.
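The login flow described in the two paragraphs above can be sketched in Python. This is an added example, not the bank's or any vendor's code. The `Bank` class, its method names, the 15-minute token lifetime, the in-memory `outbox` standing in for e-mail, and the choice to enroll a machine only after e-mail confirmation are all assumptions.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # signs e-mail confirmation tokens
TOKEN_TTL = 15 * 60                   # assumed lifetime of a confirmation, in seconds

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Bank:  # hypothetical model of the flow, for illustration only
    def __init__(self):
        self.users = {}    # name -> salt, password hash, e-mail, known devices
        self.outbox = []   # constructed stand-in for outgoing e-mail
        self.used = set()  # confirmation tokens that were already redeemed

    def enroll(self, name, password, email):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "pw": _pw_hash(password, salt),
                            "email": email, "devices": set()}

    def _token(self, name, device, expires):
        # Binding the token to user, device and expiry stops reuse elsewhere.
        msg = f"{name}|{device}|{expires}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def login(self, name, password, device, now=None):
        now = time.time() if now is None else now
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(u["pw"], _pw_hash(password, u["salt"])):
            return "denied"
        if device in u["devices"]:
            return "ok"  # user name, password and fingerprint all match
        # Unknown machine: a correct password alone is not enough.
        expires = int(now) + TOKEN_TTL
        self.outbox.append((u["email"], expires, self._token(name, device, expires)))
        return "confirm_by_email"

    def confirm(self, name, device, expires, token, now=None):
        now = time.time() if now is None else now
        valid = hmac.compare_digest(token, self._token(name, device, expires))
        if not valid or now > expires or token in self.used or name not in self.users:
            return False
        self.used.add(token)                      # single use
        self.users[name]["devices"].add(device)   # machine is now fingerprinted
        return True
```

The protection is only as strong as the e-mail account: anyone who controls both the password and the mailbox can enroll a new machine.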
Bank of America began using similar security technology last year. In addition, the bank uses a system called SiteKey, marketed by EMC Corp. of Hopkinton. SiteKey shields users from "phishers" who steal passwords by running phony websites that resemble those of legitimate banks. SiteKey prevents this by letting the user select an image -- say, that of a typewriter -- which appears on his screen whenever he logs into the real Bank of America site. Phony websites are easy to spot because they don't display the user's chosen image.
Passfaces Inc. of Washington, D.C., has signed up a number of Midwestern banks with a photo-based authentication system. During sign-up users are asked to memorize several photos of human faces. When logging in to do banking, some of these photos are displayed, along with other photos that the customer hasn't seen before. The user logs in by clicking on the familiar faces, but a would-be scammer has no way of knowing which photos to click. Lennie Myers, vice president of sales at Passfaces, said the system is far more versatile than EMC's SiteKey technology. "It can either augment or replace the password altogether," Myers said.
Peter Blanchard, vice president of member services for the Massachusetts Bankers Association, said that while large companies like Bank of America build their own security systems, hundreds of smaller banks outsource the work to "core processors" -- outside companies like Fiserv Inc. of Brookfield, Wis., which sell online banking services to financial institutions and credit unions.
Christine Barry, research director at Aite Group in Boston, predicted that some banks won't be ready for the January deadline, mainly because some core processors were slow to upgrade.
"A lot of these online banking providers didn't go live with their multifactor offerings until the summer," said Barry, leaving little time for hundreds of small banks to adopt the systems.
There's even some uncertainty about when the new law takes effect. An official at Pilgrim Co-Operative Bank in Cohasset, who declined to be named, said the regulation merely requires a bank to have its online security plan in place by Monday, with additional time granted to implement the plan. "At the end of March, we will be online," the official said.
But David Barr, spokesman for the Federal Deposit Insurance Corp., one of the agencies that issued the new rules, said this is incorrect.
"We fully expect them to be ready," said Barr. "They're supposed to be able to throw the switch and be ready to go online Jan. 1."
Hiawatha Bray can be reached at bray@globe.com.