Technology To Authenticate Internet Banking Users Threatens Consumer Privacy

04.24.2009

A technology that’s commonly used to authenticate users when they log in for online banking may help reduce fraud, but it reportedly does so at the expense of consumer privacy, a civil liberties attorney said during a panel at the RSA security conference yesterday.

When you log in to a bank’s web site, you are typically asked for a user name and password. But that is only what happens on the surface; behind the scenes, the web site’s server is typically trying to identify the device being used, in an attempt to verify that the person logging in is the person whose account is being accessed (under the assumption that most people use the same computer for banking).

The technology not only can be used to allow legitimate customers into Web sites, but also to block computers that have been targeted as “bad actors,” said Todd Inskeep, a senior vice president for the Center for the Future of Banking at Bank of America.

Even though none of the information gathered during a log-in is personally identifiable, the bank shouldn’t have to collect regular data on when, how often and from where a consumer accesses a bank account, said Jennifer Granick of the Electronic Frontier Foundation. Such information can typically be compiled with other more sensitive information to create profiles and cross-referenced to learn more about consumers, she said.

“There is very little privacy protection in the U.S. for this type of information,” Granick said. “We don’t want it shared with affiliates that do advertising.” There should be restrictions on how long the bank will keep the data, who it can share it with and for what purposes, she added.