Consumers who use online banking services could be required to provide additional identifying information each time they log in, under guidelines issued by federal regulators hoping to stem the rising tide of identity fraud and theft.
Instead of relying on just a user name and password, for example, consumers might be asked to enter an access code that is beamed to a device they carry, or to scan a fingerprint, before they can log in to their accounts.
But some computer security experts warn that the guidelines, issued last week, fall well short of needed requirements to thwart computer crime.
Because most Internet commerce Web sites, including those of financial institutions, primarily require only user names and passwords to gain access, cyber-thieves spend a lot of energy trying to obtain such information.
They employ "phishing" -- in which users are tricked into providing the information through the use of fake security notices or authentic-looking Web sites -- or they implant malicious software code on people's machines that can monitor keyboard strokes or read data files.
Once the vandals have the user names and passwords, it becomes easy to compromise accounts, gather more personal data or even assume the financial identity of a victim.
Using several layers of security -- or "multi-factor authentication" -- would help solve this, according to the Federal Financial Institutions Examination Council, an umbrella group for regulators at the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration.
The council did not recommend any particular additional security technology in its new guidelines.
But its members consider "single-factor authentication . . . to be inadequate for high-risk transactions involving access to customer information or the movement of information to other parties," the council said.
Financial institutions have mostly resisted moving to multi-factor authentication because it is more expensive and because they fear making online banking more cumbersome and thus less attractive to consumers. The banks also vow that they already take the necessary steps to secure their sites, their networks and their customers' personal information.
The council, however, is not requiring the banks to add security layers. Instead, banks must perform risk assessments to determine whether their systems should be upgraded.
"The risk assessments provide bankers with more flexibility to tailor security measures to better safeguard their customers . . . than would a mandate from regulators," said David Barr, a spokesman for the FDIC. Barr said regulators can determine that the risk assessments are inadequate and then require additional measures.
Security experts said the council's moves are insufficient. "With over tens of millions of Americans losing their identities annually, you would think the regulators would mandate a behavioral change without loopholes," said Tom Kellermann, a computer security consultant and former data risk specialist for the World Bank.
Alan Paller, director of research at the SANS Institute, a cyber-security think tank, said, "It's a crime" that the United States is not following the lead of countries such as Hong Kong and Singapore in requiring multiple authentication.
"It does require government action," he said, because banks are not taking steps on their own. He said the deregulatory approach, in this case, "is breaking security instead of improving security."