Banks Told to Strengthen Web Security

Banks will be mandated to strengthen the security of online banking sites by the end of next year thanks to a new ruling handed down by the Federal Financial Institutions Examination Council.

Single-factor authentication, such as a password or PIN which most banks use today, will no longer be permitted.

Instead, two or more forms of authentication will be required. The second form of identification has been left open-ended, which means it could not necessarily mean a second password. Rather, banks could offer other ways to identify users, such as a special security certificate or even biometrics.

"The continued growth of Internet banking and other forms of electronic banking activities and the increased sophistication of threats to those environments have resulted in higher risks for financial institutions and their customers," the council said in a statement explaining the ruling.

The group said would be cognizant of banks that may have been affected by Hurricane Katrina and Rita, and would offer extensions to those banks on a per-case basis.

With luck, the new policies could reduce the occurrences of online identity theft, known as phishing, and prevent money laundering and terrorist funding, the group says.

About 80 percent of the 8,800 federally insured banks have a Web site, although not all offer online banking, according to FDIC research. Earlier in the year, the FDIC ordered banks to alert customers who may have been victims of identity theft.