Today there's no sure way for customers to know if they're on a legitimate bank site or a spoofed one -- which puts both customers and banks at risk.
So the Financial Services Technology Consortium (FSTC) is building a testbed at Columbia University to study emerging products and technologies for authenticating a financial institution. Called the Financial Institutions to Consumers project, the initiative includes key software vendors such as Microsoft, RSA Security, and VeriSign.
Financial industry regulators already require banks to provide multifactor authentication for their online banking customers, but the other half of the equation yet to be addressed is strong authentication on the bank's side of the transaction, financial executives say. This institution-side authentication would assure customers that they're actually dealing with their bank, rather than a phisher, and underscores the growing pressure to build mutual authentication into financial transactions.
Banks are already required by the Federal Financial Institutions Examination Council to offer customers multifactor authentication. (See Putting Security in the Bank.)
"In addition to the idea of stronger authentication with the FFIEC regulations, there's also the need for mutual authentication," says Dan Schutzer, executive director of the FSTC. "Without that you are vulnerable no matter how strong your authentication is."
That means a customer would be at risk of a man-in-the-middle attack, for instance, he says. "No good authentication takes place unless the two parties know who they are dealing with." Most banks today just have the digital certificates in their SSL sessions, Schutzer says. Those certs just secure the session itself.
The newer, so-called "high assurance" certificate technology may be promising for helping banks protect their customers as well as themselves from a rising tide of spam and phishing emails, too, he says.
Dan Rhodes, policy manager for payments and technology for the American Bankers Association, agrees. "Mutual authentication is going to be next," he said at the Cyber Security Executive Summit in New York yesterday.
FSTC's project so far involves 24 organizations, although Schutzer can't name the participating banks. It will test, for instance, upcoming browsers from Microsoft and Opera, next-generation authentication software from RSA and VeriSign, and other products. "Using a case study scenario, we'll provide services to a 'customer' over the Web and through email," he says. "Then we'll assess how vulnerable or not the 'customer' is to various threats."
The project will determine how reliable the high assurance certificate-based products are, as well as help banks understand how to deploy them. It also may yield a process where banks go to the Department of Treasury or the American Bankers Association to get their "seal" that shows users they are on a legitimate Website, or that the email from their bank really is genuine, Schutzer says. The process may also include digital signatures as a way to certify emails, for instance.
"Can I do this so that page can't be hijacked? We want to make sure these solutions are done so they aren't subject to hacks," he says. "And how do I want to deploy them for online banking, and how will customers use them?"
The FSTC plans to issue a report on the testbed in six months. It will provide banks with recommendations on how to implement their authentication.
Kelly Jackson Higgins, Senior Editor, Dark Reading