NEW YORK (CNN/Money) -
Federal regulators are pushing banks for an extra layer of security to fight cyber thieves -- a move that could end up costing you more if you do your banking online.
An umbrella organization of regulators last month called on banks to require online customers to provide more than just their user names and passwords to access their accounts by the end of 2006.
But just what type of improved security process will be enacted is up in the air as banks weigh the risks they face with the costs of going more high-tech.
"Regulators have left it up to financial institutions to determine their own risk level and then decide what would be an appropriate security measure," said Ariana-Michele Moore, senior analyst at Celent LLC, a research and consulting firm.
"Costs are going to vary significantly with some banks experiencing only pennies per transaction while it could cost other banks over $5 a month per user."
Improving Internet security is going to ultimately raise expenses for the banking industry, experts said.
But whether banks will incur a one-time charge or will have ongoing expenses that can be passed on to consumers depends on what steps each bank takes, said David Barr, a spokesman at the Federal Deposit Insurance Corp.
He said it was too early to determine what types of fees, if any, banks may consider charging consumers to make up for the costs of the new security measures.
Doug Johnson, a senior policy analyst at the American Bankers Association, said it was unlikely consumers would see a direct charge for online banking.
Since most big banks usually offer free Internet banking, he said, they could risk losing customers if they started charging to offset the cost of new security measures.
Additional layers of security
There are a number of options for financial institutions to consider.
Some banks, such as Bank of America, are launching a "knowledge-based" software service, which requires customers to pick one of thousands of images, write a brief phrase and select a number of questions -- such as the name of a childhood pet or the street you lived on as a child. Those question and images are then randomly asked to authenticate an individual's identity when they go online.
While this method is considered the most unobtrusive and least expensive, there is some concern it may not go far enough. Bank of America, the nation's No. 2 bank, declined to comment on how much it's spending on the technology.
But Jim Sizemore, chief investment officer at Fiserv Information Technology Inc., a provider of banking technology services, estimated that "knowledge-based" authentication can cost a bank as little as $1 an account a year.
Sizemore said it's a step up from current security measures but warned that resourceful hackers can still target individuals and monitor their keystrokes over time in order to glean answers for the security questions. That opens the door for potential security breaches down the road.
A more expensive option
FDIC's Barr said banks are more at risk of losing money if they don't take action against cyber thieves because ultimately banks are responsible for replacing any stolen funds for consumers.
For that reason, some institutions are warming up to tokens and smart cards that display randomly changing code numbers every minute -- hardware that can be more expensive.
Online broker E-Trade, for instance, already gives customers with $50,000 or more in their accounts a free digital Secure ID device from RSA Security.
Wachovia, the No. 4 bank, which has 3.2 million online customers, said the company is looking at both software platforms and token technology.
Doug Caldwell, a spokesman for Wachovia, said the bank is weighing its options and depending on customer needs, may provide both options. He said it was too early to say whether the company will company will pass on costs of the new security checks to its consumers.
Information Technology's Sizemore said that tokens will cost banks at least $10 to $15 apiece. Some estimates peg the cost of purchasing a token at $50 each. "If you take a traditional bank with 40,000 online customers, it can get very expensive quickly," he said.
Christopher Young, vice president of consumer authentication services at RSA, said that as tokens become more commonplace, the costs for banks should come down. He added that current costs will vary depending on the type of service banks sign up for and the volume of tokens banks offer customers.
So what are banks likely to do?
Probably a combination of a low-end knowledge-based process and more expensive hardware technology, said Sizemore. "Most banks are saying that they don't know how to pass along the costs of these security measures," he said.
He said that while it's still early in the game, he expects banks will offer consumers less expensive new security measures and eat the cost while charging corporate users.
Hackers are increasingly targeting online bank accounts. Click here for more.