Bank Technology News
Wednesday, May 30, 2007

Security: When Lock Downs Lock Out The Blind

By Rebecca Sausner

Banks and vendors are working to make online tools secure and usable for the
visually impaired

The Federal Financial Institutions Examination Council mandated that banks
lock down their online banking applications as of January 1 of this year.
Most complied, and that has kept attorney Daniel Goldstein, who represents
the National Federation of the Blind, extremely busy. "We are fielding an
increasing number of complaints from blind people who had been very happily
using their bank's Web services for years and are finding they can't any
longer," Goldstein says. "We're going from accessibility to
non-accessibility because of the security features."

CAPTCHAs (scrambled words users must decipher in order to complete some online
transactions) are one security measure particularly vexing to blind users
because they can't be deciphered by screen reading software.
CAPTCHAs, meant to foil automated Web crawlers by requiring human
intervention, aren't widely used in banking, but disability rights activists
say they are an issue in some online banking applications. "People are
concerned because the visual CAPTCHAs are completely inaccessible," says
Lainey Feingold, a disability rights attorney.

In response, major banks and big-name authentication vendors are trying to
ensure that their online banking tools are accessible to the blind. Disability
rights activists often laud Bank of America and Wells Fargo for their great
track record of ensuring accessibility. BofA's SiteKey picture gallery
includes thousands of uniquely named images that users can select as part of
their mutually authenticated login, says Betty Riess, BofA spokeswoman.
Authentication vendor Entrust's authentication platform offers a variety of
blind-accessible security measures, including a Braille "bingo" card that
can be used as a second factor, says Steve Neville, director of identity
products and solutions at Entrust. And VASCO Data Security offers
one-time-password tokens that read out passwords and come with headsets for
added security.