Web Banking Undergoing Sec
BOSTON -- If you do banking over the Internet, generally the drill is pretty simple: You enter your user name and password, and away you go. But behind the scenes, the bank can do a lot to check you out: Are you at your home computer, or at one with an Internet address that, strangely, is registered overseas? Are you logging on at an unusual time of day, or from a super-fast connection when normally you have dial-up?
"Phishers" and other Internet fraud artists have become adept at stealing passwords, mainly through "social engineering." Preying on people's propensity to believe something seemingly authoritative, criminals send authentic-looking e-mails that send unsuspecting people to an authentic-looking Web site where they give away their data.
Many banks overseas, where data-privacy laws are stronger, already have deployed a second level of authentication. They give customers specialized hardware, such as a "smart card" or an electronic token that displays a changing series of passcodes.
"We're trying to come up with something here that's very user-friendly," said Jim Maloney, chief security executive of Corillian Corp., a Web-banking services company that offers login-analysis software.
If the software raises red flags about a user's profile -- because, say, he one day logs in from Denmark instead of Denver -- the bank can confirm his identity by asking a series of questions that only he is likely to know, such as the amount of his last mortgage payment, or the street he grew up on.
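The login analysis described above, written out as an added example (not code from the story or from Corillian): each login is compared with what the bank already knows about the customer, and the weighted red flags decide between letting the user in and stepping up to the challenge questions. The weights, threshold and sample events are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Profile:
    """What the bank already knows about a customer's habitual logins (constructed)."""
    home_country: str
    usual_hours: range        # hours of the day the customer normally logs in
    usual_connection: str     # "dialup" or "broadband"

@dataclass
class LoginEvent:
    user: str
    country: str              # country the source IP address is registered in
    when: datetime
    connection: str

# Weights are an assumption for illustration: a foreign address alone is enough to
# trigger a challenge, while an odd hour or a new connection type only add suspicion.
WEIGHTS = {"country": 3, "hour": 1, "connection": 1}
CHALLENGE_THRESHOLD = 2

def risk_flags(profile: Profile, event: LoginEvent) -> dict[str, str]:
    """Return the red flags raised by one login, keyed by the check that raised them."""
    flags = {}
    if event.country != profile.home_country:
        flags["country"] = f"address registered in {event.country}, expected {profile.home_country}"
    if event.when.hour not in profile.usual_hours:
        flags["hour"] = f"login at {event.when:%H:%M} is outside the usual hours"
    if event.connection != profile.usual_connection:
        flags["connection"] = f"{event.connection} connection, usually {profile.usual_connection}"
    return flags

def decide(profile: Profile, event: LoginEvent) -> str:
    """'allow' for a login that fits the profile, 'challenge' once the weighted flags cross the threshold."""
    score = sum(WEIGHTS[check] for check in risk_flags(profile, event))
    return "challenge" if score >= CHALLENGE_THRESHOLD else "allow"

# Constructed sample data: a Denver customer on dial-up who normally logs in in the evening.
PROFILES = {"alice": Profile(home_country="US", usual_hours=range(18, 23), usual_connection="dialup")}
EVENTS = [
    LoginEvent("alice", "US", datetime(2005, 10, 14, 20, 15), "dialup"),    # routine login
    LoginEvent("alice", "US", datetime(2005, 10, 15, 7, 5), "dialup"),      # only an early hour
    LoginEvent("alice", "DK", datetime(2005, 10, 15, 3, 40), "broadband"),  # Denmark, not Denver
]

def review_logins() -> list[tuple[str, str]]:
    """Decision for every sample event, in order."""
    return [(e.user, decide(PROFILES[e.user], e)) for e in EVENTS]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.when, decide(PROFILES[e.user], e), risk_flags(PROFILES[e.user], e))
```

A single weak signal (the early-hour login) is allowed through, while the overseas login trips every check and is sent to the challenge questions.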
That kind of fraud detection has long existed on credit cards, and the fact that Web banking has yet to widely deploy it says a lot about the state of the industry.
Although identity theft and other financial fraud have garnered a lot of attention and are believed to be getting more sophisticated, banks have been reluctant to do anything to increase the cost and complexity of their Web sites.
After all, the Internet is supposed to be banks' low-cost platform, cheaper than having customers deal with tellers or ring up the help desk. The efficiencies of self-service Web banking likely have outweighed the costs of fraud, which some estimates have placed as low as $137 million worldwide in 2004.
"Right now banks don't have that much security around checking accounts," said Avivah Litan, an analyst with the Gartner research firm. "Generally speaking, their losses are pretty tolerable."
However, on Oct. 12, the Federal Financial Institutions Examination Council, an umbrella group of U.S. regulators including the Federal Reserve and the Federal Deposit Insurance Corp., told banks to strengthen their online authentication by the end of 2006. Auditors will examine those efforts in regular inspections.
The policy was widely interpreted as a boost for security providers, who are tired of seeing banks kick the tires of two-factor authentication services but generally not buy.
According to a June report from the FDIC, a handful of U.S. banks had given customers tokens with passcodes that change every minute. The codes are generated by an algorithm programmed into the token and confirmed on a central authenticating server, making the password impossible to guess.
But tokens create their own headaches. They're relatively costly to deploy and can prompt lots of calls to customer service if they're lost or temporarily out of reach. Banks also fear a "necklace" scenario in which customers end up collecting an annoying strand of tokens from all the companies they do business with online.
After ETrade Financial Corp. began offering tokens from RSA Security Inc. to its 2.8 million U.S. customers, only 20,000 signed up. Almost all those people could get the gadgets for free because they were frequent traders or had more than $50,000 in their accounts; everyone else had to pay $25.
One-time passwords can be given out in less expensive ways. They can be beamed to a cell phone or handheld computer, or mailed to customers on scratch-off cards.
But security experts warn that one-time passwords can be stolen in a "man-in-the-middle" attack, in which a con artist harvests a victim's code on a phony Web site and instantly relays it to the real bank, then conducts transactions in her name. Such frauds are rare -- if they happen at all -- but that's partly because there are so many easier targets, for now.