Graham Titterington, Principal Analyst, Ovum
You Asked: What methods are Internet banks deploying to protect their customers?
The Expert's Answer
Fear of 'phishing' attacks and spyware is the main motivation for these developments, but banks are also hoping to reduce other forms of online fraud. The adoption of two-factor authentication makes it less critical if one factor (typically the user's password) is compromised. Improvements in security make good business sense. Banks risk losing business from worried customers, as well as direct financial loss, if they do not act to provide more assurance.
The Bank of America has announced that it is to introduce two-factor, two-way authentication to around 13 million online banking customers. It is following the advice of the Federal Deposit Insurance Corporation (FDIC).
This announcement is similar to many other recent announcements from the financial community around the world. The Hong Kong Monetary Authority (HKMA) said in 2004 that banks will be required to introduce two-factor authentication for online transactions by June 2005, and the banks are on course to roll it out to their 2.7 million Internet customers on schedule. Banks in Australia and the UK are following.
Each bank chooses its own approach
The most notable feature of all these developments is that the authorities are not specifying a particular collection of authentication approaches - only that there should be two factors for each user connection session. This is wise as it avoids liability if one particular means of authentication turns out to be less secure than anticipated.
It also dissipates hacker attention across many different mechanisms, and it enables each bank to choose the means that appear most appropriate to its customers. However, it reduces the market opportunity for vendors wishing to sell particular authentication products, such as fingerprint readers.
Already we are seeing a wide range of approaches, going beyond the predictable range of digital certificates, fingerprints, one-time passwords, and SMS message handshakes. For example, the Bank of America uses a digital checksum derived from a fingerprint of the customer's regular computer, backed up by pass phrases, personal questions and image selection for initial registration and for use of guest machines.
One notable feature of the Bank of America's approach is that the bank uses the pass phrase to authenticate itself to the user at the start of a session, indicating that the user has indeed reached the real banking website. This is a big step beyond purely technical SSL-level authentication, in that it gives business-process-level assurance despite its inherent simplicity.
The down side
Although most of the industry will welcome these developments, some banks are worried about the 'ease of use' implications arising out of strong authentication. For example, Egg Bank has expressed reservations about the direction that the industry is taking.
Customer perceptions are critical to success. We anticipate consumer reaction against Chip and PIN credit-card verification when consumers realise the limitations to the protection that it offers them. Although Chip and PIN applies to face-to-face credit-card transactions and is separate from the issue of authentication in remote banking transactions, consumer perceptions of the two issues will merge and evoke a similar reaction. The financial industry has to tread a fine line to keep its customers on side through these changes.
Is there an alternative?
Banks and their customers must take a holistic view of security, and adopt a fair distribution of the liability for the loss when a crime occurs.
If we accept the premise that the security of Internet banking services has to improve, we should remain aware of alternative strategies that can be used either instead of, or alongside, two-factor authentication. No security approach is foolproof, and for this reason alone the situation should be kept under review.
The main alternative is to focus on transactions. The most common motivation of banking criminals is theft. The situation on the Internet is different from that at the ATM, where the criminal is trying to make a quick cash withdrawal from someone else's account. At the ATM, authentication is crucial. On the Internet the criminal can only make electronic transfers from the account. Potential defences include requiring additional authorisation for large transfers, and placing a time delay on payments to newly set up payment routes.
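The two transaction-level defences named above (step-up authorisation for large transfers and a time delay on payments to newly added payees) can be expressed as a small policy check. The code below is an added illustration, not from the article or from any bank; the threshold, hold period and sample transfers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed policy values for illustration only; a real bank would tune these
# to its own risk appetite and customer segments.
LARGE_TRANSFER_THRESHOLD = Decimal("1000.00")  # above this, demand a second authorisation
NEW_PAYEE_HOLD = timedelta(hours=24)           # payments to payees younger than this are delayed


@dataclass(frozen=True)
class Payee:
    account_id: str
    created_at: datetime  # when the customer set up this payment route


@dataclass(frozen=True)
class Transfer:
    amount: Decimal
    payee: Payee
    requested_at: datetime
    step_up_completed: bool = False  # a second authorisation was confirmed for this transfer


def evaluate_transfer(t: Transfer) -> tuple[str, str]:
    """Return (decision, reason); decision is 'execute', 'step_up' or 'hold'.

    The hold on new payment routes is checked first: even a fully authorised
    transfer waits out the delay, which is what gives the customer time to
    spot and cancel a payee they never created.
    """
    payee_age = t.requested_at - t.payee.created_at
    if payee_age < NEW_PAYEE_HOLD:
        release_at = t.payee.created_at + NEW_PAYEE_HOLD
        return "hold", f"new payee; release no earlier than {release_at.isoformat()}"
    if t.amount > LARGE_TRANSFER_THRESHOLD and not t.step_up_completed:
        return "step_up", "large transfer requires additional authorisation"
    return "execute", "within policy"


def demo() -> dict[str, str]:
    """Constructed sample transfers that exercise each branch of the policy."""
    now = datetime(2005, 6, 1, 12, 0)
    known_payee = Payee("PAYEE-KNOWN-001", now - timedelta(days=30))
    new_payee = Payee("PAYEE-NEW-002", now - timedelta(hours=2))
    cases = {
        "small_to_known": Transfer(Decimal("50.00"), known_payee, now),
        "large_to_known": Transfer(Decimal("5000.00"), known_payee, now),
        "large_to_known_confirmed": Transfer(Decimal("5000.00"), known_payee, now, step_up_completed=True),
        "small_to_new": Transfer(Decimal("50.00"), new_payee, now),
    }
    return {name: evaluate_transfer(t)[0] for name, t in cases.items()}
```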
© Ovum 2005
Graham Titterington is a Principal Analyst at Ovum, specialising in business continuity, IT security, and information storage. With 30 years' experience in the IT industry, Graham has contributed to a wide range of Ovum's research, including leading roles in producing reports on identity management, business continuity, storage management and many other information security issues. He can be contacted directly at graham.titterington@ovum.com.