Source: Finextra Research
The day when two-factor authentication is mandatory for online banking access is drawing near.
In the US, the Federal Deposit Insurance Corporation (FDIC) is currently formulating guidance that will encourage US banks to abandon single password-based ID systems in favour of two-factor authentication following a sharp rise in 'account hijacking' ID theft. And in Australia, the national banking association is drawing up an agreed set of standards that would require all banks to use two methods of identifying Internet customers.
The Australian Bankers Association (ABA) and the FDIC are merely the first industry bodies to acknowledge that the current password-based system of online authentication is comprehensively broken.
Even discounting the threat from organized crime rings, password overload long ago rendered the current system unworkable. How many of us have dormant online accounts because we can no longer remember the codes we were given at sign-up?
All banks need to face up to the problem and begin exploring costings and techniques for upgrading security to encompass two-factor authentication. Interim measures based around the use of virtual keyboards to protect from keyloggers, or ever-more convoluted online Q&A sessions, will prove ineffective long-term as customers eventually tire of jumping through hoops to get online.
Private polling research by the ABA indicates that consumers are not yet ready to use biometric devices for authentication purposes because of privacy concerns.
Alternatives include SMS messaging, token-based random number generators, or personal smart card reader systems.
Although superficially appealing from a cost perspective, mobile messaging systems are likely to prove burdensome to administer as the phones themselves are prone to theft, loss and high customer churn.
Token-based systems, such as those available from RSA, Vasco and ActivCard, are proven in the field, but are difficult to justify on cost grounds when, as is typical, they are deployed as stand-alone, bolt-on solutions.
In Finextra’s opinion, pocket-sized EMV-compliant smart card readers incorporating a challenge/response capability offer the most promising long-term answer to online authentication problems - at least in European and Middle East markets. Not only do the readers leverage the considerable investment by the banking industry in chip card migration, but they can also be extended in scope to cover other forms of card-not-present fraud, since the same reader can sign the details of a payment rather than merely prove possession of the card at login.
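The challenge/response mechanism the reader-based approach relies on can be sketched in a few lines. What follows is an added example written for this page; it is not Finextra's or any vendor's code and it is not the EMV CAP protocol itself. It models a chip holding a per-customer secret key, a bank issuing a single-use random challenge, and an HMAC-derived 8-digit code (the truncation step is borrowed from RFC 4226) that the customer types back. It goes a step beyond the login case to show the transaction-signing variant, where the code also covers amount and payee, since that is the extension to card-not-present fraud the article alludes to. The class names, customer identifiers, message formats and key handling are assumptions; a real deployment would keep the keys in an HSM and derive them from the EMV personalisation data.

```python
import hashlib
import hmac
import secrets


def compute_response(key: bytes, challenge: bytes, tx_data: bytes = b"") -> str:
    """Computation shared by card and bank: HMAC over the challenge and any
    transaction details, truncated to an 8-digit code a customer can type in.
    The HMAC/SHA-256 choice and the message layout are assumptions for this example."""
    mac = hmac.new(key, challenge + b"|" + tx_data, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F          # dynamic truncation, as in RFC 4226
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**8:08d}"


class CardReader:
    """Stands in for the customer's chip card plus pocket reader (hypothetical).
    The key is personalised onto the chip and never leaves it."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes, tx_data: bytes = b"") -> str:
        return compute_response(self._key, challenge, tx_data)


class BankServer:
    """Server side (hypothetical): issues one-shot challenges and verifies responses."""

    def __init__(self):
        self._keys = {}       # customer id -> card key (in production: an HSM)
        self._pending = {}    # customer id -> outstanding challenge, consumed on use

    def enrol(self, customer: str) -> CardReader:
        key = secrets.token_bytes(32)
        self._keys[customer] = key
        return CardReader(key)

    def issue_challenge(self, customer: str) -> bytes:
        challenge = secrets.token_bytes(8)
        self._pending[customer] = challenge
        return challenge

    def verify(self, customer: str, response: str, tx_data: bytes = b"") -> bool:
        # pop() makes the challenge single-use: a replayed response has nothing to match
        challenge = self._pending.pop(customer, None)
        if challenge is None or customer not in self._keys:
            return False
        expected = compute_response(self._keys[customer], challenge, tx_data)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Walk through a login, a replayed code, a tampered payment and a foreign card."""
    bank = BankServer()
    alice_reader = bank.enrol("alice")
    mallory_reader = bank.enrol("mallory")   # a different customer's card

    # 1. Normal login: fresh challenge, correct card, response accepted.
    ch = bank.issue_challenge("alice")
    resp = alice_reader.respond(ch)
    login_ok = bank.verify("alice", resp)

    # 2. Replay: a keylogger captured `resp`. Against the next challenge it fails,
    #    which is exactly what a static password cannot offer.
    bank.issue_challenge("alice")
    replay_ok = bank.verify("alice", resp)

    # 3. Transaction signing: the response also covers amount and payee (constructed
    #    sample data), so malware that swaps the payee invalidates the code.
    ch = bank.issue_challenge("alice")
    signed = alice_reader.respond(ch, b"GBP1500:to=12345678")
    tamper_ok = bank.verify("alice", signed, b"GBP1500:to=87654321")

    # 4. Wrong card: an attacker holding Alice's password but not her chip cannot answer.
    ch = bank.issue_challenge("alice")
    wrong_card_ok = bank.verify("alice", mallory_reader.respond(ch))

    return {"login": login_ok, "replay": replay_ok,
            "tampered_tx": tamper_ok, "wrong_card": wrong_card_ok}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the four outcomes; only the honest login is accepted. Note what the model does and does not cover: it defeats password theft, replay and (in signing mode) payee substitution, but it says nothing about a phishing site that relays a live challenge to the customer in real time, so the challenge must be tied to the session and time-limited in any real deployment.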
Recent statistics from APACS show that the UK banking industry lost £12 million to online banking fraud in 2004. This sum was dwarfed by the £504.8 million of losses attributable to card fraud. Of this, card-not-present (CNP) fraud was up 24% to £150.8m in 2004 and continues to be the biggest category of fraud.
With consumer trust in bank security crumbling, the industry would be advised to co-operate on the development of standards for online banking access. To encourage fast adoption, Finextra believes that banks should swallow the cost of token/reader development and deployment to customers.
The payback will be material, in encouraging more transactions and enquiries through low-cost automated channels, and in reinvigorating the trusted relationship between consumer and financial services provider.