In Depth
Strong Authentication for Online Banking: Success Factors
Banks are finally moving past user name and password, but the new strong authentication is not what anyone expected
By Sarah D. Scalet
"The whole cookie technology has come a long way," says Stephen Northcutt, director of training and certification at the SANS Institute, which is known for its security research and certification programs. "It's an electronic hash, a numerical value that's something about your bank account. If no one else has access to that, it's fine. But here's what we could do to attack it: If it's a cookie, it can't be very well protected. The next thing you know you'll have some worm that goes through and collects cookies and e-mails them to an account in China."
In addition, security experts are increasingly concerned that the fraud community will migrate from covert keystroke-loggers to screen-capturing technology—also called "screen scraping." This would allow them to collect, in addition to keystrokes, the pictures that supposedly let a banking customer confirm he is at the right website. They could then use those pictures to build customized phishing websites that more online banking customers will fall for—thus nullifying the mutual authentication the cookie is meant to provide.
Likewise, the effectiveness of challenge questions can vary. Ask too obscure a question, and customers are likely to forget the answer they provided; ask too common a question, and phishers will simply log it along with user names and passwords. "It's become the latest hacking game to see who can get those questions," says Avivah Litan, vice president and research director at research firm Gartner.
Cullinane says that Washington Mutual tapped into the expertise of one employee with a psychology degree to help determine a sizable set of effective questions that people were likely to remember. Other banks are taking another route entirely. Wells Fargo, for instance, asks challenge questions based on information from a person's credit report or credit history—whether she has a credit line with a certain company, say, or whether she lived at another address four years ago. Another approach: The identity verification vendor Verid creates a set of multiple-choice questions drawn from public records, assigning a risk score based on how many answers the customer gets right.
If any of this isn't done carefully, of course, the system pushes out a lot more personal details than customers may feel comfortable with. Furthermore, the problem with any type of challenge question is that the answer is still something the user knows, which means the authentication is still single-factor.
Proponents of these layered solutions, however, are quick to point out that two-factor authentication isn't a perfect solution either. In the months since the FFIEC guidance was issued, tokens have lost some of their swagger. Even RSA offers examples of how tokens can be exploited.