In Depth
Strong Authentication for Online Banking: Success Factors
Banks are finally moving past user name and password, but the new strong authentication is not what anyone expected
By Sarah D. Scalet
Amir Orad, VP of marketing for RSA's consumer solutions business unit, says one new attack RSA has seen—although not yet in consumer banking—is best described as a transaction trojan. This piece of software waits on a computer until the user logs on to a particular website, then runs a script in the background that transfers funds. There is also growing concern over man-in-the-middle attacks, in which the fraudster sits between the customer and the banking website and relays traffic in both directions. In one small but oft-discussed attack spotted last summer, for instance, phishers created a spoof of the log-on page for CitiBusiness clients, who use tokens to log on to the site. According to researchers at Secure Science Corp., when users entered the one-time password generated by the device, the phishing website relayed that information to the real CitiBusiness site, thus gaining account access. The one-time password defeats replay of a captured code, but not a relay performed while the code is still valid.
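To make the relay concrete, here is a constructed Python model of the attack described above. It is an added example, not code from the article or from RSA, Citibank or Secure Science, and the token type is an assumption: the bank is modelled as verifying an RFC 4226 event-based (HOTP) token code with a small look-ahead window, and the user name, password and shared secret are made up (the secret is the RFC 4226 test-vector secret). The spoofed page forwards the victim's code to the real site immediately, so the session is issued to the phisher; trying the same code again afterwards fails, which is the one property a one-time password does guarantee.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class BankSite:
    """Constructed stand-in for a site that accepts password plus token code (event-based OTP)."""
    LOOK_AHEAD = 5  # counter resynchronisation window (RFC 4226 section 7.4)

    def __init__(self):
        self.users = {}     # username -> {"password", "secret", "counter"}
        self.sessions = {}  # session token -> username

    def enrol(self, username, password, secret):
        self.users[username] = {"password": password, "secret": secret, "counter": 0}

    def login(self, username, password, otp):
        """Return a session token on success, None otherwise. A matched code is burnt."""
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        for c in range(u["counter"], u["counter"] + self.LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(u["secret"], c), otp):
                u["counter"] = c + 1
                token = secrets.token_hex(16)
                self.sessions[token] = username
                return token
        return None


class Token:
    """The customer's hardware token: same secret as the bank, its own press counter."""
    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def press(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class PhishingProxy:
    """Spoofed log-on page: whatever the victim types is forwarded to the real site at once."""
    def __init__(self, real_site):
        self.real_site = real_site
        self.stolen_sessions = []

    def submit(self, username, password, otp):
        token = self.real_site.login(username, password, otp)
        if token is not None:
            self.stolen_sessions.append(token)
        return token


def run_scenario():
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret (constructed enrolment)
    bank = BankSite()
    bank.enrol("customer", "correct horse", secret)
    token = Token(secret)
    proxy = PhishingProxy(bank)

    otp = token.press()                                         # victim reads the code off the token
    relayed = proxy.submit("customer", "correct horse", otp)    # and types it into the spoof page
    replayed = bank.login("customer", "correct horse", otp)     # same code tried again afterwards
    return {
        "relay_succeeded": relayed is not None,
        "replay_succeeded": replayed is not None,
        "proxy_holds_session": relayed in bank.sessions if relayed else False,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The bank cannot tell the proxy's log-on from the customer's own because the code is bound to nothing but the token counter: it says nothing about which site the customer thinks she is talking to or what she intends to do once logged on. That gap is what the back-end monitoring discussed later in the article tries to cover.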
Still, all these vulnerabilities are no reason to throw your hands up and cry "uncle." Giving up, says Schmidt, a former police officer, would be akin to "someone in the neighborhood watch saying, 'I never lock my doors because then someone would just kick the door in.' Everything we do to move away from user ID and password, every time we do that, we move further up the chain [toward preventing] something bad happening."
Beyond Authentication
Despite the FFIEC guidance about authentication, the emerging technologies that actually seem to hold the most promise for protecting the funds in consumer banking accounts aren't authentication systems at all. They're back-end systems that monitor for suspicious behavior.
Some of these tools are rule-based: if a customer from Nebraska signs on from, say, Romania, the bank can write a rule that such a log-on is always treated as suspect. Others are based on a risk score: that log-on from Romania adds points to a score, other anomalies add more, and when the total crosses a threshold the bank takes action.
Flagged transactions can get bumped to second-factor authentication—usually an out-of-band call to the telephone number on file, which serves as a "something the user has" factor. This has long been done manually in the credit card world; think of the last call you got from your card issuer's fraud department when you (or someone else) tried to make a large purchase with your card in Europe. Some banks, including Washington Mutual, are in the process of automating out-of-band phone calls for risky online transactions.
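As an added example, not from the article or from any bank named in it, here is a Python sketch of the two approaches in the preceding paragraphs, rule-based and score-based, with the outcome bumped to an out-of-band step-up when the score crosses a threshold. The weights, thresholds, the 900 km/h "impossible travel" limit, the Nebraska customer, the device names and the coordinates are all constructed for the example; the out-of-band call is simulated by a code the bank would read out over the phone.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Weights and thresholds are assumptions for this example, not any bank's real policy.
W_FOREIGN_COUNTRY = 20
W_UNKNOWN_DEVICE = 30
W_IMPOSSIBLE_TRAVEL = 50
MAX_PLAUSIBLE_KMH = 900   # faster than this between two log-ons counts as impossible travel
STEP_UP_AT = 30           # score at or above this: out-of-band call before the session proceeds
DENY_AT = 70              # score at or above this: refuse and route to the fraud desk


@dataclass
class Login:
    user: str
    when: datetime        # naive UTC
    country: str
    lat: float
    lon: float
    device_id: str


@dataclass
class Profile:
    user: str
    home_country: str
    known_devices: frozenset
    last_login: Optional[Login] = None


@dataclass
class Decision:
    action: str           # "allow", "step_up" or "deny"
    score: int
    reasons: list


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance by the haversine formula, Earth radius 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def risk_score(profile, login):
    """Score-based evaluation: each suspicious signal adds points to a running total."""
    score, reasons = 0, []
    if login.country != profile.home_country:
        score += W_FOREIGN_COUNTRY
        reasons.append(f"log-on from {login.country}, home country is {profile.home_country}")
    if login.device_id not in profile.known_devices:
        score += W_UNKNOWN_DEVICE
        reasons.append(f"unrecognised device {login.device_id}")
    prev = profile.last_login
    if prev is not None:
        hours = (login.when - prev.when).total_seconds() / 3600
        dist = km_between(prev.lat, prev.lon, login.lat, login.lon)
        if dist > MAX_PLAUSIBLE_KMH * max(hours, 0.0):   # also flags a move backwards in time
            score += W_IMPOSSIBLE_TRAVEL
            reasons.append(f"{dist:.0f} km from previous log-on in {hours:.1f} h")
    return score, reasons


def evaluate(profile, login, always_suspect=frozenset()):
    """Turn the score into an action, then apply the rule-based overlay."""
    score, reasons = risk_score(profile, login)
    action = "deny" if score >= DENY_AT else "step_up" if score >= STEP_UP_AT else "allow"
    # Rule-based variant: a country the bank has declared always suspect forces
    # at least a step-up, whatever the score says.
    if login.country in always_suspect and action == "allow":
        action = "step_up"
        reasons.append(f"{login.country} is on the always-suspect list")
    return Decision(action, score, reasons)


def out_of_band_challenge(digits=6):
    """Code the bank reads out over an automated call to the number on file (simulated)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def verify_out_of_band(issued, entered):
    return hmac.compare_digest(issued, entered)


def demo():
    """Constructed scenarios: a Nebraska customer whose previous log-on came from Omaha."""
    omaha, bucharest = (41.2565, -95.9345), (44.4268, 26.1025)
    t0 = datetime(2006, 8, 1, 9, 0)
    prev = Login("nebraska_customer", t0, "US", *omaha, "laptop-1")
    profile = Profile("nebraska_customer", "US", frozenset({"laptop-1"}), prev)
    h = lambda n: t0 + timedelta(hours=n)
    u = profile.user
    results = {
        "home_known_device": evaluate(profile, Login(u, h(3), "US", *omaha, "laptop-1")),
        "home_new_device": evaluate(profile, Login(u, h(3), "US", *omaha, "kiosk-9")),
        "romania_next_day": evaluate(profile, Login(u, h(24), "RO", *bucharest, "laptop-1")),
        "romania_three_hours": evaluate(profile, Login(u, h(3), "RO", *bucharest, "laptop-1")),
        "romania_next_day_rule": evaluate(profile, Login(u, h(24), "RO", *bucharest, "laptop-1"),
                                          always_suspect=frozenset({"RO"})),
    }
    return results


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:24} {d.action:8} score={d.score:3}  {'; '.join(d.reasons)}")
```

With these weights a log-on from Romania on a known device a day later scores below the step-up line and is allowed, whereas the same log-on three hours after one from Omaha trips the impossible-travel signal and is denied; the rule-based overlay forces the step-up in the first case regardless of the score, which is the difference the text draws between the two approaches. The step-up is only a challenge the customer must answer on the phone; nothing here binds it to the transaction the fraudster is about to submit.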
The question is whether this set of technologies actually brings banks into compliance with the FFIEC guidance. The guidance requires that strong authentication be in place before a user is allowed access to any personal information, and back-end monitoring only acts once a log-on has already succeeded. If a fraudster is able to access someone's checking account—including all his payment history and images of endorsed checks—protecting that single session from fraud may be beside the point. The fraudster may have something else in mind, like forging checks.