In Depth

Strong Authentication for Online Banking: Success Factors

Banks are finally moving past user name and password, but the new strong authentication is not what anyone expected

By Sarah D. Scalet

November 01, 2006CSO — Like a lot of people, Washington Mutual's Dave Cullinane thought the time finally might be ripe for retail banking customers to start logging on by using tokens or other hardware-based authentication.

Regulators have given banks until the year's end to strengthen sign-on beyond user name and password—that woefully inadequate control that phishers have been bilking for years. If fraud losses weren't enough of a business driver, maybe the U.S. Federal Financial Institutions Examination Council (FFIEC) regs would be. And surely at least Washington Mutual's technically sophisticated home crowd in Seattle would be happy to dangle a dongle from their key chains.

But the idea went over about as well as decaf in the cockpit of a 6 a.m. flight to San Jose. More than 90 percent of the participants in several focus groups said they didn't want to use a token to access accounts online or by phone.

"The response we got was, 'Don't tell me I have to carry something to get access to my money. It's your job to protect my money, and if you don't do your job I'll find someone who will,'" says Cullinane, who is CISO of Washington Mutual, the nation's largest savings bank. "It was rather startling to get that from them."

From coast to coast, focus groups conducted by U.S. banks large and small must have said the same

thing. While tokens have long been used by commercial banking customers, an anticipated roll-out of hardware-based authentication to consumers has largely failed to materialize. Why? Customers say they don't want to bother; and customers, as legend has it, are always right.

Instead, to comply with new banking regulations and stem phishing losses, banks and the vendors who serve them are hurriedly putting together multipronged strategies that they say amount to "strong" authentication. The emerging approach generally consists of somehow recognizing a customer's computer, asking additional challenge questions for risky behavior and putting in place back-end fraud detection. But whether these layers of security combine to create something better—or worse—than traditional two-factor authentication is still anyone's guess

"I wouldn't discount anything because we're in that evolutionary stage when it comes to two-factor authentication," says Howard Schmidt, former White House adviser on cybersecurity and a longtime

proponent of tokens. "All these [emerging authentication methods] have the potential of raising the fence to keep out fraudsters. The proof will be once these things are fully vetted. That's what will separate the novel solutions from those that do a lot to enhance long-term security."

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WEBCAST
IT productivity challenges: Google survey results

GoogleIn this webcast, Google reveals results from a survey of message security and compliance priorities and concerns. Download a free copy of the survey report after registering.

» Watch the Webcast

Featured Sponsors
Sponsored Links

Secure your virtual and physical environments with the same software.

Simple, Economical Server Virtualization For Any Size Company

Global Companies' Best Practices for Security and Compliance

Diebold: Frost & Sullivan Global Physical Security Systems Integrator of the Year

Tripwire PCI DSS Solutions: Automated, Continuous Compliance

Gene Kim's Practical Steps to Mitigate Virtualization Security Risks

Eliminate network threats and downtime with Juniper Networks. View demo

IT Service Management: Metrics That Matter

White Paper: Learn how to use Adaptec(R) Snap Server(TM) with MOBOTIX IP Network Cameras

White Paper: Use DAM technology when there is a need for granular monitoring.

This whitepaper describes how you can test your Web applications with virtualization

Read The Evolution of Application Security in Online Banking White Paper

A Guide to Providing Proactive Protection to Consumer Online Transactions

Can Google help you save time and money in your fight against spam?

An Executive Guide to Understanding Hosted Messaging Systems

ITCi White Paper: Challenges and Opportunities of PCI

The PCI Data Security Standard

Hardware-based security. That's IT as it should be.

Configuration Audit and Control for Virtualized Environments

Webcast: Best practices in application security: How do you stack up?

Webcast: learn results from an annual Google message security survey of 575 global IT professionals

White Paper: Learn more about how you can use compliance as a means of competitive differentiation.

This white paper presents document security strategies and best practices

Compliance: Moving From Mandate to Differentiator White Paper