By Joseph Salesky, CEO, ClairMailLate last year, the Federal Financial Institutions Examination Council (FFIEC), an interagency governmental body empoweredto prescribe standards for the federal examination of financial institutions, announced stricter rules for verifying customers'identities during online banking transactions. The new guidelines, outlined in the document "Authentication in an InternetBanking Environment," mandated that by Jan. 1, 2007, U.S. banks must have a plan to implement two or more factorsof identity authentication in Internet banking and all forms of electronic banking activities.Yet, according to recent research from Gartner, only two-thirds of banks hit the deadline, and many that did comply are stilllooking for ways to fine-tune their solutions. The overall objective of the regulations is straightforward: to keep customer transactions secure and to restore consumerconfidence in the online banking channel. As many banks scrambled to meet the compliance guidelines in time and others missedthe deadline completely, today very few have determined and implemented optimum solutions that comprehensively address security,implementation cost and customer convenience issues. Two-Factor Authentication: What Does It Really Mean?Simply defined, two-factor authentication requires two independent factors to establish identityand privileges. A factor can be something you have (an ATM card, a token or a smart card), something you know (a password, asecurity question or a PIN), or something to verify who you are (identified through a fingerprint or a handwriting sample).Every time customers use their ATM cards to withdraw cash, they are using a form of two-factor authentication.Smart Cards and Tokens: Quick Fixes Come With a PriceSome organizations considered smart cards (microprocessor cards of credit card dimensions capable of providing securityservices when used in conjunction with a reader attached to a customer's computer) or traditional authentication tokens (smallhardware devices that allow users to authenticate themselves to the server using one-time passwords, or OTPs) as potentialsolutions for the two-factor requirement. While these alternatives meet the requirements set forth by the FFIEC, they alsohave severe drawbacks. They are all costly both to implement and maintain. For example, the average token costs approximately$41, not including back-end software and server expenses. Factoring in the costs for issuance, replacement and support, thetotal price tag for token implementations can typically range from $110 to $150 per seat per year for a period of five years.Moreover, these solutions are often extremely cumbersome for customers, who are required to carry additional cards or tokens.Another serious security issue is that tokens, smart cards and other traditional authentication methods are vulnerable to"man-in-the-middle" attacks, in which phishers hijack online sessions by getting between the customer and the bankby transparently passing through OTPs and other validation information and then retaining the session after the customer haslogged out. Additionally, even when tokens or cards are combined with other measures to reduce the potential for fraudulentonline use of customer accounts, they still do nothing to address credit card or check fraud. In essence, they add locks tothe doors but don't prevent crooks from entering through the window.Ounce of Prevention Versus a Pound of CureThe bigger issue is that traditional authentication methods are focused on preventing unauthorized access to an onlinebanking application, rather than eliminating fraud.Security expert Bruce Schneier has long argued that "identity theft solutions focus much too much on authenticatingthe person. Whether it's two-factor authentication, ID cards, biometrics or whatever, there's a widespread myth thatauthenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulenttransactions, you quickly realize that authenticating the person isn't the way to proceed."So what's a bank to do? It's a fine line, as the solution to preventing fraud must not be so inconvenient as to drivecustomers away from online or offline banking, nor be so expensive as to make it impractical.Enter the Cell Phone: Is the Solution Just a Text Message Away? With more than 233 million mobile U.S. subscribers\u2014an astounding 78 percent penetration rate\u2014mobile phonesare more pervasive than the Internet and readily available at any time. Moreover, according to CTIA, a wireless industryassociation, Americans sent 64.8 billion text messages in the first half of 2006, nearly double the number sent in thesame period in 2005.Mobile phones are not only ideal for authenticating online banking sessions\u2014thereby solving the two-factorauthentication quandary faced by financial institutions\u2014but they can also validate all other at-risk transactions.How? By using the mobile phone's text-messaging functionality that customers are already familiar with and frequently using.For instance, mobile phones can be used for online banking session verification. A customer logs on as usual with heruser name and password (the first factor); at log-on, a time-expiring, one-time password is automatically sent to thecustomer's mobile phone (the second factor), and the customer enters the OTP while online to validate the session. Thisapproach is far more cost-effective than investing in tokens or smart cards, and when combined with other online securityapproaches, it can preserve convenience while providing enhanced session security.Furthermore, mobile phones' out-of-band confirmation and multiple factors of authentication\u2014even down to theindividual transaction level\u2014make this solution impenetrable to man-in-the-middle attacks. Mobile phones can enableonline and offline transactions to be completed with the highest level of security, making them a critical component ofany fraud-elimination strategy.For example, the creation of a new bill-pay payee or an unusual transfer, payment, credit card or check transactionwould cause an "actionable" alert to be sent to the customer's mobile phone. The customer would then send atext reply to approve or deny the transaction, or to request additional information. This allows customers to activelyparticipate with decisioning systems to frictionlessly validate transactions, dispute illegitimate transactions, denysubsequent transactions and hold selected transactions until receipt of the customer's approval.Today, banks are forced to call the customer or stop a credit card when transactions are in question. By utilizingthe mobile phone, the cost and inconvenience of this customer interaction is dramatically reduced. The mobile phone can also be utilized to provide bank customers with secure, on-demand mobile access to accountinformation, facilitate a variety of transactions and deliver no-hold access to customer service. These featuresgreatly benefit customers and facilitate fraud prevention by enabling customers to easily review their transactionsand actively participate in the fraud-prevention process whenever necessary.According to research firm IDC, "the mobile phone\u2014as the identifier and authenticator\u2014is a channelthat customers can trust is delivering personal information in a private and secure manner and one that could be astrong case for fob replacements. [It] has greater promise for delivering the necessary functionality combined withease of use and is a better and more cost-effective solution than tokens or other authentication devices."Financial institutions seeking a long-term, cost-effective solution that provides strong authentication and transactionverification without compromising the convenience of online banking should pick up the phone. The answer to the cost,convenience and security trifecta might be just a text message away.