In Depth

Strong Authentication for Online Banking: Success Factors

Banks are finally moving past user name and password, but the new strong authentication is not what anyone expected

By Sarah D. Scalet

Page 5

Amir Orad, VP of marketing for RSA's consumer solutions business unit, says one new attack RSA has seen—although not yet in consumer banking—is best described as a transaction trojan. This piece of software waits on a computer until the user logs on to a certain website, and then runs a script in the background transferring funds. There's also growing concern over "man in the middle" attacks. In this type of ploy, the fraudster sits between the customer and the banking website. In one small but oft-discussed attack spotted last summer, for instance, phishers created a spoof of the log-on page for CitiBusiness clients, who use tokens to log on to the site. According to researchers at Secure Science Corp., when users entered the one-time password generated by the device, the phishing website relayed that information to the real CitiBusiness site, thus gaining account access.

Still, all these vulnerabilities are no reason to throw your hands up and cry "uncle." Giving up, says Schmidt, a former police officer, would be akin to "someone in the neighborhood watch saying, 'I never lock my doors because then someone would just kick the door in.' Everything we do to move away from user ID and password, every time we do that, we move further up the chain [toward preventing] something bad happening."

Beyond Authentication

Despite the FFIEC guidance about authentication, the emerging technologies that actually seem to hold the most promise for protecting the funds in consumer banking accounts aren't authentication systems at all. They're back-end systems that monitor for suspicious behavior.

Some of these tools are rule-based: If a customer from Nebraska signs on from, say, Romania, the bank can rule that such a log-on is always treated as suspect. Others are based on a risk score: That log-on from Romania would add points to a risk score, and when the score reaches a certain threshold, the bank takes action.

Flagged transactions can get bumped to second-factor authentication—usually, a call on the telephone, something the user has. This has long been done manually in the credit card world. Just think about the last phone call you got from your credit card company's fraud department when you (or someone else) tried to make a large purchase with your credit card in Europe. Some banks, including Washington Mutual, are in the process of automating out-of-band phone calls for risky online transactions.
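The two approaches just described, and the step-up to out-of-band verification that follows a flag, can be shown side by side in code. The example below is added here and is not from the article or from any bank or vendor it names; the signals, point values, the 50-point threshold, and the sample log-on events are all constructed to illustrate the mechanics.

```python
"""Rule-based vs. risk-score log-on screening with step-up to out-of-band
verification.  Added illustration; signals, weights, threshold and sample
events are constructed, not taken from any real bank's system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogOn:
    customer_id: str
    home_country: str      # country the bank has on file for the customer
    source_country: str    # geolocation of the connecting address
    known_device: bool     # device fingerprint previously seen for this customer
    amount: float          # value of the transaction attempted in the session


def rule_based_suspect(event: LogOn) -> bool:
    """Rule-based approach: a log-on from outside the home country is
    always suspect, regardless of anything else about the session."""
    return event.source_country != event.home_country


def risk_score(event: LogOn) -> int:
    """Score-based approach: each suspicious signal adds points.
    Weights below are constructed for the example."""
    score = 0
    if event.source_country != event.home_country:
        score += 40           # geographic mismatch
    if not event.known_device:
        score += 30           # never-seen device
    if event.amount >= 5000:
        score += 30           # unusually large transfer
    return score


STEP_UP_THRESHOLD = 50        # constructed threshold


def decide(event: LogOn) -> str:
    """Return 'allow' or 'step-up'.  'step-up' means the session is held
    until the customer confirms through a second factor out of band,
    such as an automated call to the phone number on file."""
    return "step-up" if risk_score(event) >= STEP_UP_THRESHOLD else "allow"


def triage(events: list[LogOn]) -> dict[str, dict[str, object]]:
    """Run both approaches over a batch and report per customer, so the
    two policies can be compared on the same events."""
    return {
        e.customer_id: {
            "rule_suspect": rule_based_suspect(e),
            "score": risk_score(e),
            "decision": decide(e),
        }
        for e in events
    }


# Constructed sample events.
SAMPLE_EVENTS = [
    # Nebraska customer, known laptop, small payment, but connecting from Romania.
    LogOn("cust-001", "US", "RO", known_device=True, amount=120.00),
    # Same geography, but from a device the bank has never seen.
    LogOn("cust-002", "US", "RO", known_device=False, amount=120.00),
    # At home on a known device, moving a large sum.
    LogOn("cust-003", "US", "US", known_device=True, amount=6000.00),
    # At home on a new device, moving a large sum.
    LogOn("cust-004", "US", "US", known_device=False, amount=6000.00),
]

if __name__ == "__main__":
    for cid, verdict in triage(SAMPLE_EVENTS).items():
        print(cid, verdict)
```

Running it makes the trade-off in the text concrete: the pure rule flags both Romanian log-ons and neither domestic one, while the score lets the low-value, known-device foreign log-on through but holds the domestic large transfer from an unfamiliar device for an out-of-band call.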

The question is whether this set of technologies actually puts banks in compliance with the new FFIEC regs. The guidance requires that strong authentication be in place before allowing access to any personal information. That's because if a fraudster is able to access someone's checking account—including all his payment history and images of endorsed checks—protecting that single session from fraud may be beside the point. The fraudster may have something else in mind, like forging checks.
