In many instances, a user ID and password serve as the safeguard between consumers’ money and online fraudsters. However, growing pressures from consumers and financial regulators over stolen identities and credentials are driving banks to examine new, more sophisticated authentication technologies for real-time fraud prevention.
Authentication is the process of examining, and then verifying, the proper identity of parties involved in the transaction of data or money. User names, passwords, and personal identification numbers have been standard for authentication and online account access for years. Usually, individuals choose a word or set of characters that are easy to remember and can be used for multiple accounts. This practice puts consumers at risk for easy detection and fraudulent use of poorly protected accounts.
User names, passwords, and PINs can no longer be relied on by themselves. The static nature of single-factor authentication does not offer sufficient protection for customer accounts on today’s dynamic Internet.
Catering to a mobile society
The financial services industry has evolved to meet the growing demands of an increasingly mobile and time-deprived society. Traditional face-to-face transactions at local banks have been abandoned for customer drive-throughs, ATMs, and online banking. Unfortunately, more risks emerge along with the convenience these technologies bring.
According to a study by the Federal Trade Commission, 10 million Americans were identity theft victims in 2003. Of those, 6.6 million reported fraudulent use of existing accounts while more than three million reported new accounts opened in their names. These criminal activities cost consumers $5 billion and businesses $48 billion in financial losses.
In spite of such staggering statistics, the interest in and adoption of online banking continues to grow. A 2005 study by Javelin Strategy and Research indicated about 70 percent of customers bank online as much as or more than they did a year ago. And, for every customer who shied away from online accounts in the past year out of security concerns, three customers conducted more of their business online.
This evidence creates a good-news, bad-news scenario. As the use of online banking grows, online fraud will continue to evolve, with each new attack vector more insidious than the last.
Online fraud and identity theft can prove devastating to a financial institution’s reputation. It is crucial for companies to know and recognize their customers in the online world, just as though they’re conducting business offline.
Single passwords are passé
For online banking to successfully grow to its full potential, financial institutions need to find reliable methods to authenticate this communication channel, removing the anonymity barriers of the Internet. Multi-factor authentication puts the power to stop the negative effects of identity theft into any bank’s hands, providing institutions with a much-needed first line of defense to not only protect customers, but also preserve their corporate reputations.
The following are examples of evolving attack vectors that easily circumvent single-factor authentication:
Strength in multi-factor authentication
Multi-factor authentication in its simplest form occurs when users are asked to present another form of identification when making a financial transaction in person. Customers offer an account number (something the user knows) along with a driver’s license (something the user has) while the financial institution visually verifies the picture ID as the customer (something the user is).
Financial institutions need reliable authentication that links a multitude of identity elements together for real security. As banks abandon their sole reliance on single-factor authentication, the new challenge becomes making multi-factor authentication seamless for the financial services organization, yet transparent to the online customer.
Customer receptivity is key to the successful introduction of new authentication techniques. Although consumers say they are worried about security in the online world, they do not want the burden of additional steps, cumbersome tokens or long-winded instructions to protect their accounts. So, financial organizations not only need to deploy cost-effective solutions from their standpoint, but also select intuitive, customer-sensitive technology that is seamless to the end user.
Unfortunately, many current methods of multi-factor authentication are invasive and require extensive customer education, interaction and support.
Although financial institutions have been experimenting with different authentication technologies for several years, customers have found them intrusive, while reliability and cost concerns have made them prohibitive.
Multi-factor authentication technologies currently in the marketplace include:
In conducting their due diligence, financial institutions should evaluate multi-factor authentication solutions based on the following:
Making authentication mutual
There has been a heavy focus on authenticating customers to the financial institution. However, research has shown that most financial institutions do not authenticate their websites to the consumer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting consumers cannot tell they are being directed to a spoofed website or falling prey to a man-in-the-middle attack.
By employing mutual authentication, companies can move beyond unilateral strategies and implement a mission-critical solution that supports a more holistic approach to online fraud prevention. Mutual authentication allows financial institutions to authenticate not only the consumer to the bank, but also the bank to the consumer. It is critical that consumers be able to easily verify the authenticity of their banks’ websites to eliminate the fear that their online communications and transactions are being unlawfully monitored or intercepted.
Current solutions that use secure cookies and shared images are purported to handle these types of attacks. In actuality, while better than just a username and password, they provide very little protection: a man in the middle can relay them, undetected, to the bank and back to the customer. However, mutual authentication technology that compares the intelligence contained in the IP addresses the browser is actually using to reach the bank’s website (or a spoofed site) against a “trusted” server list offers the most foolproof solution on the market today.
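The contrast drawn above, as an added toy model that is not part of the original article and not Digital Resolve’s code: a shared-image check passes through a relaying spoofed site unchanged, whereas a check of the endpoint address against a trusted server list does not. All IP addresses, usernames and images are constructed for the example, and the trusted list is assumed to be current.

```python
"""Toy model: shared-image check vs. trusted-server check under a relayed login."""
from dataclasses import dataclass

# Constructed trusted-server list (documentation address range, not a real bank).
TRUSTED_BANK_IPS = {"203.0.113.10", "203.0.113.11"}


@dataclass
class Bank:
    """The genuine banking site; returns the customer's enrolled shared image."""
    ip: str
    shared_images: dict  # username -> image enrolled by the customer (constructed)

    def login_step1(self, username: str):
        return self.shared_images.get(username)


@dataclass
class SpoofedSite:
    """A site on a different address that simply forwards step 1 to the real bank,
    so the customer sees the correct shared image (the pass-through the text describes)."""
    ip: str
    upstream: Bank

    def login_step1(self, username: str):
        return self.upstream.login_step1(username)


def shared_image_check(endpoint, username: str, expected_image: str) -> bool:
    """Customer-side check: is the image shown the one I enrolled?"""
    return endpoint.login_step1(username) == expected_image


def trusted_server_check(endpoint, trusted_ips=TRUSTED_BANK_IPS) -> bool:
    """Customer-side check: is the address the browser is using on the trusted list?"""
    return endpoint.ip in trusted_ips


def safe_to_enter_password(endpoint, username: str, expected_image: str) -> dict:
    """Runs both checks and only clears password entry when both pass."""
    image_ok = shared_image_check(endpoint, username, expected_image)
    server_ok = trusted_server_check(endpoint)
    return {"shared_image": image_ok, "trusted_server": server_ok,
            "enter_password": image_ok and server_ok}


# Constructed enrolment data for the demonstration.
BANK = Bank(ip="203.0.113.10", shared_images={"alice": "blue-sailboat"})
SPOOF = SpoofedSite(ip="198.51.100.7", upstream=BANK)
```

Running `safe_to_enter_password(SPOOF, "alice", "blue-sailboat")` shows the image check passing while the trusted-server check fails, which is the only signal that stops the password from being disclosed.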
Holistic approach for the future
Security has long been key to building confidence in the online channel. According to Jupiter Media, consumers do not view all banks equally with respect to online security, making the handling of these issues a key differentiator.
With that in mind, it is incumbent on banks to stay vigilant and proactive to keep ahead of the cyber thieves who continue to grow more sophisticated and opportunistic. Companies need to prevent rather than just detect online fraud, so strong multi-factor authentication coupled with mutual authentication is emerging as a viable strategy for comprehensive fraud prevention.
A more holistic, multi-layered approach to fighting online fraud and identity theft should be implemented. Additional authentication checkpoints beyond the basic factors, such as out-of-band verification and e-mail notification, should be delivered on an extensible platform. In addition, financial institutions should complement strong authentication with more profiling of users’ activity and their online transactions.
Banks that offer strong authentication, along with end-user convenience and relatively low ongoing maintenance and operational costs, will provide the most solid foundation for the future.
Dennis Maicon is executive vice president of financial services solutions at Atlanta-based Digital Resolve, whose online authentication products include Fraud Analyst and E-Scam. For more information, visit www.digital-resolve.net.
© Copyright BankNews, March 2006