Issue of June 2006 


Vendor Voice

Need for stronger authentication

With a surge in online threats such as phishing, banks need stronger authentication, says Naftali Bennett.

Fraudsters have already targeted large banks such as The Reserve Bank (audaciously using a fake e-mail sent out over the name of a senior NSW Fraud Squad officer), Westpac, National Australia Bank and the Commonwealth Bank. Even regional banks are not immune—Suncorp-Metway was targeted with a phishing scam in February.

These threats pose a significant challenge for financial institutions offering Internet banking services. Banks clearly must continue to provide online services to their account-holders while at the same time protecting their funds and identities.

Practical decisions

However, these same institutions must also make sound business decisions that balance factors such as cost, ease of deployment, potential impact on the user experience, and the need to comply with changing regulations and guidelines. They also need to combat threats that originate outside the firewall as well as unauthorised access to information inside it.

It is clear that financial institutions’ online services must be better protected, but the question is: How?

Beyond ‘one-size-fits-all’

Up until recently, the term ‘strong authentication’ would immediately conjure up visions of consumers walking around with one or more tokens on their key chains. While tokens and the one-time passwords they generate will still provide robust authentication, today’s security challenges require the industry to match the level of authentication to the level of risk—regardless of the specific authentication technology deployed.

Hardware-based authentication solutions are still current and viable, but they are not the ‘one-size-fits-all’ solution that banks require. In fact, in today’s complex environment ‘one-size-fits-all’ just won’t work.

A point solution can be both too strong and too weak at the same time: too strong for the typical consumer and too weak against fraudsters. Instead, banks need to deploy a continuum of solutions that includes anti-phishing and anti-pharming measures, mutual authentication, transaction authentication and signing, one-time passwords delivered via hard or soft tokens, risk management and transaction monitoring.

RSA Security’s annual Consumer Online Fraud Survey in the US this year revealed that 73 percent of bank account-holders believe that financial institutions should replace username-and-password login with stronger authentication. A further 89 percent of account-holders said they would like their banks to monitor online banking sessions for signs of irregular activity or behaviour.

Monitor transactions

Ideally, banks should monitor every online transaction, not just the log-in but the entire online banking session. This is similar to what the credit card industry has been doing for two decades. Furthermore, these technologies must be nearly invisible to the bank’s customers to avoid impacting the user experience.

A key component of any holistic suite of authentication and anti-fraud solutions should be fraud intelligence. A cross-bank database of known fraud activity should aim to detect and prevent fraud before customers are affected. Self-learning analytics coupled with real-time risk-scoring can provide the flexible, adaptive security required to combat threats.

For example, a recently identified phishing technique known as a Smart Redirection Attack is designed to ensure that potential phishing victims are always taken to a live Web site, even after some of the fraudster’s sites have been taken down.

A Smart Redirection Attack is particularly hard to combat because the fraudster creates a number of similar phishing Web sites hosted at different locations. All of the e-mail messages received by consumers contain links to Web sites that direct the victim to an IP address hosting the ‘smart redirector’. When the potential victim clicks on the link, the redirector checks all of the related phishing Web sites, identifies which are still live, and invisibly redirects the user to one of them. The practical consequence is that taking down the single landing page a victim reported does not stop the campaign: the redirector simply selects another mirror, so the redirector address and every mirror it can reach must be identified and blocked or taken down together.
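The following is an added example, not code from the article or from RSA Security, showing how a defender can recognise a smart redirector from redirect chains that have already been recorded (for instance by a URL sandbox that follows links from reported phishing mail). It assumes each chain is an ordered list of URLs, from the link in the e-mail to the page the victim finally lands on; the hostnames, IP address and paths in the sample data are constructed for illustration. A hop that sends the same inbound link to several different landing hosts over repeated observations is the signature of a redirector, and the blocklist is built from every host in every chain rather than from the landing page alone.

```python
"""Spot a 'smart redirector' in recorded phishing redirect chains.

Added example for illustration; not part of the original article.
Assumes a list of redirect chains, each an ordered list of URLs from the
e-mail link (first element) to the landing page (last element).
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: the same e-mail link followed on three separate
# occasions, plus a plain single-site phish for contrast. All hosts,
# the IP address and the paths are invented.
OBSERVED_CHAINS = [
    ["http://bank-secure-login.example/verify?id=1",
     "http://198.51.100.7/r.php",
     "http://netbank-update.example/login.html"],
    ["http://bank-secure-login.example/verify?id=1",
     "http://198.51.100.7/r.php",
     "http://secure-netbank.example/login.html"],
    ["http://bank-secure-login.example/verify?id=1",
     "http://198.51.100.7/r.php",
     "http://netbank-update.example/login.html"],
    ["http://other-bank-alert.example/index.html"],
]


def host_of(url):
    """Normalised hostname (or IP literal) of a URL."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    return host.lower()


def find_redirectors(chains, min_distinct=2):
    """Return {hop_host: sorted landing hosts} for every intermediate hop
    (lure site or redirector) that has delivered the same inbound traffic
    to at least `min_distinct` different landing hosts. A single-site
    phish never fans out and is therefore never flagged."""
    landings = defaultdict(set)
    for chain in chains:
        if len(chain) < 2:
            continue  # no redirect at all; nothing to attribute
        landing = host_of(chain[-1])
        for hop in chain[:-1]:
            landings[host_of(hop)].add(landing)
    return {hop: sorted(hosts)
            for hop, hosts in landings.items()
            if len(hosts) >= min_distinct}


def blocklist(chains):
    """Every host seen anywhere in any chain: lure domains, the redirector
    and all mirrors. Blocking only the landing page leaves the redirector
    free to send the next victim to a mirror that is still live."""
    return sorted({host_of(url) for chain in chains for url in chain})


if __name__ == "__main__":
    for hop, hosts in find_redirectors(OBSERVED_CHAINS).items():
        print("fan-out hop %s -> %s" % (hop, ", ".join(hosts)))
    print("blocklist:", ", ".join(blocklist(OBSERVED_CHAINS)))
```

On the sample data both the lure domain and the redirector IP are flagged, because each has been observed delivering the same link to two different landing hosts, while the single-site phish is not. The same grouping works on live sandbox output as long as each observation records the full chain rather than only the final page.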

Multi-faceted responses

Fast-moving, adaptable threats require equally agile, multi-faceted security responses. There are different technologies that provide multi-factor authentication, and banks must seriously consider the implications of each in terms of cost, ease of deployment and potential impact on usability.

More importantly, banks must consider how and when to implement stronger authentication within their online applications. This does not just mean tokens but layered, adaptive authentication.

The author is Senior Vice-president and Founder of the Consumer Solutions Division of RSA Security

Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.