Need for stronger authentication
With a surge in online threats such as phishing, banks need stronger authentication,
says Naftali Bennett.
Fraudsters have already targeted large banks such as The Reserve Bank (audaciously
using a fake e-mail sent out over the name of a senior NSW Fraud Squad officer),
Westpac, National Australia Bank and the Commonwealth Bank. Even regional banks
are not immune: Suncorp-Metway was targeted with a phishing scam in February.
These threats pose a significant challenge for financial institutions offering
Internet banking services. Banks clearly must continue to provide online services
to their account-holders, while at the same time protect their funds and identities.
However, these same institutions must also make sound business decisions that
balance factors such as cost, ease of deployment, potential impact on the user
experience, and the need to comply with changing regulations and guidelines.
And they also need to combat threats that originate outside of the firewall,
as well as unauthorised access to information inside it.
It is clear that financial institutions' online services must be better
protected, but the question is: How?
Beyond one-size-fits-all
Up until recently, the term strong authentication would immediately
conjure up visions of consumers walking around with one or more tokens on their
key chains. While tokens and the one-time passwords they generate will still
provide robust authentication, today's security challenges require the
industry to match the level of authentication to the level of risk, regardless
of the specific authentication technology deployed.
Hardware-based authentication solutions are still current and viable, but they
are not the one-size-fits-all solution that banks require. In fact,
in today's complex environment one-size-fits-all just won't
A point solution can be both too strong and too weak at the same time: too
strong for the typical consumer and too weak for fraudsters. Instead, banks
need to deploy a continuum of solutions that include anti-phishing and -pharming,
mutual authentication, transactional authentication and signing, one-time passwords
delivered via hard or soft tokens, risk management and transaction monitoring.
RSA Security's annual Consumer Online Fraud Survey in the US this year
revealed that 73 percent of bank account-holders believe that financial institutions
should replace username and password login with stronger authentication. Also
89 percent of account-holders said they would like their banks to monitor online
banking sessions for signs of irregular activity or behaviour.
Ideally, banks should monitor every online transaction, not just log-in,
but throughout the entire online banking session. This is similar to what the
credit card industry has been doing for two decades. Furthermore, these technologies
must be nearly invisible to the bank's customers to avoid impacting the
A key component of any holistic suite of authentication and anti-fraud solutions
should be fraud intelligence. A cross-bank database of known fraud activity
should aim at detecting and preventing fraud before customers are affected.
Self-learning analytics coupled with real-time risk-scoring can provide the
flexible, adaptive security required to combat threats.
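The session-wide monitoring, real-time risk-scoring and self-learning profile described above, shown as an added example (this is not code from the original article or from any RSA Security product): every event in a banking session is scored, not only the login, and each one gets a decision of allow, step-up (challenge with a one-time password) or block. The event fields, weights, thresholds and the two sample sessions are all constructed assumptions for illustration.

```python
# Illustrative session risk scoring (added example; not RSA's product logic).
# Scores every event in an online banking session, not only the login, and
# returns a decision per event: "allow", "step_up" (challenge with a one-time
# password) or "block". Weights, thresholds and sample events are constructed.
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                  # "login", "view", "add_payee" or "transfer"
    device_known: bool = True  # device fingerprint seen before for this customer
    ip_country: str = "AU"     # country of the client IP address
    failed_logins: int = 0     # failed attempts immediately before this login
    amount: float = 0.0        # transfer amount, for kind == "transfer"
    payee_new: bool = False    # payee never used by this customer before


@dataclass
class CustomerProfile:
    home_country: str
    typical_amount: float      # running average of the customer's past transfers


BLOCK_AT = 70                  # constructed thresholds
STEP_UP_AT = 40


def session_baseline(login: Event, profile: CustomerProfile) -> int:
    """Risk carried by the login context into every later event of the session."""
    score = 0
    if not login.device_known:
        score += 25
    if login.ip_country != profile.home_country:
        score += 30
    score += min(login.failed_logins, 3) * 10   # capped so it cannot dominate
    return score


def event_risk(event: Event, profile: CustomerProfile) -> int:
    """Risk specific to a single in-session action."""
    if event.kind == "add_payee":
        return 15
    if event.kind == "transfer":
        risk = 20 if event.payee_new else 0
        if profile.typical_amount > 0 and event.amount > 3 * profile.typical_amount:
            risk += 30                          # far outside the customer's pattern
        return risk
    return 0


def decide(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def learn(profile: CustomerProfile, event: Event) -> None:
    """Exponential moving average: the profile adapts to transfers that were allowed."""
    if event.kind == "transfer":
        profile.typical_amount = 0.8 * profile.typical_amount + 0.2 * event.amount


def assess_session(events, profile):
    """Return (kind, score, decision) per event; stop scoring once an event is blocked."""
    baseline = session_baseline(events[0], profile)
    results = []
    for ev in events:
        score = baseline + event_risk(ev, profile)
        decision = decide(score)
        results.append((ev.kind, score, decision))
        if decision == "block":
            break
        if decision == "allow":
            learn(profile, ev)
    return results


# Constructed sample: a customer who normally transfers about $500 from Australia.
def sample_profile() -> CustomerProfile:
    return CustomerProfile(home_country="AU", typical_amount=500.0)


NORMAL_SESSION = [
    Event("login"),
    Event("view"),
    Event("transfer", amount=400.0),
    Event("add_payee"),
    Event("transfer", amount=5000.0, payee_new=True),
]

# The same large transfer, but from an unknown device abroad after two failed logins.
SUSPICIOUS_SESSION = [
    Event("login", device_known=False, ip_country="US", failed_logins=2),
    Event("view"),
    Event("transfer", amount=5000.0, payee_new=True),
]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        print(name)
        for kind, score, decision in assess_session(session, sample_profile()):
            print(f"  {kind:10} score={score:3} -> {decision}")
```

In the normal session the login, a routine transfer and a new-payee addition are allowed, while the unusually large transfer to a new payee raises the score to the step-up band, so only that one action costs the customer a one-time password. In the suspicious session the login context alone crosses the block threshold, so nothing past the login is scored. The moving-average update is the simplest form of the self-learning behaviour the text refers to: the profile drifts with the customer's genuine activity rather than being fixed at enrolment.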
For example, a recently identified phishing technique known as a Smart Redirection
Attack is designed to ensure potential phishing victims always link to a live
A Smart Redirection Attack is particularly hard to combat because the fraudster
creates a number of similar phishing Web sites based at different locations.
All of the e-mail messages received by consumers contain links to Web sites
that direct the victim to an IP address that hosts the smart redirector.
When the potential victim clicks on the link, the redirector checks
all related phishing Web sites, identifies which sites are still live, and invisibly
redirects the user to one of them.
Fast-moving, adaptable threats require equally agile, multi-faceted security
responses. There are different technologies that provide multi-factor authentication,
and banks must seriously consider the implications of each in terms of cost,
ease of deployment and potential impact on usability.
More importantly, banks must consider how and when to implement stronger authentication
within their online applications. This does not just mean tokens but layered,
The author is Senior Vice-president and Founder of the
Consumer Solutions Division of RSA Security