The challenge of balancing security and positive client experience continues to plague efforts by North American banks to implement multifactor authentication solutions, according to a recent study.
Only 50 per cent of U.S. retail online banking, 40 per cent of small business online banking and 60 per cent of corporate online banking operations had MFA solutions deployed last year despite a 2005 deadline set by the U.S. Federal Financial Institutions Examination Council (FFIFEC).
However, these figures are expected to approach 90 to 95 per cent across the board by the end of 2007, according to a report by Celent LCC, a research and advisory firm based in Boston.
While not required to comply with the FFIFEC directive, the Canadian banking industry showed 44 per cent MFA implementation in 2006. It is expected to boost that number to 67 per cent by end of this year then to 100 per cent by the end of 2008.
Multifactor authentication refers to the use of two or more methods to verify the legitimacy of a person’s identity. In online banking this may involve requiring a customer to produce and key in a bank card number and an accompanying personal identification number (PIN) or password before being allowed access to his of her account.
The increasing incidence of online crime such as phishing, online fraud, identity theft and man-in-the middle attacks has spurred the drive towards enhanced security measures. A Celent analyst, however, said banks continue to wrestle with the dilemma of reducing risk and preserving client satisfaction.
“Organizations are struggling with finding a solution that will be secure but transparent enough so as not to interrupt or drastically alter customary client interface,” said Jacob Jegher, Montreal-based banking group senior analyst for Celent.
What’s being employed now is “a better than nothing interim solution,” suggests Eric Skinner, chief technology officer for Entrust Canada an Ottawa-based security software provider.
Entrust has several bank clients in the U.S. and was involved with Scotiabank’s MFA experiments in the 1990s as well as the Royal Bank of Canada’s program to encrypt e-mail transmissions.
Apart from PINs and passwords, Skinner said for most online banking operations, MFA options include:
- Hardware tokens – gadgets similar to key fobs which as the touch of a button provide user with a randomly chosen one-time-use PIN to be used to during sign on;
- Grid cards – plastic cards that contain a grid of numbers and letters. Upon sign on users will be prompted to key in a number or set of numbers found within a system specified coordinate in the card;
- Challenge questions – users are asked to answer a previously chosen question to which his or her answer has been pre-recorded;
- Image and phrases – used the same was as challenge questions but these are pictures and associated phrases that customers have previously chosen; and
- Behaviour detection software – software installed in bank servers that can detect and analyze transaction patterns for possible fraud. For instance, the system can temporarily stop transaction or alert a representative to contact a client if the software detects an unusually large number of multiple withdrawals form different automated bank teller (ATM) machines at the same day.
The idea is to use a “combination or layers” of these security methods.
Jegher said hardware tokens and grid cards are already widespread in Europe but banks in North America have been hesitant to employ them due to customer resistance to an added device to carry along. The gadgets are also prone to being lost, misplaced or stolen.
With a total estimated ownership cost of US$641,000 to US$2.4 million for 25,000 online users for the first year to cover production, distribution, vendor support and staff implementation, hardware tokens are also considered to be the most expensive option. The technology will cost about and US$397,000 to US$569,000 for each year after initial deployment, according to separate earlier survey.
The total cost of software solutions for 25,000 online users us estimated at US$ 358,000 to US$1.1 million for the first year and US$330,000 to US$1.1 million for each year after. They are considered less costly than hardware to implement but disproportionately costlier to support.
Challenge questions and passwords are considerably less expensive.
Image and phrase association is beginning to gain traction with most U.S. banks but is only marginally used in Canada, according to Jegher.
The system was initially used by ING Direct Canada in November last year, a similar model was adopted by BMO Bank of Montreal in July of 2007.
ING customers pick out a phrase or a picture they want from the banks database photos of various subjects such as animals, people, or nature shots, according to Brenda Rideout, CIO, for ING Canada.
When the customer logs in to do some online banking, the system prompts the user to identify the previously chosen image and phrase from a lineup to prove his or her identity. If the user is logging in from an unregistered machine, the system asks three challenge questions.
Rideout said the system is effective against man-in-the-middle attacks.
The methods above, he said, does not guarantee against man-in-the-attacks where hackers are able to lure users to a replica of an authentic site and proceed to steal whatever identification codes and information the user usually present to the bank.
“It’s simple. If you don’t see that image in your screen, then you’re not in our site,” Rideout said.
The CIBC, HSBC Canada, Royal Bank of Canada and TD Canada Trust all use varying flavours of the personal identification or challenge questions that are asked of customers when they log in from a computer that is not registered with the bank.
But these methods as well as the image and phrase combination might not be adequate to deter a man-in-the-middle attack according to Garret Grajeck, president of Multi-Factor Authentication Inc., California-based security technology provider.
Grajek said a digital certification system also known as virtual token system provides greater protection.
A system such as the company’s browser-based SecureAuth product which can be administered by a single Webmaster can provide secure ID certificates for both the user’s machine and the bank’s server.
Upon logging into the bank’s site, the tool instantly determines the identity of the user’s machine and at the same time provides the user with an authentication of the site.
Mike Gibson, vice-president of sales for Dynatrac Systems Canada Inc. in Vancouver said ATM bankers can also use biometric smartcards.
The plastic cards will not only contain PIN and information about the user but will come with biometric identifiers such as scanned images of a user’s iris or finger blood veins. He said the system is already in use in by some airlines on the flight crews.
The Celent study noted observed that much of the MFA implementation is concentrated on online banking which currently comprises the bulk of transactions handled by North American institutions.
However, Jegher said telephone banking and mobile banking is apparently receiving less attention, perhaps due to the low number of customers using these services.
He said only 30 per cent of U.S. banks are set to deploy additional security measures for telephone banking this year.
Voice recognition technology could be of help in this area. However, some banks are hesitant to deploy such solutions for fear that alienating customers in the event of some product shortcoming. “Imagine the backlash from customers who complain that the system cannot recognize their voice,” Jegher said.
Jegher said ABN AMRO bank was successful though in implementing biometric voice verification to its four million telephone banking customers in the Netherlands.
Celent also expects a shift towards mobile banking and aired the need for development of MAF solutions in this area. The company foresees 30 per cent of online banking households to engage in mobile banking by the end of 2010.
Celent believes banks need to pair short message service (SMS) with downloadable applications and possibly application protocol (WAP) solutions for an efficient and secure approach.
The report said SMS and text messaging have become very popular with younger mobile users while downloadable applications can allow mobile phones to act as a type of silent token.
Characteristics of the device can be passed back to a bank’s server to validate login.
All the experts interviewed agreed that MAF implementation cannot be a one shot deal. Organizations should continue to develop their defenses as fraudsters and hackers will persist in creating new strategies.