US bank gives two-factor authentication to millions of customers

UK awaits two-factor standard...

By Dan Ilett, 7 November 2005 15:45

NEWS

Bank of America is to provide two-factor authentication technology to 14.5 million customers in a bid to cut identity theft.

The online software, made by PassMark Security, is currently an optional service to customers in 20 states but will become compulsory in the future, the bank said.

To use the service, which is to be rolled out in all states in the country next year, customers must pick an image, write a phrase and select three challenge questions.

Earlier this year Lloyds TSB began a pilot of two-factor authentication tokens with 30,000 online banking customers.

Customers are currently logging onto the bank's website with their username, password and a one-time six-digit code generated by the token.

The move was part of a wider strategy outlined by the Association of Payment and Clearing Systems (Apacs) which said that banks should start to offer two-factor authentication, the standard for which has not yet been announced.

A spokeswoman for Apacs told silicon.com: "They will be done by the end of the year. This is not about the standard now but the customer usability research to make sure they can use it."

Comments

There are 4 comments.

  1. Graham Coles

    And this will stop fraud how?

    Let me see. Customer previously logged onto bank using username and password.

    Or perhaps they send the information to a website looking like the bank which simply uses it to log into the real bank site and has access to the online account.

    Now it's all going to change.
    The customer can now give a username, password and a generated 6-digit nonce which is far more secure because now the fake website has to pass on an extra 6-digit value and this is, well, not really any more difficult than just forwarding the username and password.

    Either there is more to this than has been reported, or this is the most useless bit of security I've seen yet. The biggest threat for online banking must surely be man in the middle websites and this does not address it.

    Surely the proper way of handling this is with a smartcard attached to a pinpad on the computer, for user authentication and transaction encryption.

    Using a pinpad instead of a card reader would also allow secure, manual pin entry that cannot be compromised by spyware or keyboard scanners and must be entered by the customer.

    The smart card itself should cost practically nothing, as everyone should have been issued one already as part of chip and pin. This could presumably be loaded with a second application for online banking.

  2. Al Kolkin

    I use this function on B of A. It seems useless to me. I log in and when I press enter, another screen comes up that forces me to fill in a password again. The second screen contains a picture and a phrase and I am told

    "If you recognize your SiteKey, you'll know for sure that you
    are at the valid Bank of America site. Confirming your SiteKey is
    also how you'll know that it's safe to enter your Passcode and click the Sign In button."

    So, the idea is to determine if the site has been hijacked, not if I am the real user. Very strange indeed.

  3. George Capehart

    <rant>
    The BofA authentication protocol is /*NOT*/ two-factor. Two-factor authentication involves "something you have" and "something you know." Like an ATM card and a PIN. Or a digital certificate and a passcode, or a login ID and an OTP pad or a SecurID device. It is /*single*/ factor, something you know (login ID), something you know (password/PIN) and something you know, recognizing your "image" or the answer to your challenge questions. It is a PITA to use because it relies on persistent cookies in order to recognize the computer that is logging in.

    It is one of the most naive and unwieldy authentication schemes I've ever seen. It uses persistent cookies in order to recognize the sending browser so that it can figure out what image to send. If one flushes the cookie cache like I do, one has to go through the challenge-response sequence every time one logs on.

    This protocol does /*NOT*/ protect against shoulder surfing like a real dual-factor authentication protocol does. It does /*NOT*/ protect against replay attacks . . . it's an insult to one's intelligence.
    </rant>

    Disclaimer: I am a BofA customer and am seriously thinking of changing my bank. It was bad enough when SQL Slammer took out their ATM network (who in their right mind would have an ATM network on the same network as the rest of the enterprise . . . and who would not firewall off all desktop PCs from the backbone?) This is worse than naive . . . it borders on incompetence.

  4. Bret

    George,

    I would spend more time using the BofA system before writing about it. I have had SiteKey for months now and I have yet to have to answer any of the challenge questions and I have my browser configured to delete all cookies when I shut down the browser. Perhaps it is just a problem with your system.

    On two factor systems.
    All a hardware token fob is, is a fancy password. In your definition it is not two way as well. Tokens have been susceptible to man in the middle and replay attack for years. One time passwords (that's OTP by the way) are also replayable and the code can be cracked.

    Having had tokens for my Etrade account, I can tell you that they are not convenient and they break with annoying frequency (I went through 2 in a week). Trust me, being asked a question you know the answer to is a small pain compared to losing your key fob and missing out on a good trade.

    Nothing is going to be perfect, but it is far better than most solutions out there.
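The relay argument in comment 1 and the replay claims in comments 3 and 4 can be made concrete. The following is an added simulation written for this page; it is not code from the article, the bank, PassMark or any commenter. It implements RFC 4226 HOTP (the kind of six-digit code a token like the Lloyds TSB one produces) with a bank-side counter, then models two things: a look-alike site that forwards a live code to the real bank, and a hypothetical transaction-signing mode in which the code also covers payee and amount, which is what comment 1's smartcard-and-pinpad proposal amounts to. The `Token` and `BankServer` classes, `sign_transaction`, the password and the payee names are all constructed for the example; the secret is the published RFC 4226 test key so the HOTP output can be checked. Python 3.9 or later.

```python
import hashlib
import hmac


# Key from the RFC 4226 test vectors, used here only so the HOTP output can be
# checked against published values. A real token holds a per-device secret.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(value % 10 ** digits).zfill(digits)


def sign_transaction(secret: bytes, counter: int, payee: str, amount: int) -> str:
    """Hypothetical transaction-signing mode (constructed for this example): the
    code covers who is being paid and how much, so it is valid only for that
    exact transaction. Truncated to 8 hex digits to fit a small token display."""
    msg = counter.to_bytes(8, "big") + f"{payee}|{amount}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class Token:
    """Customer's device: shares a secret with the bank and keeps a moving counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = -1

    def next_code(self) -> str:
        self.counter += 1
        return hotp(self.secret, self.counter)

    def sign(self, payee: str, amount: int) -> tuple[int, str]:
        self.counter += 1
        return self.counter, sign_transaction(self.secret, self.counter, payee, amount)


class BankServer:
    """Bank side: accepts a code only within a look-ahead window past the last
    counter it has seen, then records that counter so no code is accepted twice."""

    def __init__(self, secret: bytes, password: str, window: int = 10) -> None:
        self.secret = secret
        self.password = password
        self.window = window
        self.last_counter = -1

    def login(self, password: str, code: str) -> bool:
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # consume it: a later replay of this code fails
                return True
        return False

    def transfer(self, counter: int, payee: str, amount: int, signature: str) -> bool:
        if counter <= self.last_counter:  # already used, or older than the last code seen
            return False
        expected = sign_transaction(self.secret, counter, payee, amount)
        if not hmac.compare_digest(expected, signature):
            return False
        self.last_counter = counter
        return True


def scenario_relay_login() -> tuple[bool, bool]:
    """A look-alike site forwards the password and the fresh 6-digit code straight
    to the bank; the code is still live, so the relayed login succeeds. Only a
    second use of the same code is refused, which is all the counter buys you."""
    token, bank = Token(RFC4226_SECRET), BankServer(RFC4226_SECRET, "hunter2")
    code = token.next_code()                 # customer types this into the fake site
    relay_ok = bank.login("hunter2", code)   # fake site forwards it immediately
    replay_ok = bank.login("hunter2", code)  # the same code presented again is refused
    return relay_ok, replay_ok


def scenario_relay_transfer() -> tuple[bool, bool]:
    """With transaction signing the customer's code is bound to payee and amount.
    A relay that swaps the payee is refused; the unaltered transaction passes."""
    token, bank = Token(RFC4226_SECRET), BankServer(RFC4226_SECRET, "hunter2")
    counter, sig = token.sign("Alice", 100)                    # customer signs what they intended
    tampered_ok = bank.transfer(counter, "Mallory", 100, sig)  # relay changes the payee
    honest_ok = bank.transfer(counter, "Alice", 100, sig)      # forwarded unchanged
    return tampered_ok, honest_ok


if __name__ == "__main__":
    print("HOTP(counter=0) =", hotp(RFC4226_SECRET, 0))  # 755224 per RFC 4226
    print("relayed login accepted, replay accepted:", scenario_relay_login())
    print("tampered transfer accepted, honest accepted:", scenario_relay_transfer())
```

The counter (or a time step, for TOTP) stops a captured code from being reused, but it cannot stop a code being forwarded while it is still fresh, because nothing in the code says which site or which action it was meant for. Binding the code to the transaction details is what closes that gap, which is why the later generation of bank card readers asks the customer to key in the payee or amount before producing a code.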
