ID theft: 'Two-factor authentication won't stop it'

It's just part of the security mix, say banks...

By Steven Deare, 7 December 2006 15:35


Authentication tokens used for online transactions will not stop identity theft, banks have warned as they search for other measures to secure customer accounts.

Many banks already issue business customers with tokens that generate one-time passwords for logging in to online accounts. However, the resourcefulness of modern identity thieves has some in the industry worried that they will soon work out how to defeat even this form of two-factor authentication.

David Harley, senior manager, fraud prevention and control, Bendigo Bank, told a finance technology conference: "One of the biggest challenges is the continuing change in methods of attack.

"The crooks that we face have no limit on their R&D budget. If they want something they don't have to go through a business portal, they don't have to go to an architecture and estimation committee, and they don't have to go in six-month release cycles."

Bendigo first issued tokens two years ago to customers with accounts of more than AU$5,000.

This did not stop identity thieves, however. Rather than attacking the token-protected accounts, they simply shifted their attention to the accounts the tokens did not cover.

Harley said: "What we found was there was then a lot of [phishing] focus on customers under AU$5,000.

"We recognise that whatever level we put the tokens in at, the crooks will go to the next level down, and they will try and do broader attacks."

Bendigo nonetheless recommends that all customers purchase one of its tokens, which the bank says still offer the best protection available today.

Another bank using tokens for two-factor authentication is HSBC.

Liam Griffith, IT security manager at HSBC, said although the bank improved security with the tokens, it was looking for other measures too. "[We are] looking at different ways that we can protect the customer in the future," he said.

"For us, two factor has a limited time span... we're trying to be proactive."

His comments were backed by the Commonwealth Bank's general manager of ecommerce, Marcus Judge, who said tokens could not guarantee online security.

Judge said: "You can't ever absolutely be certain that people cannot steal your money from an internet banking account. You can put it under your bed or bury it in a cave but you can never be absolutely certain that somebody can't steal it.

"We don't see two-factor authentication as a one shot panacea by any means, we see it as part of the mix, an important part of the mix."

A usability issue surrounding the tokens often compounds the problem, according to Bendigo's Harley. "We've had a heap of people who've rung up and complained about the token because the token doesn't work," he said.

Some customers tried to generate passwords while the token was upside down, in which case "there's virtually no way known the token will work", he said.

Any new authentication measure had to account for different ways customers might use the technology, according to Harley.

Steven Deare writes for ZDNet Australia

Comments

There are 3 comments.

  1. anonymous

    Anything's better than nothing at all. Unless you are stupid enough to write your PIN down, then two-factor authentication will stop ID theft at the moment. Stories like this are pure scaremongering with very little substance (just because B. Schneier says so means nothing more than him getting another year on the talk circuit); it's a mix of technologies that provides the protection, not just 2FA. 2FA will move to biometrics but the principle is the same. The vast majority of us plebs have no access to this form of authentication for banking anyway.

  2. Mike W

    Why not just send an SMS keyword to the user's registered mobile phone as part of the validation procedure. Avoids having hardware, but costs a couple of pence each time ... or it could last for the day.

  3. Graham Coles

    Very old news.

    I read about the failure of two-factor auth for online services in Bruce Schneier's Crypto-Gram back in March 2005.

    After 20 months the banks are just realising this, as though it were a shock revelation that nobody thought could occur.

    Perhaps they should tackle these issues more seriously when they are raised rather than rolling them out and pretending they don't exist.

    They were told, they didn't listen. I'm sure there's a lesson to be learnt there, but I'm less convinced of their ability to learn it.
