US sets standard for internet banking security


19 December 2005

A recent directive from the US Federal Financial Institutions Examination Council will require US banks to strengthen security for internet customers through authentication that goes beyond mere user names and passwords, to be in place by the end of 2006. As a result, most banks will adopt some form of two factor authentication for all internet customers.

Designed specifically to combat phishing and other types of attack, the new authentication systems have parallels already in use in industry, such as RSA keys. With the EU likely to follow the US lead, there are many implications for Irish banks.

Both of the major domestic banks have suffered phishing attacks and both have issued warnings in response. However, there is little information available on the success of these attacks, with one claiming to have had no confirmed victims. 

AIB will be introducing, as of early December, a two factor system called Smart Card for certain of its services, but it will not be mandatory for all customers. The in-house system employs a card that is used in conjunction with the normal authentication methods. “The ‘Code Card’ is unique to every user; it contains a list of 100 individual codes and each code will only ever be used once,” according to AIB.

A Bank of Ireland spokesperson said that it will shortly be delivering enhanced functionality in its online channel. This improved functionality will also increase security.

Elsewhere, the issue of two factor authentication for internet banking has progressed further. Fraser Thomas, CEO, Swivel Secure, has had much experience in the area. Offering an innovative two factor authentication system that uses either the end-user’s mobile phone or an online secure interface, Swivel Secure has been at the forefront of the drive to increase authentication security.

“There is a reluctance to embrace this technology in the West. However, in countries in the Far East, we have had a lot of success in installing proof of concepts in banks in Malaysia, Singapore, Thailand and China.” Indicating that these countries are often more authoritarian in their directives to banks, Thomas predicts Europe is ready to follow: “In Europe the market readiness is there.” However, the UK and Ireland may lag behind: “My feeling is that financial services organisations in the UK and Ireland seemed relatively happy to suffer the consequences of identity theft and internet-based crime and push it under the carpet rather than do something about stronger authentication. It is a view shared by many people in the industry”, said Thomas.

The impact for Irish banks, should they be compelled by legislation to provide increased security for authentication, may not be great. “It is a very small percentage [cost] compared to instituting internet banking. It was a seismic shift bringing that in. It was a major architectural change in the way banks did business. They would have already set up username and password management structures. Then they have to purchase authentication servers and put them alongside it. So it is not that huge a deal”, said Thomas.

While implementing the technology to support stronger authentication may not pose too many headaches, the main problem might be educating end users. In an enterprise, a training programme can be easily instituted; for the public, it can be more difficult to reach individuals.


TechCentral.ie