Financial institutions are especially exposed to IT threats because IT deployments cover every facet of their business operations. This is especially true of commercial online banking applications, where the risk stems largely from the bank's lack of control over the client (customer) side. Traditional authentication mechanisms for online banking have been a password and/or a one-time password from a dedicated token. Variants or combinations of these two authentication types have been deployed by most banks across the globe. Increasingly, these traditional customer authentication methods are being challenged and defeated. Avivah Litan, a Gartner analyst, says the threats (against traditional authentication mechanisms) include man-in-the-browser attacks that defeat one-time-password authentication from a dedicated token (such as the popular RSA SecurID), and call-forwarding that tops phone-based authentication, as well as transaction verification using SMS or voice calls.
Commercial banking has already seen early signs of man-in-the-browser attacks targeting the two-factor authentication used to protect commercial online banking customers. Online banking therefore needs to respond to these threats and deploy new authentication mechanisms.
Two additional authentication mechanisms that banks can deploy to manage the risks of traditional authentication are adaptive authentication and out-of-band authentication.
Adaptive Authentication
Adaptive Authentication is powered by risk-based authentication technology that conducts a risk assessment of every user behind the scenes. A risk score is assigned to each activity, and users are challenged only when an activity is identified as high-risk and/or an organizational policy is violated. This transparent authentication lets organizations increase security without compromising user convenience.
Adaptive Authentication monitors and authenticates activities based on risk, profiles, and policies by correlating:
Device identification profiles
Behavioral patterning profiles
User profiles
Service provider threat feeds
Fraud intelligence
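The following is an added example, not code from the article or from any vendor's product: a minimal risk-based decision engine that correlates the five signal types listed above into one score and challenges the user only when the score crosses a threshold or a policy rule fires. All weights, thresholds, profile data, IP addresses and device fingerprints are constructed for the illustration.

```python
"""Added example: a minimal adaptive (risk-based) authentication decision.

Constructed illustration, not a bank's or vendor's engine. Each signal
(device profile, behavioural pattern, user profile, threat feed, fraud
intelligence) contributes a weighted amount to a risk score; the user is
challenged only when the score reaches CHALLENGE_THRESHOLD or an
organizational policy is violated. Every weight, threshold and sample
value below is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    user_id: str
    known_devices: set = field(default_factory=set)     # device identification profile
    usual_countries: set = field(default_factory=set)   # behavioural pattern
    typical_max_transfer: float = 0.0                   # largest historical transfer


@dataclass
class ActivityContext:
    device_fingerprint: str
    country: str
    hour_utc: int
    transfer_amount: float = 0.0   # 0 for a plain login
    source_ip: str = ""


# Constructed feeds (TEST-NET addresses and made-up fingerprints).
THREAT_FEED_IPS = {"203.0.113.7"}            # service provider threat feed
FRAUD_INTEL_DEVICES = {"dev-mule-01"}        # fraud intelligence

CHALLENGE_THRESHOLD = 50
POLICY_MAX_TRANSFER = 10000.0                # organizational policy cap


def risk_score(profile, ctx):
    """Return (score, reasons); each matching signal adds its weight."""
    score, reasons = 0, []
    if ctx.device_fingerprint not in profile.known_devices:
        score += 30; reasons.append("unknown device")
    if ctx.country not in profile.usual_countries:
        score += 25; reasons.append("unusual country")
    if ctx.hour_utc < 5:
        score += 10; reasons.append("off-hours activity")
    if ctx.transfer_amount > 0 and ctx.transfer_amount > 2 * profile.typical_max_transfer:
        score += 20; reasons.append("atypical transfer amount")
    if ctx.source_ip in THREAT_FEED_IPS:
        score += 40; reasons.append("source IP on threat feed")
    if ctx.device_fingerprint in FRAUD_INTEL_DEVICES:
        score += 60; reasons.append("device linked to known fraud")
    return score, reasons


def decide(profile, ctx):
    """Return ('allow' | 'challenge', score, reasons).

    'allow' is the transparent path; 'challenge' means step-up authentication
    (for example the out-of-band phone confirmation described in the text).
    A policy violation challenges regardless of score.
    """
    score, reasons = risk_score(profile, ctx)
    if ctx.transfer_amount > POLICY_MAX_TRANSFER:
        reasons.append("policy: transfer cap exceeded")
        return "challenge", score, reasons
    if score >= CHALLENGE_THRESHOLD:
        return "challenge", score, reasons
    return "allow", score, reasons


# Constructed sample data used by the demonstration below.
ALICE = UserProfile("alice", known_devices={"dev-alice-laptop"},
                    usual_countries={"GB"}, typical_max_transfer=500.0)
USUAL_ACTIVITY = ActivityContext("dev-alice-laptop", "GB", 10, 200.0, "198.51.100.5")
SUSPICIOUS_ACTIVITY = ActivityContext("dev-unknown-9", "RO", 3, 4000.0, "203.0.113.7")
POLICY_ONLY_ACTIVITY = ActivityContext("dev-alice-laptop", "GB", 10, 20000.0, "198.51.100.5")

if __name__ == "__main__":
    for ctx in (USUAL_ACTIVITY, SUSPICIOUS_ACTIVITY, POLICY_ONLY_ACTIVITY):
        print(decide(ALICE, ctx))
```

The policy check runs even when the score is low, which is what the text means by challenging on a policy violation independent of risk: a large transfer from a known device in the usual country still triggers a step-up.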
Out-of-Band Authentication
Out-of-Band authentication is the use of two separate networks working together to authenticate a user. It works well because even if a fraudulent user obtains all the security credentials for a customer's account, a transaction cannot complete without access to the second authentication network. A popular device in out-of-band authentication is a phone. When an attempt is made to perform a transaction, a call is placed to the customer's registered phone number, and the authentication is complete only if the call is answered. The automated call consists of voice prompts directing the customer to speak a confirmation number displayed in the Web browser. Since completing the transaction depends on the customer's ability to answer the phone number they have given the bank and to correctly speak the confirmation number shown in the browser, a person attempting to make a transfer without access to the out-of-band network (the account holder's phone) is denied.
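The phone-based flow described above, as an added simulation that is not part of the article or of any bank's system: the web channel creates a pending transfer and shows a confirmation number; the bank dials the number on record (stubbed here), and the transfer completes only when that number is spoken back over the phone leg to the registered number, before a short expiry, and only once. The class, phone numbers, expiry window and the decision to read the amount and payee out in the voice prompt are all assumptions of this example.

```python
"""Added example: out-of-band transaction confirmation over a phone channel.

Constructed simulation, not a bank's implementation. The telephony provider is
a stub that records which number was dialled and what the prompt said. Phone
numbers come from the bank's records, never from the web session, so a
fraudster who holds the web credentials cannot redirect the call. The prompt
reads out amount and payee (an assumption of this example) so that a
browser-side alteration of the transfer would be heard by the customer.
"""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed validity window for the confirmation number


class OutOfBandConfirmer:
    def __init__(self, registered_phone_numbers, clock=time.time):
        self._phones = dict(registered_phone_numbers)   # user_id -> phone on record
        self._pending = {}   # txn_id -> (user_id, code, expires_at, (amount, payee))
        self._clock = clock  # injectable for testing expiry
        self.call_log = []   # (dialled number, voice prompt) from the stub

    def start_transaction(self, user_id, amount, payee):
        """Web channel: register a pending transfer, place the call,
        and return the confirmation number to display in the browser."""
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit confirmation number
        self._pending[txn_id] = (user_id, code, self._clock() + CODE_TTL_SECONDS,
                                 (amount, payee))
        self._place_call(user_id, amount, payee)
        return txn_id, code

    def _place_call(self, user_id, amount, payee):
        # Telephony stub: dial the number on record, not one from the web session.
        prompt = (f"Confirm transfer of {amount} to {payee}. "
                  "Please speak the number shown in your browser.")
        self.call_log.append((self._phones[user_id], prompt))

    def confirm_by_phone(self, txn_id, dialled_number, spoken_code):
        """Phone channel: complete the transfer only if the code spoken on the
        call to the registered number matches the pending transaction."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False, "unknown transaction"
        user_id, code, expires_at, (amount, payee) = entry
        if dialled_number != self._phones.get(user_id):
            return False, "call was not on the registered phone"
        if self._clock() > expires_at:
            del self._pending[txn_id]
            return False, "confirmation expired"
        if not hmac.compare_digest(code, spoken_code):
            return False, "code mismatch"
        del self._pending[txn_id]          # single use: no replay of the code
        return True, f"transfer of {amount} to {payee} approved"


if __name__ == "__main__":
    # Constructed numbers: a UK drama range and a US fictional number.
    oob = OutOfBandConfirmer({"alice": "+441632960000"})
    txn, code = oob.start_transaction("alice", 250.0, "ACME Ltd")
    print(oob.call_log[-1])
    print(oob.confirm_by_phone(txn, "+15555550100", code))   # wrong phone: denied
    print(oob.confirm_by_phone(txn, "+441632960000", code))  # registered phone: approved
```

The check against the registered number is the core of the mechanism: a credential thief who reaches the web channel still needs the customer's handset. Expiry and single use keep a confirmation number from being reused against a second, altered transaction.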
Some banks are also making efforts to ensure that clients (customer PCs) meet a certain level of security and hardening before they are allowed onto the network. The intent is to ensure that no Trojans or other malware are present on the client PC and that the customer interaction is handled securely. But this is proving to be a non-starter, as it is very difficult for banks to control the customer environment.