As cybercrime threatens online banking security and technologists debate the efficacy of two-factor authentication solutions, business and technical questions remain.
In a Network World "Face-Off" last year, RSA Security's Joe Uniejewski argued for two-factor authentication (which regulatory authorities recommend), while Counterpane's Bruce Schneier pointed out that attackers would find ways around this and banks would be better off addressing transaction security. I believe stronger authentication will help, but the industry also must focus on user awareness, computer security, network hygiene and business questions around transaction security.
I recently attended a meeting of NACHA-The Electronic Payments Association, at which it became clear that regulators are fairly open-minded about evaluating how banks address risk and that a ferment of creative energy and innovation is going into this area. The technical discussion is all about what one considers an authentication factor.
Is Authentify's voice recording, collected on the phone at the time of a transaction for audit purposes, a factor? Is Bank of America's SiteKey from Passmark, which displays a picture chosen by the user to authenticate the site, a factor? How about RSA Security's fraud network acquired from Cyota? Or 41st Parameter's sophisticated real-time device identification? Or Strikeforce Technology's plethora of plug-in functions? Could eWise's innovative, human-only-readable watermark hold the key? The latter weaves a transaction description such as "Wire $5,000 to Shanghai" alongside an illustrated confirmation code for the user to enter (or not). Potentially, the answer to all of these questions is yes.
From a business perspective, banks are much less concerned about losses to fraud than they are about scaring away customers. To them, online banking represents a Mecca of huge cost savings and revenue opportunities. The technical solutions that win out for them will be those that offer unobtrusive but effective protection.
The question no one seems to be asking out loud is: Who owns the liability? Astute users remain uneasy about what happens if a fraudster cleans out their bank account in a world of strong authentication. Will the bank make good the user's losses out of concern for its reputation, or will it hold the user negligent? A bank that invests in one-time password tokens will argue that the devices are effective and that, therefore, only the user could take money out of the account.