Overseas readers say authentication to their e-banks is more rigorous

* Reader views on the need for two-step authentication

A few weeks ago I wrote about how I wish my bank would implement better security for online banking and bill pay (see link below). This topic really struck a nerve, because I had quite a bit of reader feedback. What's most interesting to me is that the readers who described the best solutions to the problem are all outside the U.S. It seems that financial institutions in Europe and South Africa have figured out that decent online security is necessary, but it doesn't have to be expensive or complicated.

The feedback indicates that people believe U.S. banks and e-commerce sites haven't implemented two-step authentication (i.e., a second factor beyond a single password, usually something the customer physically holds) because of the expense of providing the physical mechanism, such as a smart card or token, and of building the infrastructure to support the additional security. Here's what one security consultant has to say:

"Two-step authentication is in fact what should be used for all financial transactions. ATMs, debit at the checkout, etc., already use this approach. In fact, the Visa rules now state that the bank's ATMs will need two individuals to load the ATM's encrypting key material or use a public key/private key loading method from the host.

"However, and here's the rub for the consumer, say the gentleman in Miami who lost $90K, the bank finds this amount an acceptable loss. Why? Consider that the bank has 5 or 10 million customers, and what is the cost of 5 to 10 million tokens? Also consider the distribution costs and replacement of lost tokens.

"My company used to sell a token for banking. It used a challenge/response architecture and was very secure. Not a single bank bought it in the U.S. Ask RSA how many of their tokens they sell to banks for consumers to use for e-banking. I bet it is minimal."

Some of the newsletter readers (and I) believe that the U.S. banking system won't adopt stricter security measures unless they are mandated through legislation, or if there are lawsuits that make doing nothing more expensive than doing something. Another reader wrote:

"You are exactly right about more secure online transactions. If banks would convert from standard ATM cards to a smart card, you would have exactly what you are describing... since there are USB smart card readers and middleware available today. As you know, having the smart card adds one more thing to the authentication ('something you physically have') as well as your user name and password.

"Banks have been using magnetic stripe ATM cards for more than 25 years, but they won't go through a change like this, which will be expensive, unless Congress pushes them or the public cries out for it."

I must thank the readers who wrote to tell me about the simple solutions their financial institutions have deployed. I don't see any unreasonable burden or cost in these solutions, and while they aren't hacker-proof, at least they do add another measure of security.

One reader in the Netherlands said many banks in Europe use one of three systems (or give you a choice) for session passwords:

* A SecurID-style token (like the RSA device, which generates a fresh one-time code for each logon rather than a fixed password).

* A transaction number (TAN) sent via SMS to your cell phone when you press the money-transfer button.

* A printed list of transaction numbers (a sheet full of random numbers), where for each set of transactions (a session) you take the next unused one.

A reader in South Africa believes that the online banking facilities in that country are far ahead of what's available in the U.S. He writes:

"Online banking has been available for over 15 years already. A lot of what you are speaking about has already happened and a lot of the issues have already been resolved to a certain extent. First National Bank (http://www.fnb.co.za) offers a token based authentication service and if you look at http://www.absa.co.za/absacoza/ [Absa Bank] and http://www.standardbank.co.za/ [Standard Bank] you will see that a lot of these security issues have been identified and are being addressed."

A correspondent in Germany described another low-tech solution that looks similar to the approach mentioned above by the Netherlands reader:

"My bank sent me a hard copy of a list of numbers called Transaction Authorization Numbers (TANs) by mail in a sealed envelope that is see-through protected. The TANs are six digits long and look very randomly selected to me. Whenever I would like to make a transaction online, I have to first log on to my account with userID and password, and then as the second step, before I can execute a transaction, I have to enter a TAN from the list (one for each transaction, on the confirmation page before the transaction is executed). If I enter a TAN that is not on my list or was used previously, I get a warning, and after three wrong TAN entries in a row, my account gets locked. If I'm about to use the last TANs on my list (they can be used in any random order I like), the bank sends me a new list.

"This simple system amends the classic userID and password to get higher security by combining it with the physical possession of a 'device' and the information contained therein, i.e., the list of TANs. A keystroke logger would get somebody into my account, but they could not move any money around without breaking into my home and stealing the list. The bank also offers a chip card that meets the German legal requirements to create legally binding electronic signatures if I wanted even more protection by a more sophisticated physical device (requires a chip card reader at the PC)."
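The printed TAN list that both the Netherlands reader (third option above) and the German reader describe is simple enough to sketch end to end. The following is an added example written for this column, not code from any of the banks mentioned: it generates a sheet of six-digit TANs, keeps only salted hashes on the server side, retires each TAN after a single successful transaction, locks the account after three consecutive wrong entries, and flags when the sheet is nearly used up so a new one can be mailed. The list size, the lockout threshold of three, and the reorder threshold of five remaining TANs are assumptions chosen to match the reader's description; the class and function names are mine.

```python
"""Paper TAN list, server side (added illustration; not any bank's real code).

Flow assumed from the reader's description:
  1. customer logs on with userID + password (not modelled here)
  2. on the confirmation page the customer types one unused TAN
  3. a TAN works exactly once; unknown or already-used TANs count as failures
  4. three failures in a row lock the account; a success resets the counter
  5. when only a few TANs remain, a new sheet is printed and mailed
"""
import hashlib
import secrets

TAN_LIST_SIZE = 50        # assumption: TANs printed per sheet
LOCK_AFTER_FAILURES = 3   # "after three wrong TAN entries in a row"
REORDER_WHEN_LEFT = 5     # assumption: mail a new sheet at this point


def generate_tan_list(n=TAN_LIST_SIZE):
    """Return n distinct six-digit TANs: this is what gets printed and mailed.

    secrets.randbelow is a CSPRNG; random.randint would be guessable.
    The sheet may be used in any order, so the order returned is irrelevant.
    """
    tans = set()
    while len(tans) < n:
        tans.add(f"{secrets.randbelow(1_000_000):06d}")
    return sorted(tans)


def _digest(tan, salt):
    # A 6-digit space is tiny, so a salt stops one rainbow table covering
    # every customer; the real defence against guessing is the lockout.
    return hashlib.sha256(salt + tan.encode()).hexdigest()


class TanAccount:
    """Server-side state for one customer's current TAN sheet."""

    def __init__(self, tans):
        self.salt = secrets.token_bytes(16)
        # Only hashes of unused TANs are stored; plaintext exists on paper only,
        # so a database dump does not yield usable TANs directly.
        self.unused = {_digest(t, self.salt) for t in tans}
        self.failures = 0
        self.locked = False

    def remaining(self):
        return len(self.unused)

    def needs_new_list(self):
        return self.remaining() <= REORDER_WHEN_LEFT

    def authorize(self, tan):
        """Second step of a transaction. Returns 'ok', 'invalid' or 'locked'."""
        if self.locked:
            return "locked"
        d = _digest(tan.strip(), self.salt)
        if d not in self.unused:            # never issued, or already spent
            self.failures += 1
            if self.failures >= LOCK_AFTER_FAILURES:
                self.locked = True          # needs manual unlock by the bank
                return "locked"
            return "invalid"
        self.unused.remove(d)               # one TAN, one transaction: no replay
        self.failures = 0                   # counter is "in a row", so reset
        return "ok"


if __name__ == "__main__":
    sheet = generate_tan_list(8)            # small sheet for the demo
    acct = TanAccount(sheet)
    print("mailed sheet:", sheet)
    print("first use   :", acct.authorize(sheet[0]))   # ok
    print("replay      :", acct.authorize(sheet[0]))   # invalid
    print("remaining   :", acct.remaining(), "reorder?", acct.needs_new_list())
```

Two things the code makes visible that the reader's description leaves implicit: the three-strike lockout is what makes six digits adequate (with the password already known, an attacker gets three guesses against roughly 50 valid values out of a million), and the server never needs the TANs in clear, only their hashes, which is why a sheet can be printed once and then forgotten by the bank's systems.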

As you can imagine, I had a few security vendors contact me about their solutions. One that I find quite interesting is a software-only approach by the French company NTX research. The company specializes in security for e-business and banking, using a unique two-factor authentication that is 100% software. NTX research has patented what it calls X.COD technology, which uses confidential codes that aren't stored anywhere, making them hard to hack and easy to deploy. Even companies using the Web for e-commerce can use this technology to secure transactions by brand new customers, with little configuration required on the user's part.

So it seems there are numerous ways to improve the security of online banking or e-commerce without adding significant cost or complexity. Now let's get out there and deploy them!

Linda Musthaler is vice president of Currid & Company.  You can write to her at mailto:Linda.Musthaler@currid.com

Learn more about this topic

Please could we have two-step authentication for e-commerce

Network World, 05/02/05

NTX research

Energy firm earns net award

Network World, 05/16/05

Copyright © 2005 IDG Communications, Inc.
