As a followup to my post last week on strong authentication, I sent an email to each of the Big 5 Canadian banks. I was curious as to what options there were for obtaining some type of multi-factor authentication solution.
My question was: “I’m considering opening an account with your bank, and I would like to use features such as bill payment and funds transfers using web banking. However, a password protected web banking site does not provide the same protection as strong (2-factor) authentication. Is your bank looking at strong authentication options as a potential future enhancement to web banking?”
(The responses have been anonymized, but are otherwise verbatim.)
Bank 1 Response:
In regards to strong two factor authentication, we use three factors: the 13-digit Access Card number, the 5 to 8 alphanumeric password and the question and answer challenges previously registered with our site.
Please be assured that our web banking is a fully secure site, and your account information is protected by a number of different security protocols.
Bank 1 also provided links to FAQs, their reimbursement guarantee and descriptions of site security features (e.g. encryption, monitoring, etc.) Note their use of the phrase ‘fully secure’.
Bank 2 Response
We are currently in the process of introducing a new service as an added enhancement to our online security. This is a variation on two factor authentication, which in combination with our online guarantee, provides protection that exceeds industry standard.
The new service prompts for five secret questions and answers. It then needs to know if you are on a computer that you regularly use. If you say ‘yes’, it grabs a ‘unique identifier’ for that computer. You can specify more than one PC. If you login from somewhere other than your identified computers, it prompts you for the answer to one of your previously supplied questions.
Bank 2 also provided a link to other security measures and to their qualified guarantee.
Bank 3 Response
… furthering our commitment to protect your accounts from unauthorized access and fraud, an enhanced login to web banking has been introduced. These enhancements include multi factor authentication questions that add an additional level of protection, ensuring that your accounts cannot be accessed by an unauthorized third party.
All customers are now required to enrol in the enhanced login.
As with the others, Bank 3 provides a guarantee and links to other security measures.
Well, it is clear that the representatives from these three banks do not understand strong authentication.
In each case, they have indicated that adding a second ‘something you know’ to the authentication process is a meaningful improvement. While this is better than a password alone, it does not address the issue of losing control of one’s bank account with the escape of shared secrets. Only by selecting two different factors (e.g. something you know — a password — and something you possess — perhaps a fob) can the authentication strength be significantly increased. This is standard knowledge in our industry…
Two of the three did indicate that monitoring was part of their security solutions. Intrusion dection systems certainly can detect fraud when transactions occur outside the user’s normal spending patterns. While on vacation a few years ago, I found that my credit card didn’t work — the company had blocked it when I started using it in a different country. This was outside my normal pattern of use. I assume that banks have similar setups with web banking transactions, but I’m a bit skeptical as to how well they would work.
For example, would monitoring prevent an external account being setup to transfer funds? That is something I have done in the past, and I do regularly move money between accounts using web banking. How would a monitoring solution know it was me vs someone who just knew my password and/or secrets?
But the most bothersome thing for me is the ‘guarantee’. While there are a number of qualifiers to these guarantees, it is clear that the bank is going to refund your money if you are phished/hacked. But… where does that money come from? Well, directly from the bank’s customers in the form of increased borrowing costs, credit card fees and account service fees…
Implementing stronger security, such as that offered by strong, multi-factor authentication, is likely a more cost effective and efficient way of dealing with the issue of unauthorized online bank account access. And isn’t this what all banks require for their physical-world bank machines today — that is, don’t we have to provide a PIN (something we know) along with a bank card (something we possess) in order to access our money? A strange contradiction, one that is worth questioning as we move more and more of our personal business onto the Internet…