Westpac: SMS authentication doesn't help security

By Liam Tung, ZDNet Australia
Tuesday, October 30, 2007 11:34 AM

SMS-based two factor authentication has been touted as a way of improving online banking security but Westpac's head of information security disagrees.

The National Australia Bank, Commonwealth Bank and HSBC currently offer their customers SMS-based two factor authentication--where customers receive a one-time password on their mobile phones, which is used to verify a transaction. It seems Westpac is unlikely to go down the same path.

Rather than being about security, SMS-based authentication in its current form is more about consumers' perceived level of safety, said Westpac's head of information security, Matthew Woodrow, at a Financial Times event called Securing the Bank, which was held in Sydney last week.

"It's not to do with security at all...consumers have expectations of security levels while using their mobile phones to do their banking. So you're not thinking about security at all, but you're thinking about the product and what consumers want," said Woodrow.

Besides Westpac, St George, SunCorp and ANZ have also held back from adopting SMS-based verification systems for their customers.

One reason why some banks have resisted the adoption of token- or SMS-based authentication could be the emerging Europay, MasterCard and Visa (EMV) standard, which is tied to the release of contactless smartcards, according to James Turner, security analyst at Intelligent Business Research Services.

"Once EMV standards are accepted, Internet banking is going to move into that," said Turner.

While a token-based system is considered too expensive and complicated to be worth implementing for consumers, technology and standards flux should not prevent the adoption of SMS-based authentication as a temporary security measure, said Turner.

"No system the banks roll out will be foolproof, but we can't sit on our hands and do nothing. [SMS authentication] is much more straightforward to deploy than physical tokens--and mobile phone penetration is massive. Also, the majority of people understand how to use SMS. From my perspective it's an elegant solution," said Turner.

A distinction should be made between SMS-based transaction authentication and SMS-based authentication for logging in, said Turner. Transaction-based authentication only occurs when a transaction is made, so if someone has hacked into a person's account, that transaction will only proceed if the account holder responds to the SMS issued by the bank.

"If I'm out at a cafe and receive an SMS from my bank, and I know that I have not made that transaction, it doesn't go ahead. So even if the password has been compromised, they can't make the transaction."
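To make the distinction Turner draws concrete, the following is an added example of a one-time code that is bound to the transaction details, not code from Westpac, NAB or any bank named in this article. The design choices are assumptions for illustration: an HMAC-SHA256 over the transaction fields, a five-minute lifetime, single use and a three-attempt limit. The point it shows is that a code issued for one payee and amount is rejected if the transaction the bank is later asked to execute differs from the one the customer saw in the SMS, which is exactly the property a login-only OTP lacks.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Transaction:
    """The details the customer is shown in the SMS and asked to approve."""
    from_account: str
    payee: str
    amount_cents: int


@dataclass(frozen=True)
class Challenge:
    txn_id: str
    code: str        # in a real deployment this value leaves the bank only inside the SMS
    sms_text: str


@dataclass
class _Pending:
    expires_at: float
    failures: int = 0


class TransactionOtpService:
    """Issues one-time codes bound to a specific transaction (illustrative design, assumed)."""

    MAX_FAILURES = 3   # assumed limit; stops online guessing of the six-digit code

    def __init__(self, server_secret: bytes, ttl_seconds: int = 300,
                 now: Callable[[], float] = time.time) -> None:
        self._secret = server_secret
        self._ttl = ttl_seconds
        self._now = now                      # injectable clock so expiry can be tested
        self._pending: Dict[str, _Pending] = {}

    def _derive_code(self, txn_id: str, txn: Transaction) -> str:
        # Every field the customer approves goes into the HMAC, so the code
        # cannot be replayed against a different payee or amount.
        msg = f"{txn_id}|{txn.from_account}|{txn.payee}|{txn.amount_cents}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, txn: Transaction) -> Challenge:
        txn_id = secrets.token_hex(8)
        code = self._derive_code(txn_id, txn)
        self._pending[txn_id] = _Pending(expires_at=self._now() + self._ttl)
        sms = (f"Confirm payment of ${txn.amount_cents / 100:,.2f} to {txn.payee} "
               f"from {txn.from_account}. Code: {code}. "
               f"If you did not request this, do not enter the code.")
        return Challenge(txn_id, code, sms)

    def confirm(self, txn_id: str, txn: Transaction, code: str) -> bool:
        """Return True only for a fresh, unused code that matches these exact details."""
        pending = self._pending.get(txn_id)
        if pending is None:
            return False                     # unknown, already used, or locked out
        if self._now() > pending.expires_at:
            del self._pending[txn_id]
            return False                     # expired
        expected = self._derive_code(txn_id, txn)
        if not hmac.compare_digest(expected, code):
            pending.failures += 1            # wrong code, or details changed since issue
            if pending.failures >= self.MAX_FAILURES:
                del self._pending[txn_id]
            return False
        del self._pending[txn_id]            # single use
        return True


if __name__ == "__main__":
    svc = TransactionOtpService(b"server-secret-from-hsm")
    original = Transaction("12-3456-7890", "Alice Example", 25000)   # constructed sample
    challenge = svc.issue(original)
    print(challenge.sms_text)
    # An attacker who altered the payee after the customer approved the SMS fails:
    tampered = Transaction("12-3456-7890", "Mallory", 25000)
    print("tampered accepted:", svc.confirm(challenge.txn_id, tampered, challenge.code))
    print("original accepted:", svc.confirm(challenge.txn_id, original, challenge.code))
```

The guarantee rests on two things the code cannot supply: the SMS reaching only the customer's handset, and the customer actually reading the payee and amount before entering the code. A code delivered at login, derived from nothing but the session, would verify for whatever transaction followed it; the transaction-bound form above is what lets the customer at the cafe refuse a payment they did not make.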

Ray Stanton, BT's global head of business continuity, security and governance, said while two-factor authentication is "not for everyone", the issue is wrapped up in consumer confidence.

"If a bank wants to maintain credibility, then it has to do everything to maintain my confidence," Stanton told ZDNet Asia's sister site ZDNet Australia.

Talkback

I work in the security field and this article did its best to confuse me. It begins with a headline discussing SMS authentication, and then discusses SMS transaction verification. They are different things, to be used in different circumstances.

It seems that the author is confused. Mr. Turner, interviewed in the article, even clarified this point - "A distinction should be made between SMS-based transaction authentication and that for logging in" - and the author still managed to get it mixed up.

But I can forgive that, authentication/transaction verification is a specialist area and probably best commented on by people with some understanding of the issues.

However, the telling point for me is that the quote from Mr. Woodrow actually says nothing about SMS authentication / transaction verification not helping security. He says that SMS authentication / transaction verification is able to increase a user's perceived level of safety. Which makes sense, as it makes users safer. One of the beautiful things about SMS authentication / transaction verification is that it is transparent enough for a user to see why it secures them.

So take the assertions in this article with a grain of salt. I suspect the entire article was written to support a sensationalist headline.
Posted by Dean Spaccavento on Wednesday, October 31 2007 06:29 AM
