Securing beyond two-factor authentication

By Victoria Ho, ZDNet Asia
Wednesday, January 09, 2008 05:40 PM

SINGAPORE--One of the biggest challenges in Internet banking is finding the balance between security and convenience, said an Oracle executive.

Hosting a media roundtable here Wednesday, Roman Tuma, Oracle's regional director for security and identity management solutions, noted that consumers do recognize two-factor authentication--through a hardware token--is a necessary security layer. However, most find it troublesome and are shunning online banking because of the added inconvenience, he said.

Detailing figures from an IDC Financial Insights survey published in October 2007, Tuma said 82 percent of consumers surveyed understood the purpose of bank-issued tokens. However, 74.3 percent said the token was "troublesome" and as a result, some 38 percent said they used online banking less often.

Beyond issues about the added inconvenience, Tuma noted that two-factor technology does not provide a sufficient security level.

"With Internet banking, once you pass the login page, the site trusts you. But the world is looking for something more," he said.

Tuma explained that monitoring a customer's transaction behavior after he has logged in, is the next level of security that banks need to implement.

User activity is measured against factors such as the customer's location, the type of device used, and unusual activity. The information is then logged and sent to network administrators if alarm bells need to be triggered.

Other forms of authentication banks should deploy include adding extra layers of security on top of existing login pages. These could complement methods such as preventing mouseclick logging by randomizing the placement of the login box, Tuma said.

In Singapore, two-factor authentication use has been mandated by the Monetary Authority of Singapore (MAS) since December 2006.


WORTHWHILE?

0

0 votes
Blog

Talkback 1 comments

Full disclosure-Klint Borozan is a SVP for Positive Networks

The article discussing two factor authentication is entirely accurate in its perception of risk and process when tokens are in the hands of banking/financial end users. The call for two factor authentication at login is paramount. However, even more important, the described case where the site trusts you once inside is also the case. A solution recently released called Phonefactor, allows for token-less two factor authentication at login, and can be used to also integrate a transactional verification over the structurally separate cellular network, requiring a pin identity to be entered. The structural separation transcends risk of identity, and by definition notifies someone immediately that a transaction under their identity is in progress. Thus, giving an individual a real time opportunity to issue a Phonefactor generated fraud alert. The key benefits of this process are as follows: the extremely simple way to implement two factor authentication in web banking, its tokenless so it costs less and is less complicated for the millions of non technical users that require 2 factor, and can be implemented at the application level versus putting a token in the hands of the masses and puts the risk of loss of the asset in the hands of the consumer.
Posted by Klint Borozan on Thursday, January 10 2008 12:19 AM


Tech Jobs Now!

Search for your ideal tech job:

Hands-on programming: Extract plain text from documents with Syncfusion's components

Web Development

Justin James recently tried Syncfusion's Essential DocIO and Essential PDF to help him extract text from documents he downloaded from the Internet. Here's the code he wrote to get the plain text.


Read more »



Will technology divide us further?

Blog thumbnail

So I finally watched 2012 over the weekend, but the film left me feeling extremely agitated.

The possibility that the world may meet its watery end in three years didn't..... by Eileen Yu

Read more »

Tags

  1. attack
  2. authentication and encryption
  3. blog
  4. data security
  5. e - mail
  6. hacking
  7. internet
  8. malware
  9. microsoft corp.
  10. network
  11. network security
  12. pc security
  13. researcher
  14. security
  15. security management
  16. software
  17. spam and phishing
  18. symantec corp.
  19. viruses and worms
  20. web