SINGAPORE--One of the biggest challenges in Internet banking is finding the balance between security and convenience, said an Oracle executive.
Hosting a media roundtable here Wednesday, Roman Tuma, Oracle's regional director for security and identity management solutions, noted that consumers do recognize two-factor authentication--through a hardware token--is a necessary security layer. However, most find it troublesome and are shunning online banking because of the added inconvenience, he said.
Detailing figures from an IDC Financial Insights survey published in October 2007, Tuma said 82 percent of consumers surveyed understood the purpose of bank-issued tokens. However, 74.3 percent said the token was "troublesome" and as a result, some 38 percent said they used online banking less often.
Beyond issues about the added inconvenience, Tuma noted that two-factor technology does not provide a sufficient security level.
"With Internet banking, once you pass the login page, the site trusts you. But the world is looking for something more," he said.
Tuma explained that monitoring a customer's transaction behavior after he has logged in, is the next level of security that banks need to implement.
User activity is measured against factors such as the customer's location, the type of device used, and unusual activity. The information is then logged and sent to network administrators if alarm bells need to be triggered.
Other forms of authentication banks should deploy include adding extra layers of security on top of existing login pages. These could complement methods such as preventing mouseclick logging by randomizing the placement of the login box, Tuma said.
In Singapore, two-factor authentication use has been mandated by the Monetary Authority of Singapore (MAS) since December 2006.
Play video
Full disclosure-Klint Borozan is a SVP for Positive Networks
The article discussing two factor authentication is entirely accurate in its perception of risk and process when tokens are in the hands of banking/financial end users. The call for two factor authentication at login is paramount. However, even more important, the described case where the site trusts you once inside is also the case. A solution recently released called Phonefactor, allows for token-less two factor authentication at login, and can be used to also integrate a transactional verification over the structurally separate cellular network, requiring a pin identity to be entered. The structural separation transcends risk of identity, and by definition notifies someone immediately that a transaction under their identity is in progress. Thus, giving an individual a real time opportunity to issue a Phonefactor generated fraud alert. The key benefits of this process are as follows: the extremely simple way to implement two factor authentication in web banking, its tokenless so it costs less and is less complicated for the millions of non technical users that require 2 factor, and can be implemented at the application level versus putting a token in the hands of the masses and puts the risk of loss of the asset in the hands of the consumer.
Posted by Klint Borozan on Thursday, January 10 2008 12:19 AM