Good article at silicon.com on two-factor authentication. All banks are underway with something in this space at the moment, but the article correctly asks whether this will be adequate. Of course the answer is no, it will not be adequate. It's essential as the next step, but additional steps will be required.
Barclays recently announced it is stepping up its fight against fraudsters by using technology to check that each customer's spending behaviour matches his or her profile.
First, let's look at what banks are using:
Two-factor software that will, to differing degrees, analyse aspects of the customer's "state" (their PC, their connection, their usage patterns, etc.) so that the bank can determine whether this is in fact the right user for that banking relationship.
- Cyota (Barclays announced use of them)
- Passmark
- Digital Resolve
Physical hardware, to authenticate online banking customers with "something they have"
- RSA tokens
- Vasco tokens
ATM security, to protect against PIN and card data theft
- ATM anti-skimming devices being added to ATMs.
The silicon.com article goes on …
But will two-factor be a success? The technology has its strengths and weaknesses but as it has not yet been tested on a wide scale, it's too soon to tell.
This is the right question, because the criminals will be moving ahead, some examples already exist, and it's unclear how the current suite of two-factor systems will address these evolving methods.
A leading security expert in the US has criticised the use of two-factor authentication. Last year Bruce Schneier, CTO of Counterpane, said it fails to address today's problems today. Fraudsters, he explained, will still be able to use the 'man in the middle attack', where phishers set up dummy websites to intercept single-use passcodes, or use malware to piggyback on a session once a user logs into their account. More than a year ago, security company MessageLabs encountered a piece of malware that did this.
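The relay weakness the quoted paragraph describes, as an added illustration (not code from the Bankwatch post or silicon.com): a toy bank verifies a counter-based one-time passcode and, for comparison, a code that also covers the payee and amount the customer approves, a binding step the post itself does not discuss. The secret, counter, payee names and amounts are constructed.

```python
import hashlib
import hmac

SHARED_SECRET = b"constructed-demo-secret"  # constructed; provisioned to the customer's token


def _truncate(digest: bytes) -> str:
    """Six-digit code from the first four bytes of an HMAC digest."""
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def login_otp(counter: int, secret: bytes = SHARED_SECRET) -> str:
    """Counter-based one-time passcode; depends only on the secret and counter."""
    return _truncate(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def bank_accepts_login(submitted: str, counter: int) -> bool:
    """The bank checks only the code value. Whether the customer typed it into
    the genuine site or a dummy site that forwards it is invisible here."""
    return hmac.compare_digest(submitted, login_otp(counter))


def transaction_code(counter: int, payee: str, amount: int, secret: bytes = SHARED_SECRET) -> str:
    """Code that also covers the payee and amount shown to the customer."""
    msg = counter.to_bytes(8, "big") + f"{payee}|{amount}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts_transaction(submitted: str, counter: int, payee: str, amount: int) -> bool:
    """Recomputes the code over the transaction the bank is asked to execute."""
    return hmac.compare_digest(submitted, transaction_code(counter, payee, amount))


def relay_scenario():
    """Customer types into a dummy site, which forwards everything to the real bank."""
    counter = 42
    # A login passcode forwarded unchanged verifies: nothing ties it to the site.
    login_relayed = bank_accepts_login(login_otp(counter), counter)
    # A transaction code approved for the payment the customer actually sees ...
    approved = transaction_code(counter, payee="ACME Utilities", amount=120)
    # ... fails if the intermediary submits it for a different payee or amount,
    diverted = bank_accepts_transaction(approved, counter, "Other Account", 4900)
    # and still works for the genuine transaction.
    genuine = bank_accepts_transaction(approved, counter, "ACME Utilities", 120)
    return login_relayed, diverted, genuine


if __name__ == "__main__":
    print(relay_scenario())  # (True, False, True)
```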
So, we have some way to go on this journey. Unfortunately the legislative approach adopted in the US, whereby banks are required to adopt two-factor authentication, makes the situation worse by suggesting the government has the answer, whereas clearly no one does. We need greater effort to get ahead of the criminals, and that's where government and business need to focus their efforts.
Relevance to Bankwatch:
Customer confidence and reputational risk are at stake, and a portfolio mix of efforts, including education and software, is required to ensure the safety of banks' and customers' information. Chip will help, but should not be held out as the complete answer, because criminals will be working on creative workarounds.
