ClairMail Delivers Major Breakthrough in Online Banking Security (press release)


While this is overkill for logging in, this type of out-of-band authorisation is relevant for periodic second-factor authentication, or for high-value transactions. A customer logs on as usual with her username and password (the first factor); at logon, the ClairMail system automatically sends a time-expiring, one-time-PIN (OTP) to the customer’s mobile phone (the second factor) and the customer enters the OTP while online to validate the session. Source: ClairMail Delivers Major Breakthrough in Online Banking Security

Alliance & Leicester Customers Embrace Adaptive Authentication Delivered by RSA, The Security Division of EMC


In the first survey that I have seen since the implementations of Passmark, Alliance customers confirm the validity of the Alliance approach in a positive way. In a recent customer satisfaction survey of 10,000 online banking users conducted by Alliance & Leicester, 90% rated the security measures provided by the bank as good or excellent. In addition, 92% of respondents stated that they clearly understand the purpose of the new authentication system, and 83% confirmed that they would not enter their PIN into the Alliance & Leicester website without their phrase and image being displayed. Alliance & Leicester now has almost …

Hackers Zero In on Online Stock Accounts – washingtonpost.com


It’s official … online brokerage is the new target for the Eastern European crime gangs. Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities. E-Trade Financial Corp., the nation’s fourth-largest online broker, said last week that “concerted rings” in Eastern Europe and Thailand caused their customers $18 million in losses in the third quarter alone. Source: Hackers Zero In on Online Stock Accounts – washingtonpost.com The broker industry had been asleep …

Javelin | Will The FFIEC Mandate Change Identity Fraud?


This is a great question asked at Javelin. The issue is the regulatory bodies’ push for two-factor authentication, and what impact that will have on phishing and identity theft. It’s a good question, because it’s inherently wrong for a regulatory body to define a solution (two factor) when in fact what they mean is “solve identity theft”. Of course that would be too broad, but that is the real question. It’s worth noting that FFIEC were deliberately open about the solution, mentioning the inadequacy of single factor, but it’s largely banks’ interpretation of the rules that landed us on two …

Banks wary of two-factor model using tokens


Here is a follow-up to an opinion we voiced about the adequacy of two factor here, here, Citi tokens defeated here, and we questioned Barclays’ use of tokens here. Just to be clear. The issue is not two factor authentication; the model that adds additional customer verification questions. Two factor using tokens is the debate, and I am on the side of Alliance and Leicester and Egg, here. More UK banks have expressed concerns over industry plans for a standard card reader to be used for authenticating online banking transactions. Industry body Apacs is leading development of a standard model …

BankNet 360 – Japanese Bank Rings in Mobile Banking


What struck me here as interesting is that the Yahoo username and password provides access to account information. I cannot imagine our information security people permitting that, and for good reason. I can see enormous phishing potential ramping up against Net Bank. Tokyo-based Japan Net Bank is offering its customers cell phone banking services through a partnership with new investor Yahoo! Japan. The announcement follows news earlier this week that Yahoo! had acquired a 40% stake in the bank for $218 million. Accountholders can use their Yahoo usernames and passwords to access their accounts. Source: BankNet 360 – Japanese Bank …

Bank of America top Identity Safety scorecard | Javelin


Javelin release their annual Banking Identity Safety Scorecard that rates 24 of the top US financial institutions. The report goes on to recommend additional measures banks could use, and account alerts top the list. One way to improve prevention and detection is through alerts. Banks could let customers set up e-mail or cell phone text message alerts, for example, Javelin Strategy & Research said. Another way could be to promote online account monitoring and advanced protection against phishing scams that seek to trick people into giving up account details, the research firm said. Source: Banks rated for ID theft | …

Bobsguide – Increase in online banking popularity in US, and UK, but differences remain


I am intrigued by the differences in consumer acceptance on each side of the Atlantic. To what extent are those differences grounded in culture, or security methods, or some other factor? 7 September 2006: Online banking is gaining in popularity in both the US and the UK, although visiting a branch is still the preferred option for many, the latest research suggests. According to a survey carried out by UK-based Lloyds TSB, over half (54 per cent) of British banking customers prefer banking online to visiting a branch, with the desire for privacy and discretion concerning banking issues cited …

Two factor authentication is not enough


Chris Skinner does a great job in this article of describing the challenges facing banks, and validates the points we have discussed about the importance of following customers’ patterns. … the result is five-factor authentication for online and offline banking services. The five factors being: something you have, such as a card, a key or a radio frequency chip; something you know, such as a PIN, a password or an answer to a unique question; something you are, such as your unique way of signing or your voiceprint; your behaviours, based upon your usual transactions and whether this transaction fits …

Payments News: FFIEC Internet Banking Guidance: Banks Begin to Show Their Hands


Courtesy of PaymentNews, here is their review of FFIEC Internet Banking security guidance to date. It’s notable the mix of solutions, and that the large banks have multiple solutions to address risk management, as well as specific authentication mechanisms, such as RSA tokens, or RSA/Passmark.

Table 1 – Publicly Announced Implementations in response to FFIEC Guidance on Internet Banking

Bank | Date, Component | Source, Vendor
Wells Fargo – Jim Smith, EVP, Internet Channel and Products: “No one solution can solve the problem; we favor a layered security approach” | 8/28/06 | WFB Press Release
 | Real Time Risk Analysis | Bharosa
 | Integrated Data | Quova
 | Transaction and …