Welcome to the SecAware blog

I spy with my beady eye ...

16 Nov 2006

Online banks vs users

A well-researched and well-written article on online banking user authentication surveys the range of authentication methods being used or trialled at a number of primarily US banks. The FFIEC guidance was widely expected to push US banks into issuing tokens to their customers for user authentication by the end of this year, but customers are proving resistant to the technology and want an easier way to authenticate to the bank. The reverse problem, the bank authenticating itself to the customer so that a phishing site can be told apart from the real thing, merits a brief mention too.

User authentication is crucial to accountability: a customer cannot reasonably be held accountable for dubious transactions on their bank account if the bank cannot prove that it was the customer, rather than 'someone else' (normally a fraudster), who logged in and submitted or authorized the transactions.

The article discusses device authentication as well as user authentication, in other words 'fingerprinting' customers' PCs so that the bank can recognise the machines they normally use. Not surprisingly, it barely touches on the back-end anti-fraud systems banks use to spot unusual customer activity that might be symptomatic of a fraud in progress. Those details are proprietary to each bank (which limits the amount of information sharing between banks) and closely guarded secrets (to avoid tipping off the very fraudsters they are designed to trap).
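To make the two ideas concrete, here is a toy risk engine in Python, added for this post and not taken from the article or from any bank's system. It shows how a device fingerprint (a hash of attributes the browser reports) can be combined with simple back-end activity checks (new payee, amount far outside the customer's history) to decide whether a transaction is allowed, queued for review, or forced through step-up authentication. The attribute list, the weights and thresholds, and the customer data are all constructed assumptions for the illustration.

```python
import hashlib
from dataclasses import dataclass
from statistics import mean, pstdev

# Client attributes a banking site might collect from the browser.
# The attribute list is an assumption for this example, not a bank's real scheme.
FINGERPRINT_KEYS = ("user_agent", "screen", "timezone", "languages", "plugins")


def device_fingerprint(attrs: dict) -> str:
    """Reduce the reported client attributes to an opaque, stable identifier."""
    material = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_KEYS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


@dataclass
class CustomerProfile:
    """What the back end already knows about a customer's normal behaviour."""
    known_devices: set   # fingerprints of machines seen on prior successful logins
    known_payees: set    # accounts the customer has paid before
    past_amounts: list   # amounts of recent outgoing payments


# Weights and thresholds are illustrative assumptions.
RISK_NEW_DEVICE = 40
RISK_NEW_PAYEE = 25
RISK_OUTLIER_AMOUNT = 35
STEP_UP_AT = 60   # demand a second factor or out-of-band confirmation
REVIEW_AT = 25    # let it through but queue for the fraud team


def score_transaction(profile: CustomerProfile, client_attrs: dict, txn: dict):
    """Combine device recognition with activity checks; return (score, reasons)."""
    score, reasons = 0, []
    if device_fingerprint(client_attrs) not in profile.known_devices:
        score += RISK_NEW_DEVICE
        reasons.append("unrecognised device")
    if txn["payee"] not in profile.known_payees:
        score += RISK_NEW_PAYEE
        reasons.append("new payee")
    # Only judge the amount once there is enough history to estimate 'normal'.
    if len(profile.past_amounts) >= 5:
        mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
        if txn["amount"] > mu + 3 * max(sigma, 1.0):
            score += RISK_OUTLIER_AMOUNT
            reasons.append("amount far above customer's norm")
    return score, reasons


def decide(score: int) -> str:
    if score >= STEP_UP_AT:
        return "step-up"
    if score >= REVIEW_AT:
        return "review"
    return "allow"


def run_example() -> dict:
    """Constructed sample data: one customer, one usual PC, three attempted payments."""
    usual_pc = {"user_agent": "Mozilla/5.0 (Windows NT 5.1) Firefox/2.0",
                "screen": "1280x1024", "timezone": "-300",
                "languages": "en-US", "plugins": "Flash,Java"}
    other_pc = dict(usual_pc, user_agent="Mozilla/5.0 (Linux) Firefox/2.0", timezone="180")
    profile = CustomerProfile(
        known_devices={device_fingerprint(usual_pc)},
        known_payees={"landlord", "electricity"},
        past_amounts=[120, 80, 150, 95, 110, 130],
    )
    attempts = {
        "routine rent": (usual_pc, {"payee": "landlord", "amount": 100}),
        "new payee, usual PC": (usual_pc, {"payee": "bookshop", "amount": 45}),
        "strange PC, new payee, big amount": (other_pc, {"payee": "mule-account", "amount": 2500}),
    }
    results = {}
    for label, (attrs, txn) in attempts.items():
        score, reasons = score_transaction(profile, attrs, txn)
        results[label] = (decide(score), score, reasons)
    return results


if __name__ == "__main__":
    for label, (verdict, score, reasons) in run_example().items():
        print(f"{label}: {verdict} (score {score}; {', '.join(reasons) or 'nothing unusual'})")
```

Two caveats a practitioner would add: a browser fingerprint drifts with every software update and can be replayed by malware running on the customer's own PC, so it recognises a machine only weakly and should never count as a factor on its own; and the weights above are invented, which is exactly the part the banks keep proprietary.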

More accountability and authentication links
