Australian banks reject token security

01.03.2005
By Michael Crawford

Australian banks have rejected two-factor authentication such as hardware tokens, despite new research showing that users who have lost faith in online banking are returning to traditional banking channels.

Research by Forrester shows that 14 percent of US-based consumers have lost confidence in conducting transactions online because of security threats such as Trojans, worms, keyloggers and phishing attacks.

But financial firms in Australia claim the figures do not apply to the local market.

HSBC e-commerce director Jeff Cook said customers have so far been unfazed by the security issues that come with online banking, and that introducing token-based authentication might actually create more problems.

"Customers could end up with numerous tokens because they have different accounts," Cook said.

"There have been suggestions put forward for a federated model, but there are challenges in getting the industry to move forward together; instead they are authenticated to a third party so consumers have one token rather than a massive key ring. I cannot see a competitive advantage in offering a token, and if there was one it would be taken away by a fast follower.

"We were the first in market to offer second-tier authentication and have piloted numerous two-factor identification methods. In Singapore we use SMS and Brazil uses token-based authentication, but within the group we like to see what the industry is doing in an effort to make sure we have the best solution for the consumer rather than the bank."

Cook said the "floating keyboard" approach currently used by HSBC for account access (an on-screen keyboard operated with the mouse, so that the secret is never typed for a keystroke logger to capture) is adequate for consumers' security needs, adding that the bank would harden its security in stages before considering tokens.

Ross Murray, senior manager of online solutions at Bendigo Bank, said the bank has offered security tokens to customers since August last year, but cannot say exactly how much fraud the tokens have prevented.

Murray said the tokens give customers more protection than the floating keyboard approach.

"There are keyloggers kicking around called screen loggers which match what a user is seeing; in fact some technicians have pulled some apart and found some fairly sophisticated code with a good compression algorithm, which seems to be organized and professional," he said.

RSA Security consumer authentication vice president Chris Young said using tokens would protect not only end users but the banks themselves.

"It is a symbiotic relationship; the problem you see in both the enterprise and consumer space is that everyone recognizes that passwords are insecure," Young said.

"As more users have more online accounts to manage they end up having a password overload - users are forced into using a simplified version of a password to share it across multiple sites and you end up using a less-secure password.

"With so many 'high speed' options that give a user freedom and power, you need 'super' controls to protect the assets of a firm and the end user."
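The security argument running through the article is that a keylogger or screen logger can harvest a static password (or a floating-keyboard entry) and replay it, whereas a code from a one-time token is useless once it has been used. The following added example, which is not code from the article or from any of the banks or vendors quoted, shows why: it implements the HMAC-based one-time password construction of RFC 4226 (the counter-based scheme used by event-driven hardware tokens) and a server-side verifier that refuses to accept a counter it has already seen. The secret is the RFC 4226 sample key, chosen only so the codes can be checked against the published test vectors; the look-ahead window of 5 and the `replay_demo` scenario are assumptions of this example.

```python
import hashlib
import hmac
import struct

# RFC 4226 sample key (ASCII "12345678901234567890"), used here so the
# generated codes match the published test vectors. A real token would be
# provisioned with a random per-device secret shared only with the bank.
DEVICE_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a given counter value (RFC 4226 HOTP).

    HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, then reduced to the requested number of decimal digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Bank-side check for one customer's token.

    Remembers the highest counter already accepted so that a code captured by
    a keylogger cannot be submitted a second time. The look-ahead window
    (assumed: 5) tolerates a customer pressing the button without logging in.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1  # nothing accepted yet

    def verify(self, submitted: str) -> bool:
        # Only counters strictly after the last accepted one are candidates.
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter  # burn this and all earlier codes
                return True
        return False


def replay_demo() -> dict:
    """Constructed scenario: a keylogger records the customer's first code
    and the attacker replays it; the customer's next press still works."""
    verifier = TokenVerifier(DEVICE_SECRET)
    captured = hotp(DEVICE_SECRET, 0)        # customer presses the token, logger sees it
    first_login = verifier.verify(captured)  # legitimate login succeeds
    replayed = verifier.verify(captured)     # attacker replays the captured code
    next_login = verifier.verify(hotp(DEVICE_SECRET, 1))  # customer's next code
    return {"first_login": first_login, "replayed": replayed, "next_login": next_login}


if __name__ == "__main__":
    print(replay_demo())
```

Contrast this with the static-password case the RSA spokesman describes: a password logged once is valid for every later login, and if it is reused across sites the damage spreads with it. The verifier's counter also means an attacker who captures a code but is slower than the customer gets nothing, since accepting counter 3 invalidates counters 0 to 3 outright.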