Thales Blog

Rolling Out Two-factor Authentication

July 2, 2009

Many UK banks have already addressed one area of weakness in online transactions – online banking. The introduction of smart card or CAP readers to provide two-factor authentication is a significant step taken by some UK banks over the last 18 months.

According to APACS, online banking fraud losses were reduced by 33 per cent between 2006 and 2007 following the adoption of two-factor authentication. Although the APACS figures for the first half of 2008 show a marked increase in online banking fraud, this increase has largely been attributed to phishing. Two-factor authentication provides much stronger protection against phishing than username and password verification alone. In fact, a recent announcement by Barclays stated customers using two-factor authentication for online banking experience no fraud whatsoever.

For those banks which have not migrated to the CAP infrastructure, there are other solutions available to address online banking fraud. For example, in 2007, online finance service PayPal introduced a security token to tackle fraud, generating a random, six-digit code every 30 seconds which is then used as part of the login process for the website. Customers also need to enter their user name and password. Through the introduction of additional verification tools, PayPal hopes the token will help defeat identity theft and phishing attacks. However, even these tokens could be vulnerable to real-time ‘man-in-the-middle’ attacks, where the fraudster communicates with both the real server and the customer at the same time.
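To make the token mechanism concrete, here is an added example (not PayPal's or Thales' code) of a time-stepped six-digit code generator with a server-side verifier. It assumes the HMAC-SHA1 construction of RFC 4226/6238, which the post does not state PayPal uses, and a shared secret that is constructed for the example; the verifier's clock-drift tolerance also shows why a code captured by a real-time relay stays usable for the rest of its window.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # one code per 30-second window, as described in the post
DIGITS = 6

# Constructed example secret; a real token holds a per-device secret from the issuer.
EXAMPLE_SECRET = b"example-shared-secret-20-bytes!!"


def generate_code(secret: bytes, unix_time: int,
                  step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code for the window containing unix_time (assumed RFC 4226/6238 scheme).

    HMAC-SHA1 over the big-endian window counter, then dynamic truncation
    to `digits` decimal digits, zero-padded.
    """
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int,
                skew_steps: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check of a submitted code.

    Accepts the current window plus `skew_steps` windows either side to
    tolerate token clock drift, using a constant-time comparison. Note what
    this proves: the submitter knew a fresh code, i.e. had the token just
    now. It does not bind the code to a particular transaction, so a code
    relayed by a man-in-the-middle within the window verifies just the same.
    """
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = generate_code(secret, unix_time + delta * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def seconds_code_remains_valid(unix_time: int, skew_steps: int = 1,
                               step: int = STEP_SECONDS) -> int:
    """How long a code issued at unix_time is still accepted by verify_code."""
    window_end = (unix_time // step + 1) * step
    return window_end - unix_time + skew_steps * step
```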

In late 2008, four European banks announced that they are piloting a new Visa card that incorporates a display for generating one-time numeric codes for consumers to use when transacting online or by telephone. MBNA, a Bank of America company in the UK, Cornèr Bank in Switzerland, Cal in Israel and IW Bank in Italy are all involved in the pilot trials of the new Visa PIN card, which features an alpha-numeric display and a 12-button keypad built into the back of a conventional credit, debit or prepaid card. The card promises a three-year battery life, overcoming a potential stumbling block to such schemes in the past.

The mobile phone is the other obvious device that can be used for two-factor authentication. A bank can use it for strong authentication by sending security details to the customer via SMS. SMS password confirmation serves as dual-channel identity authentication; it strengthens the transaction, although it is not as secure as Chip and PIN. The need for reliable network coverage to enable timely receipt and processing of the SMS password is another possible limitation of this authentication method.

While it is clear that significant inroads have been made in securing online banking, this is only a small element of the financial activity that consumers conduct online. Banks are yet to make any announcements regarding the extension of such security measures to the wider online environment for all types of transactions.