The Bank of America is to introduce two-factor, two-way
authentication to around 13 million online banking customers in an
attempt to reduce the threat of phishing attacks and identity
theft.
Unlike traditional two-factor authentication, the Bank of
America's Sitekey approach does not rely on expensive hardware
tokens to generate one-time passwords.
Instead it uses the customer's own PC or handheld device as the
second factor. Technology from security company Passmark takes a
"fingerprint" of the customer's computer to verify its identity,
built from HTTP headers, software configuration, hardware
settings, IP address and geographic location.
Customers registering for the service choose a picture and write a
short phrase, which the bank will later display to authenticate
itself to them, and set three challenge questions for use when
they log in from an unrecognised machine. When they come to use
the service, they enter a log-in name and are shown their picture
and phrase, confirming that it is the bona fide banking site. Only
then does the customer enter a password to use the service.
This combined approach is designed to protect against phishing
attacks that con users into entering log-in details into spoof
online banking sites, which hackers later use to access their
accounts.
If a user tries to log in from another PC, the fingerprint will
not match and the Bank of America service will first ask for the
answers to the three challenge questions set at registration. The
bank argues that this will stop hackers accessing an account even
if they have obtained the log-in name and password.
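The registration, recognised-device and new-device steps described above, modelled end to end as an added example. This is illustrative code written for this page, not Bank of America's or Passmark's implementation: the request field names, the choice of fingerprint inputs (and the truncation of the IP address to its first three octets), the PBKDF2 storage of passwords and challenge answers, and the answer normalisation are all assumptions; the sample "devices" at the bottom are constructed.

```python
import hashlib
import hmac
import secrets


def fingerprint(request: dict) -> str:
    """Hash the device traits the article lists. `request` is a constructed
    dict standing in for the HTTP request plus what the bank's client-side
    script reports about the machine (field names are assumptions)."""
    h = request["headers"]
    parts = [
        h.get("User-Agent", ""),
        h.get("Accept-Language", ""),
        request.get("software", ""),              # e.g. installed plug-ins
        request.get("hardware", ""),              # e.g. screen size, time zone
        ".".join(request["ip"].split(".")[:3]),   # /24 prefix: tolerates DHCP churn
        request.get("geo", ""),                   # coarse geolocation of the IP
    ]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()


def _kdf(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash for anything the user has to remember."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _norm(answer: str) -> str:
    """Challenge answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())


class SiteKeyBank:
    """Server-side state for the three steps: register, begin login, finish login."""

    def __init__(self):
        self.accounts = {}

    def register(self, username, password, image, phrase, challenges, request):
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "salt": salt,
            "pw": _kdf(password, salt),
            "image": image,            # the picture the customer chose
            "phrase": phrase,          # the short phrase they wrote
            "qa": {q: _kdf(_norm(a), salt) for q, a in challenges.items()},
            "devices": {fingerprint(request)},   # the PC used at registration
        }

    def begin_login(self, username, request):
        """Step 1: the user presents only the log-in name.
        Recognised device -> the bank proves itself with picture + phrase.
        Unknown device    -> the bank asks the challenge questions first."""
        acct = self.accounts.get(username)
        if acct is None:
            return ("unknown_user",)
        if fingerprint(request) in acct["devices"]:
            return ("sitekey", acct["image"], acct["phrase"])
        return ("challenge", sorted(acct["qa"]))

    def answer_challenge(self, username, answers, request):
        """Step 1b on a new device: every answer must match. On success the
        device fingerprint is enrolled and the site key is then shown."""
        acct = self.accounts[username]
        # Evaluate all answers before deciding, so a failure does not reveal
        # which question was wrong through timing.
        results = [
            hmac.compare_digest(acct["qa"][q], _kdf(_norm(answers.get(q, "")), acct["salt"]))
            for q in acct["qa"]
        ]
        if not all(results):
            return ("denied",)
        acct["devices"].add(fingerprint(request))
        return ("sitekey", acct["image"], acct["phrase"])

    def finish_login(self, username, password, request):
        """Step 2: the password is accepted only from a device that is
        recognised by now, i.e. after the site key has been displayed."""
        acct = self.accounts[username]
        if fingerprint(request) not in acct["devices"]:
            return False
        return hmac.compare_digest(acct["pw"], _kdf(password, acct["salt"]))


# Constructed sample devices: the customer's home PC and an internet cafe PC.
HOME_PC = {"headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
                       "Accept-Language": "en-GB"},
           "software": "flash,java", "hardware": "1024x768;tz=0",
           "ip": "81.2.69.142", "geo": "GB-LND"}
CAFE_PC = {"headers": {"User-Agent": "Mozilla/5.0 (X11; Linux i686) Firefox/1.0",
                       "Accept-Language": "en-US"},
           "software": "", "hardware": "1280x1024;tz=-5",
           "ip": "198.51.100.7", "geo": "US-NYC"}

if __name__ == "__main__":
    bank = SiteKeyBank()
    bank.register("alice", "correct horse", "img-0042", "blue teapot",
                  {"First pet?": "Rex", "Town of birth?": "Leeds"}, HOME_PC)
    print(bank.begin_login("alice", HOME_PC))   # site key shown straight away
    print(bank.begin_login("alice", CAFE_PC))   # challenge questions instead
```

One design point the flow forces, visible in `begin_login`: the picture and phrase are released on the strength of the device fingerprint alone, before any password, so the fingerprint is doing real security work. The inputs the article lists (HTTP headers, IP address, location) are also observable by any site the customer visits, which is why the example hashes them together with client-reported software and hardware settings rather than relying on any single trait, and why the password step in `finish_login` still refuses a device that has not passed either recognition or the challenge.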
George Tubin, senior analyst with TowerGroup, said the
technology could significantly boost confidence in online banking.
"Implementing two-way, two-factor authentication without hardware
is a significant step for online banking, particularly when taken
by a leading player. This approach is consumer-friendly and makes
it possible for the bank to scale rapidly and take it to the whole
client base."
The UK banks are planning to introduce two-factor authentication
for business customers using online banking services by the end of
the year, banking industry trade body Apacs said earlier this
month. It is co-ordinating the development of technical standards
for a system based on chip and PIN smartcards and a reader that
generates a one-time password.