New Zealand's ASB Bank is introducing two-factor authentication in a bid to cut online fraud by "phishers" who trick bank customers into revealing their account details.
Two-factor authentication requires two independent factors to identify a person. Ideally, one is physical (something the person has) and the other mental (something the person knows): for example, an Eftpos card used together with a PIN (personal identification number).
ASB plans to send text messages to the mobile phones of customers when they want to make a "significant" transaction, said Clayton Wakefield, the group general manager of technology and operations. A six-digit number will be sent to the cellphone to authenticate the user.
ASB is using an RSA Security product, RSA Mobile. RSA's president and chief executive, Art Coviello, visited New Zealand recently as part of the roll-out.
New Zealand bank customers are regularly targeted by such scams. Phishing attacks, as defined by the Anti-Phishing Working Group, use spoofed e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords.
The group's statistics suggest attacks are on the rise and nearly 75% of all attacks have happened in the past 12 months. As many as 5% of recipients of bogus contacts actually respond to them. A July study by security company MailFrontier suggested that 28% of US adults cannot spot phishing e-mails as fraudulent.
"Two-factor authentication will protect the bank and its customers, not only from phishing but several other forms of attack," said Coviello.
One option is for ASB to issue all its online customers with a physical device for authentication, such as a diskette or CD. While improving security, it would be a real nuisance for users who check their accounts at work and at home.
Because of the high penetration of cellphones and messaging, ASB and RSA have decided that text messaging is the way to go. Customers can use browsers to look at accounts with just a password. If the customer wants to perform a significant transaction, the ASB web server will transmit a pseudo-random six-digit number to their cellphone using SMS.
The six-digit number is valid for only a few minutes; typing it into the browser lets the customer complete the transaction. This confirms that the person who knows the online password also holds the matching cellphone and, hopefully, that this person is the account holder.
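The server side of the flow described above, written as an added example for this article (it is not ASB's or RSA Mobile's code, and the class, function and message names are hypothetical): a pseudo-random six-digit code is generated per customer, sent by an injected SMS function, kept only for a short validity window, and accepted once. The example goes slightly beyond the article by also tying the code to the transaction it was issued for and capping guesses, so that a code obtained for one transfer cannot authorise a different one and the six-digit space cannot be searched by repeated submission. The clock and SMS sender are injected so the exchange can be driven deterministically offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values; the article says only "a few minutes".
CODE_TTL_SECONDS = 180
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    code: str          # six-digit code sent to the customer's phone
    transaction: str   # description of the transaction the code authorises
    issued_at: float   # clock value when the code was issued
    attempts: int = 0  # verification attempts made against this code


class SmsOtpService:
    """Hypothetical SMS one-time-code issuer/verifier for 'significant' transactions."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms      # callable(phone_number, message)
        self.clock = clock            # injectable for testing expiry
        self.pending = {}             # customer_id -> PendingCode (one live code per customer)

    def issue_code(self, customer_id, phone_number, transaction):
        # secrets gives a CSPRNG-backed value in [0, 999999], zero-padded to six digits.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[customer_id] = PendingCode(code, transaction, self.clock())
        # Assumed message format: the code first, then what it authorises, so the
        # customer can see which transaction they are confirming.
        self.send_sms(phone_number, f"{code} is your code for: {transaction}")

    def verify_code(self, customer_id, transaction, submitted):
        entry = self.pending.get(customer_id)
        if entry is None:
            return "no_pending_code"
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[customer_id]
            return "expired"
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            # Too many guesses: discard the code so a fresh one must be issued.
            del self.pending[customer_id]
            return "too_many_attempts"
        if transaction != entry.transaction:
            return "transaction_mismatch"
        # Constant-time comparison so timing does not leak how many digits matched.
        if not hmac.compare_digest(entry.code.encode(), submitted.encode()):
            return "wrong_code"
        del self.pending[customer_id]   # single use: a second submission is rejected
        return "ok"


def demo():
    """Scripted exchange with constructed sample data; returns the verifier's outcomes."""
    sent = []
    clock = [1_000.0]
    svc = SmsOtpService(send_sms=lambda phone, msg: sent.append(msg),
                        clock=lambda: clock[0])
    txn = "pay 500.00 NZD to 12-3456-7890123-00"   # constructed sample transaction
    phone = "+64 21 000 0000"                       # constructed sample number

    svc.issue_code("cust-1", phone, txn)
    code = sent[-1].split()[0]                      # what the customer reads off the phone
    results = []
    wrong = "000000" if code != "000000" else "000001"
    results.append(svc.verify_code("cust-1", txn, wrong))          # wrong code
    results.append(svc.verify_code("cust-1", "pay 9999.00 NZD to 00-0000-0000000-00", code))  # right code, other transaction
    results.append(svc.verify_code("cust-1", txn, code))           # accepted
    results.append(svc.verify_code("cust-1", txn, code))           # replay rejected

    svc.issue_code("cust-1", phone, txn)
    code = sent[-1].split()[0]
    clock[0] += CODE_TTL_SECONDS + 1                               # validity window passes
    results.append(svc.verify_code("cust-1", txn, code))           # expired
    return results


if __name__ == "__main__":
    print(demo())
```

The service is deliberately split from the web tier: the web server never sees the code except through `verify_code`, and the code never travels back over the same channel it is meant to supplement.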
"ASB wants to take the initiative in improving authentication," said Wakefield. For people who share the same login and password to their joint account, Wakefield suggests they each get a separate login.
Of course, this authentication technology potentially supplants the Eftpos or credit card in many situations. ASB has already hooked up with Telecom to offer mTopup facilities for prepaid Telecom mobile phones.
They have also rolled out mPayments, which allows a customer to do general banking and buy goods from an mPayments merchant using a mobile phone and a password.
Chris Reynolds writes for Computerworld New Zealand Online