For fear of becomming(sic) the next victim of identity theft, 150 million U.S. consumers don’t bank online, according to experts. But the banking industry could improve profitability by as much as $8.3 billion per year if banks build consumers’ confidence in online security, according to the TriCipher Consumer Online Banking Study, conducted by Javelin Strategy & Research for TriCipher, a Los Gatos, Calif.-based authentication solutions provider.
I don’t doubt that US banks, after having received all that taxpayer money, will spend some of it on biometrics and multi-factor authentication. I predict that they will eventually abandon ship on authentication technology for home banking, when they realize that authentication technology doesn’t protect their customers on the Internet.
Multi-factor authentication doesn’t prevent phishing. It doesn’t prevent identity theft. It doesn’t secure online accounts from fraudulent transactions. Take two attacks as examples:
- Man in the middle: an attacker sets up a fake banking web site and gets people to log in, passing the authentication request through to the real bank. The attacker doesn’t care whether the user authenticates with biometrics or with out-of-band SMS messages; that suits him fine. He still gets the user into his system and harvests usernames, passwords, credit card numbers and account numbers.
- Trojan horse: an attacker distributes a Trojan on a CD or from an online adult-content site. Once the user logs in to the bona fide banking site, the Trojan can use that authenticated connection to perform fraudulent transactions, such as account withdrawals and funds transfers, while the user is still logged in.
Multi-factor authentication and biometrics work well in a controlled environment like a corporate local area network, but in the wild the threats change too fast for multi-factor authentication solutions to provide effective data security.
What will get more people to use online banking?
- Trusting their bank.
- Banks that don’t lose customer data
- A simple but robust online login method (account, username, password) that uses offline, face-to-face authentication to validate identity before issuing a username/password and enforces strong, frequently updated passwords.
- Education about the dangers of phishing
- A well-engineered online banking web site that doesn’t require hardware dongles or Java or ActiveX client software.