Anti-Phishing with Two Factor Authentication
By John B. Frank, Strategist with HomeATM ePayment Solutions
Banks have a serious issue with phishing attacks aimed at their online banking customers, and it’s time they take a long and serious look at a simple solution: Two Factor Authentication.
Phishing lures online banking customers with a sophisticated, genuine-looking trap: an email that looks like it came from the bank, linking to a site that looks like the bank's (a new type of bait and switch).
Once there, users are simply instructed to do what they’ve been programmed to do since day one with online banking.
They are told to type in their username and password to log in. The problem is that once they have typed that "username | password" into the phisher's page, the phisher holds a credential that grants full access to the account and can be reused at the real site as often as they like.
If you haven’t figured it out already, allow me to point out the major flaw in this process.
If online banking customers had never been trained to type a secret into a box in the first place, there would be nothing for this kind of phishing to harvest.
Case in point: imagine if, when ATMs first came out, users had been instructed to "make up" a username and password that granted full access at any ATM. How smart would that have been?
Fortunately the banks were smarter than that and they required that their ATM customers insert their card into a built-in card reader AND enter their PIN.
It was 2FA (two factor authentication) 101: something you "have" (the card) and something you "know" (the PIN).
I’m puzzled…perplexed at best.
Why would banks believe, even for a moment, that online banking log-in should be any different? What has happened since then to make them believe “typing” is safer than “swiping?” Why are they suddenly dissin’ the card?
Window of Opportunity
Instead of dissin' the card, I say DISCARD the antiquated "username | password" log-in and have customers USE THEIR CARD (what they have) and their PIN (what they know), replicating the exact process they already use to get cash from an ATM. True 2FA. The one difference is that the authentication happens in the safety of the customer's own home (no skimmers, no cameras) with a HomeATM SafeTPIN.
If the online banking community introduced a simple new log-in, one that requires customers to log in the "same way" they do at an ATM, with "THEIR CARD, THEIR PIN, & THEIR HOMEATM," they would greatly enhance the security of their online banking sites.
A hardware reader removes the reusable secret that credential-harvesting phishing depends on: the phishing page never sees the PIN, only a PIN block encrypted for the bank under a key that changes with every transaction (the DUKPT key management described in the author's note below), so a captured message cannot be replayed once the bank has seen it. What it does not do by itself is stop an attacker who relays a live session to the real site in real time, so the challenge the reader answers should also be bound to the site the customer is actually talking to. Even so, in my opinion this is an opportunity banks can't afford to pass by.
Why? Because the same mechanism would also blunt cloned websites, DNS hijacking and the harvesting of card data for cloning, since a fake site collects only encrypted, single-use data rather than a reusable password or clear magnetic-stripe data. In addition, it would arm online banking customers with a weapon of phish destruction, one that fights cybercrime and "empowers" them as mini profit centers. Does anyone disagree that bill payments, money transfers and secure online transactions all make money for banks?
That said, I humbly suggest it’s high time to “study these issues” more closely. There are three “key” issues banks need to contend with if they want to come out of this ahead. I call it online banking “CPR.”
Let's look at "these issues" one at a time:
1. Bank “ISSUES” the Card,
2. Bank “ISSUES” the PIN,
3. So Where’s the Issue with a secure Card/PIN Reader?
Did you know that the average phishing attack costs the bank and its customer, between them, $350? From Gartner Research:
Phishing attacks are costly:
According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before, to five million.)
The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (That’s $196 to the banks and $154 to the consumers.)
“The findings underline the fact that the war against phishing is far from over,” said Avivah Litan, analyst at Gartner. Yes, the very same Avivah Litan who says “never” enter your PIN on the Internet unless it’s hardware based.
For the $350 that one successful phishing attack costs, banks buying in quantity could issue around 70 HomeATMs. That is the last remaining "issue" they need to contend with.
Speaking of phishing, here are a few of the latest as compiled by Millersmiles.com.uk:
Author's Note: our PCI 2.0 certified PED also encrypts the Track 2 data and uses DUKPT (derived unique key per transaction) key management, so every transaction is protected under a different key, as an additional layer of security.
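To make the replay argument concrete, here is an added illustration; it is not HomeATM's code or protocol. A reader derives a fresh key for every login from a per-device initial key and a counter (the DUKPT idea), encrypts the PIN together with a host challenge, and the host re-derives the key from the device id and counter and rejects any message whose counter it has already seen. HMAC-SHA256 stands in for the TDES arithmetic of ANSI X9.24 DUKPT, and every name used (BDK, IPEK, KSN, the Reader and Host classes, the message fields, the 4-digit PIN) is an assumption made for the demo, not a description of the product.

```python
"""Constructed demo (not HomeATM code): a card/PIN login whose key changes on
every use, versus a static password. HMAC-SHA256 stands in for the TDES key
derivation of ANSI X9.24 DUKPT; BDK, IPEK, KSN, Reader and Host are assumed names."""
import hashlib
import hmac
import os

BDK = hashlib.sha256(b"constructed base derivation key").digest()  # stays in the bank HSM


def derive_ipek(bdk, device_id):
    """Initial PIN Encryption Key: unique per reader, injected at manufacture."""
    return hmac.new(bdk, b"IPEK|" + device_id, hashlib.sha256).digest()


def transaction_key(ipek, counter):
    """One-way derivation of the counter-th key: DUKPT's unique key per transaction."""
    return hmac.new(ipek, b"TXN|" + counter.to_bytes(3, "big"), hashlib.sha256).digest()


def seal(key, header, plaintext):
    """Encrypt-then-MAC under a transaction key (plaintext at most 32 bytes)."""
    stream = hmac.new(key, b"ENC", hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return ct, hmac.new(key, b"MAC|" + header + ct, hashlib.sha256).digest()


def unseal(key, header, ct, tag):
    """Check the MAC before decrypting; None means tampered or wrong key."""
    expected = hmac.new(key, b"MAC|" + header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hmac.new(key, b"ENC", hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


class Reader:
    """The customer's card/PIN reader: holds its IPEK and a monotonic counter."""

    def __init__(self, device_id, ipek):
        self.device_id, self.ipek, self.counter = device_id, ipek, 0

    def login(self, pan, pin, challenge):
        self.counter += 1                                   # a key is never reused
        key = transaction_key(self.ipek, self.counter)
        header = self.device_id + self.counter.to_bytes(3, "big") + pan.encode()
        ct, tag = seal(key, header, pin.encode() + challenge)  # 4-digit PIN assumed
        return {"device_id": self.device_id, "counter": self.counter, "pan": pan, "ct": ct, "tag": tag}


class Host:
    """The bank: re-derives the reader's key from the KSN (device id + counter)."""

    def __init__(self, bdk):
        self.bdk, self.highest_counter, self.open_challenges = bdk, {}, set()
        self.pins = {}                                      # demo only; real hosts keep PVVs in an HSM

    def enroll(self, device_id, pan, pin):
        self.highest_counter[device_id], self.pins[pan] = 0, pin

    def challenge(self):
        c = os.urandom(8)
        self.open_challenges.add(c)
        return c

    def verify(self, msg):
        dev, ctr = msg["device_id"], msg["counter"]
        if dev not in self.highest_counter or ctr <= self.highest_counter[dev]:
            return False                                    # unknown reader, or replayed/stale KSN
        header = dev + ctr.to_bytes(3, "big") + msg["pan"].encode()
        pt = unseal(transaction_key(derive_ipek(self.bdk, dev), ctr), header, msg["ct"], msg["tag"])
        if pt is None:
            return False
        pin, chal = pt[:4].decode(), pt[4:]
        if chal not in self.open_challenges or pin != self.pins.get(msg["pan"]):
            return False
        self.open_challenges.discard(chal)                  # a challenge is answered at most once
        self.highest_counter[dev] = ctr
        return True


def demo():
    """Legitimate login, replay of the captured message, wrong PIN, next login."""
    host, dev = Host(BDK), b"READER-0001"
    reader = Reader(dev, derive_ipek(BDK, dev))
    host.enroll(dev, "4111111111111111", "1234")
    captured = reader.login("4111111111111111", "1234", host.challenge())
    return {
        "first": host.verify(captured),                     # True
        "replay": host.verify(captured),                    # False: counter 1 already consumed
        "wrong_pin": host.verify(reader.login("4111111111111111", "9999", host.challenge())),
        "later": host.verify(reader.login("4111111111111111", "1234", host.challenge())),
    }


def replayed_password_works():
    """The static login the article objects to: a captured credential is reusable forever."""
    creds = {"alice": "hunter2"}
    captured = ("alice", "hunter2")                         # what the phishing page harvests
    check = lambda user, pw: creds.get(user) == pw
    return check(*captured) and check(*captured)


if __name__ == "__main__":
    print(demo(), replayed_password_works())
```

Running it shows the first login accepted, the identical message rejected on replay, a wrong PIN rejected, and the next login accepted under the next key, while the static password check succeeds every time it is replayed. Note what the example deliberately does not show: an attacker who obtains a challenge from the real site, feeds it to the victim's reader and relays the fresh reply in real time is still accepted once, which is why the challenge should also bind the origin the customer believes they are talking to.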
HomeATM's engineering team designed and manufactures the world's first and only PCI 2.0 PIN Entry Device designed specifically for eCommerce. The device provides "card present" rates on credit cards and true PIN debit interchange on debit cards, as well as secure 2FA authentication for online banking sites and live, real-time money transfer (P2P, B2B, B2P, P2B and mobile).
To learn more about our products and services, email us at info@homeatm.net