Network World

Authentication: Where's the magic factor?

By Daniel Blum, Network World, 04/24/2006

As cybercrime threatens online banking security and technologists debate the efficacy of two-factor authentication solutions, business and technical questions remain.

In a Network World "Face-Off" last year, RSA Security's Joe Uniejewski argued for two-factor authentication (which regulatory authorities recommend), while Counterpane's Bruce Schneier pointed out that attackers would find ways around this and banks would be better off addressing transaction security. I believe stronger authentication will help, but the industry also must focus on user awareness, computer security, network hygiene and business questions around transaction security.

I recently attended a meeting of NACHA-The Electronic Payments Association, at which it became clear that regulators are fairly open-minded about evaluating how banks address risk and that a ferment of creative energy and innovation is going into this area. The technical discussion is all about what one considers an authentication factor.

Is Authentify's voice recording, collected on the phone at the time of a transaction for audit purposes, a factor? Is Bank of America's SiteKey from Passmark, which displays a picture chosen by the user to authenticate the site, a factor? How about RSA Security's fraud network acquired from Cyota? Or 41st Parameter's sophisticated real-time device identification? Or Strikeforce Technology's plethora of plug-in functions? Could eWise's innovative, human-only-readable watermark hold the key? The latter weaves a transaction description such as "Wire $5,000 to Shanghai" alongside an illustrated confirmation code for the user to enter (or not). Potentially, the answer to all of these questions is yes.

From a business perspective, banks are much less concerned about losses to fraud than they are about scaring away customers. To them, online banking represents a Mecca of huge cost savings and revenue opportunities. The technical solutions that win out for them will be those that offer unobtrusive but effective protection.

The question no one seems to be asking out loud is: Who owns the liability? Astute users remain uneasy about what happens if a fraudster cleans out their bank account in a world of strong authentication. Will the bank make good the user's losses out of concern for its reputation, or will it hold the user negligent? A bank that invests in one-time password tokens will argue the devices are effective and, thus, only the user could take money out of the account.
