Banks Prove Themselves to Customers - and Vice Versa
Phishing attacks – where hackers use look-alike sites to trick consumers into sharing confidential information – cost Americans nearly $3 billion last year by one estimate, despite efforts by financial institutions to educate consumers about the risks. Those companies are now trying to put technology into the hands – or computers – of their customers in an attempt to mitigate the losses.
Zions Bank, with more than 130 branches across Utah and Idaho, decided that dual-factor authentication would allay consumer fears of someone else accessing their accounts while mitigating the risk of an unauthorized user tapping into someone's account after stealing their credentials. Dual-factor authentication combines something you know – your username and password – with something you have. In the case of Zions, it's actually something users and the bank have on their computer.
Lee Carter, president of online banking with Zions, says that their system (which they call SecureEntry) authenticates the bank to the user and the user to the bank. In the first case, when a user enrolls in SecureEntry, he or she chooses a photo icon from the site and a passphrase. "The purpose is that the next time they come back and log in, we will present that photo and passphrase to them so they can rest assured that they're at the right location – and not some fake site," Carter says.
Also during enrollment, the bank drops a cookie onto the user's computer and collects some basic forensics such as IP address (Carter declined to specify all the forensics being collected). When the same computer is used again to access the online bank account, the cookie and other forensics show that it's already been enrolled. In conjunction with the proper username and password, the bank can be reasonably sure that it's the real account holder and not somebody who simply stole those login credentials.
If a different computer is used to access the account, that machine also must be enrolled unless it's a public machine such as in an airport kiosk; in the latter case, it can remain unregistered, but the bank will present a series of challenge questions before it grants access, and the user is locked out after three mistaken answers.
"It's a strong authentication routine," Carter says. "It gets to the heart of a lot of automated attempts that we see pounding away at our login box trying to guess usernames and passwords. Now they may guess a username but they won't have been on that machine, so they won't successfully get through challenge or password questions." SecureEntry is built on a solution from PassMark, which was acquired last year by RSA, the Security Division of EMC.
Carter's biggest concern was that customers would find the solution hard to use and would flood the call center with questions. That hasn't happened, he says. Instead, only about two percent of enrolling customers called with a problem in most cases, the problem was that the customer had forgotten the answers to the challenge questions immediately after enrolling.
Other banks are exploring the practicality of providing customers with USB flash drives that will hold information that serves as the second half – the "what you have" portion – of dual-factor authentication; that way, users won't need to enroll any particular machine.
Asheem Chandna, a partner with venture-capital firm Greylock Partners, says that while use of this token-based technology will likely grow in importance in the future because it helps consumers to lock attackers out of their accounts, it has drawbacks. "The moment you talk about a USB token or separate token for security, it's yet another piece of technology that needs to be inserted into somebody's hands, and that has cost, complexity, and rollout associated with it." He says the type of solution Zions is using is more likely to be used by financial institutions, at least in the near term because it requires little from users and helps them recognize a fake banking site.
Carter says that the open architecture in the PassMark solution means that he can choose to provide some customers – say, those doing high-value wire transfers – with a token in the future, adding security to high-value transactions.