Amid expanding incidents that suggest dual authentication for online banking is no longer adequate to prevent theft (or avoid potential legal culpability), firms such as Todos, ClairMail and PhoneFactor are betting institutions are ready to embrace new protections that take advantage of SMS, voice biometrics or secure browsers to further authenticate users and transactions. "I'm glad [out of band] is getting a reaction now. It does address some of the issues around online banking and security," says Stessa Cohen, research director, Gartner, who says recent surveys found nearly half of people who don't use online banking listed security as a reason.
The additional measures won't come too soon. The Internet Crime Complaint Center found that online fraud complaints jumped 23 percent in 2009 to 336,655 with a total loss of $560 million, more than doubling the $265 million in losses from 2008, and analysts say many banks are losing the battle against ACH fraud attacks on their business customers.
Tech firms think the attack trends will result in loosened IT purse strings. For example, PhoneFactor's product approach of authenticating consumers based on "what they have" (a phone) and "what they know" (an identifying characteristic such as a password) is being extended to include a consumer's actual voice. The firm's new biometric solution generates calls to a user, asking that user to repeat a pass phrase that's recorded at the time of registration. PhoneFactor then uses a hosted database and analytics to measure the characteristics of the user's voice against the initial vocal recording. "It's actually a third factor, or 'what you are'," says Steve Dispensa, PhoneFactor's CTO. PhoneFactor, which didn't release uptake beyond saying some clients were "in production," retains the computer coding that enables voice print algorithms. That allows biometrics to be accessed remotely.
George Tubin, senior research director, TowerGroup, says voice biometrics for authentication has always been a matter of "when, not if." But he says voice biometrics "still needs work. There's background noise and connection issues. There's also the matter of how well it functions."
Mobile tech firm ClairMail sends users one-time PINs to phones via SMS; the PINs are entered into the online banking session, serving as an "out of band" authentication technique: a crook would have to hack the user's PC and mobile phone at the same time. The firm also recently unveiled a new mobile connectivity architecture that accesses multiple firms and operations systems to aggregate data. "The mobile system can check with the call center or plug into the IVR system. If we need to escalate out of band [to authenticate or approve a suspicious transaction], we can connect with other channels," says Donald MacCormick, vp of product and engineering, ClairMail, who says the new architecture integrates ClairMail systems that many of its clients already use.
But out-of-band techniques can't always protect against man-in-the-browser attacks. For that, Swedish tech firm Todos offers Autograf, which allows banks to set up secure sessions via the Internet, a user's computer and a smart card and reader. Autograf is designed to connect banks and smart card readers, bypassing the risk of man-in-the-middle and other attacks against SSL protections on Web browsers. "Truly secure out-of-band technology has to take place in a device that cannot be tampered with, or accessed by anyone but the person who has the device, knows the PIN, and [in the case of smart card readers] holds the banking card," says John Ahlberg, a director at Todos, whose clients include ABN Amro, Handelsbanken and ICA Banken.






















