Fraud Spike May Spur Out-of-Band Authentication

An increase in data breaches and online fraud has security vendors betting that banks will embrace systems that use text messages, voice biometrics or secure browsers to better authenticate people and transactions.

"I'm glad" out-of-band authentication "is getting a reaction now. It does address some of the issues around online banking and security," said Stessa Cohen, a research director with Gartner Inc. Recent surveys found that nearly half of the people who don't use online banking cite security as a key reason, Cohen said.

The Internet Crime Complaint Center found that online fraud complaints jumped 23% in 2009, to 336,655, with a total loss of $560 million, versus $265 million in 2008. Analysts say many banks are losing the battle against automated clearing house fraud attacks on their business customers.

Security vendors say they believe these trends will prompt banks to spend more money for better authentication systems.

PhoneFactor Inc. expands the authentication process for consumers beyond something they have (a phone) and something they know (a password) to include their actual voice. The Overland Park, Kan., company's biometric system generates calls to users, asking them to repeat a pass phrase that was recorded during an enrollment process.

PhoneFactor then uses a database and analytics to measure the characteristics of the users' voices against their initial recordings. "It's actually a third factor, or 'what you are,'" said Steve Dispensa, PhoneFactor's chief technology officer.

Some PhoneFactor clients are already "in production" with the system, Dispensa said, but he would not provide further details.

George Tubin, a senior research director for TowerGroup, said voice biometrics for authentication has always been a matter of "when, not if."

However, he said voice biometrics "still needs work. There's background noise and connection issues. There's also the matter of how well it functions."

The mobile banking technology company ClairMail Inc. sends users one-time PINs to phones via text messages. The PINs are entered into online banking sessions, serving as an out-of-band authentication technique — to access someone's account online, a crook would have to hack both the user's PC and mobile phone.

ClairMail, of Novato, Calif., recently unveiled a mobile system that accesses multiple firms and operations systems to aggregate data. "The mobile system can check with the call center or plug into the IVR system. If we need to escalate out of band [to authenticate or approve a suspicious transaction], we can connect with other channels," said Donald MacCormick, a vice president of product and engineering at the vendor. The new system integrates ClairMail systems that many of its clients already use, MacCormick said.

But out-of-band techniques can't always protect against man-in-the-browser attacks. For that, the Swedish tech company Todos offers Autograf, which allows banks to set up secure sessions via the Internet, a user's computer and a smart card and reader.

Autograf is designed to connect banks and smart card readers, bypassing the risk of man-in-the-middle and other browser-based attacks.
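An added example, not code from the article or from any vendor named in it, of the difference between the one-time PIN approach ClairMail describes and the transaction-bound confirmation that addresses the man-in-the-browser caveat above: the code sent out of band is computed over the payee and amount shown in the text message, so a submission that reaches the bank with altered details, a replayed code, or an expired code is rejected. The server key, transaction fields, user names and the in-memory `pending` store are constructed stand-ins; the remaining caveat is that the user still has to read the details on the phone before typing the code.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a per-deployment secret and an in-memory store of issued codes.
SERVER_KEY = secrets.token_bytes(32)
CODE_TTL = 120.0  # seconds a code stays valid
pending = {}      # code_id -> {"user", "nonce", "issued", "used"}

def tx_fingerprint(tx):
    """Canonical bytes of the details the user will read in the text message."""
    return f"{tx['payee']}|{tx['amount']}|{tx['currency']}".encode()

def derive_code(user, nonce, tx):
    """Six-digit code bound to the user, a fresh nonce and the transaction details."""
    mac = hmac.new(SERVER_KEY, nonce + user.encode() + tx_fingerprint(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def issue_code(user, tx, now=None):
    """Bank side: create a code for this transaction and the text to send out of band.
    Returns (code_id, sms_text); only the sms_text leaves the bank."""
    now = time.time() if now is None else now
    nonce = secrets.token_bytes(16)
    code_id = secrets.token_hex(8)
    pending[code_id] = {"user": user, "nonce": nonce, "issued": now, "used": False}
    sms = f"Code {derive_code(user, nonce, tx)} to pay {tx['amount']} {tx['currency']} to {tx['payee']}"
    return code_id, sms

def verify_code(code_id, user, tx, code, now=None):
    """Recompute the code over the transaction as finally submitted from the browser.
    Each code_id is consumed on its first attempt, successful or not."""
    now = time.time() if now is None else now
    rec = pending.get(code_id)
    if rec is None or rec["used"] or rec["user"] != user or now - rec["issued"] > CODE_TTL:
        return False
    rec["used"] = True
    return hmac.compare_digest(derive_code(user, rec["nonce"], tx), code)

def demo():
    """Constructed scenario: the user confirms 50.00 EUR to ALICE; a man-in-the-browser rewrites it."""
    shown = {"payee": "ALICE", "amount": "50.00", "currency": "EUR"}
    altered = {"payee": "MULE", "amount": "5000.00", "currency": "EUR"}
    cid1, sms1 = issue_code("u1", shown)
    honest = verify_code(cid1, "u1", shown, sms1.split()[1])      # details match: accepted
    cid2, sms2 = issue_code("u1", shown)
    tampered = verify_code(cid2, "u1", altered, sms2.split()[1])  # altered in browser: rejected
    replay = verify_code(cid1, "u1", shown, sms1.split()[1])      # code already consumed: rejected
    return {"honest": honest, "tampered": tampered, "replay": replay}
```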

"Truly secure out-of-band technology has to take place in a device that cannot be tampered with, or accessed by anyone but the person who has the device, knows the PIN, and" in the case of smart card readers "holds the banking card," said John Ahlberg, a director at Todos, whose clients include ABN Amro, Handelsbanken and ICA Banken.

MORE FROM AMERICAN BANKER