Tuesday, July 19, 2005

Phishing Risk: Two-Factor Authentication to the Rescue...

In a recent banking survey conducted by the Risk Management Association (RMA) on Operational Risk Management, 105 institutions responded. Over one third indicated their greatest risk was "Unauthorized Access" from both insiders and outsiders together with attacks on bank systems.

What was obvious from the survey was that, no matter the size of the institution, both Internet and Vendor Risk are pervasive. Among banks with assets over $100Bn, the highest risk was ineffective IT planning for aligning investment with business priorities.

It's no wonder that institutions like the National Australia Bank (NAB) and others are losing tens of millions of dollars per year from Internet Banking Fraud.

NAB is losing about A$1 million a month to Internet banking fraud, according to a confidential internal document acquired by Australian newspaper Herald Sun BusinessDaily.

According to the newspaper article, the document was issued to senior technology staff as part of a drive to improve online security and stem a "tide of losses".

The report warns that Internet banking fraud is on the increase with criminals using "increasingly sophisticated" ways of stealing customers' details. The document also claims fraudsters are tricking Web banking customers into becoming couriers and moving stolen funds out of the country.


With two-factor authentication in the wind, it's no wonder you see vendors scrambling for time with bank CIOs to sway their thinking on the best approach to this business issue.

According to figures from The Australian Bankers Association (ABA), the country's banks lost A$10 million to online fraud last year.

The ABA said in March that Australian banks would introduce an industry standard for two-factor authentication for verifying online banking customers later this year, although each bank is free to choose its own method of secondary identification.


Bank of America has already adopted the PassMark technology. SiteKey is one anti-phishing method that associates an image with an online ID to give the consumer a higher level of assurance that they are logging into the correct site. E-Trade has chosen RSA's technology for its site.

Putting an end to account hijacking is a primary concern of the US FDIC, and they welcome your input.
