NAB eyes three-factor authentication

National Australia Bank is confident that it has the tools it needs to leapfrog rivals by adopting three-factor authentication, adding an extra means of security to the normal two factors most Australian banks offer customers to secure their transactions.

(Civic street sign and NAB image by Bidgee, CC3.0)

Two-factor authentication improves on passwords by insisting that customers logging on to websites present something they know — their password — and something they have, typically a mobile phone that receives a one-time password by SMS. Another common source of one-time passwords is a "token", a small electronic password-generating device that uses a pre-determined algorithm to generate codes unique to a particular site or service.

Tokens can be as simple as a small screen that displays an ever-changing sequence of numbers. Other tokens offer a keypad, so that users can enter a passphrase before one-time passwords are displayed. This kind of paranoia is common in the world of tokens, as typified by token pioneer RSA's offering of a token (since discontinued) with a battery made of mercury, a precaution that deprived the device of the electricity needed to function if hackers attempted to open the device.

The bank told ZDNet.com.au that 75 per cent of personal banking transactions, by value, were now protected by one-time passwords delivered by SMS. NAB added that it planned to insist business banking customers used two-factor authentication for some transactions. "Customers will be required to use 2FA to perform transaction above certain limit thresholds," a spokesperson said.

The bank is also considering the introduction of a third authentication factor, in the form of voiceprints. NAB introduced voice authentication to its call centres in June 2009, with the technology being used to identify callers to its phone banking systems as a way to improve the customer experience while also guarding against identity fraud.

A NAB spokesperson said the infrastructure in place for that solution "... could be leveraged to provide a 3FA solution for internet banking, including an improved customer experience for mobile banking".

NAB's interest in adding the third authentication factor is likely driven by its good experiences with two-factor authentication.

"The NAB SMS security and token-based solutions have proven effective in reducing the fraud risk and giving our customers the ability to bank online with confidence," the bank's spokesperson wrote.

Two-factor authentication has long been a favourite of the industry, which values it as a way to improve security of virtual private networks and other facilities providing access to sensitive information.

Banks value the technology as a way to make it harder for criminals to access bank accounts with a password alone, a common exploit enabled by social engineering attacks such as phishing. Banks also use two-factor authentication to verify individual transactions, with the one-time password used to verify that the person initiating a transaction is aware it is taking place.

Legitimate customers in possession of a one-time password therefore authenticate themselves in real time before transactions such as large transfers from their accounts, a tactic that makes it harder for criminals to conduct fraudulent transactions.

Australia's four big banks all offer two-factor authentication, with NAB launching SMS-based two-factor authentication for personal internet banking customers in 2005. The bank has since added, and mandated, token-based authentication for customers of its online business banking service.
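The two mechanisms the article describes, a token that derives codes from a shared secret and a counter, and a per-transaction SMS code that confirms the customer is aware of a specific transfer, as an added illustration that is not NAB's code or the article's. It assumes an RFC 4226 HOTP token (the article does not name the algorithm NAB's tokens use) and a constructed shared secret.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample: the RFC 4226 test-vector secret stands in for the per-customer secret a bank provisions into a token.
TOKEN_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenServer:
    """Bank-side record for one token: shared secret plus the next counter it will accept."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead  # tolerate a few button presses the bank never saw

    def verify(self, code: str) -> bool:
        # Only counters at or beyond next_counter are tried, so a captured code
        # cannot be replayed once a later code has been accepted.
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                return True
        return False


class TransactionOtp:
    """Per-transaction SMS code: random, single-use and bound to one transaction's details."""
    def __init__(self):
        self.pending = {}  # txn_id -> (code, amount, destination)

    def issue(self, txn_id: str, amount: int, dest: str) -> str:
        code = str(secrets.randbelow(10 ** 6)).zfill(6)
        self.pending[txn_id] = (code, amount, dest)
        return code  # the bank would send this by SMS alongside the amount and payee

    def confirm(self, txn_id: str, amount: int, dest: str, code: str) -> bool:
        # pop() makes the code single-use: a wrong attempt discards it, so each SMS allows one guess.
        entry = self.pending.pop(txn_id, None)
        if entry is None:
            return False
        exp_code, exp_amount, exp_dest = entry
        return (amount, dest) == (exp_amount, exp_dest) and hmac.compare_digest(exp_code, code)
```

The transaction code is tied to the amount and payee it was issued for, so a code obtained for one transfer cannot confirm a different one.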


Talkback 12 comments

    NAB should strengthen passwords first David Johnston -- 12/10/09

    NAB should concentrate on the basics by strengthening their passwords before trying to look all fancy. Current passwords are limited to just 6 to 8 alphanumeric characters. The length should be extended, and special characters should not only be allowed but enforced.

    Identification by one word answers to questions Anonymous -- 12/10/09 (in reply to #320381733)

    Surely a one-word answer to a number of questions on the screen, as in the Centrelink system, would suffice, as well as finger or thumbprint ID.

    Each person knows more about their own past, the little things that no one else knows; once in the computer, it is almost invisible, and rotating the options, even more so.

    That way no one else can obtain all the necessary items in the correct order, if they are rotated.

    Re: Identification by one word answers to questions Anonymous -- 13/10/09 (in reply to #320382027)

    Paradoxically, the more you need to register the "little things" on different systems, the more people know those "little things".

    And the likes of Facebook and Friends Reunited make those "little things" about your past so much easier to find...

    Social Engineering mike smith -- 16/10/09 (in reply to #320382027)

    For the one word answers.

    I ring you up, pretend to be some bank, utility, etc.
    Me: "Am I speaking to <full name>?"
    You: yes
    Me: "This is <name> from <institution>. To verify your identity, I need to ask you some questions."

    Address, date of birth: at this point I can get practically anything out of you. All without proving any kind of ID on my part. Most utilities/banks are doing this now, and it's wrong. Further, the number they dial from has its caller ID stripped.

    NAB should strengthen passwords first Anonymous -- 15/10/09 (in reply to #320381733)

    Password strength doesn't mean anything if people give away details via phishing, which I dare say would be the major reason people get compromised in the first place.

    Longer passwords do not add to security Anonymous -- 16/10/09 (in reply to #320381733)

    Passwords are not being compromised by brute force attacks attempting all the 6 or 8 letter words. You'll be locked out after no more than 6 attempts.

    Longer passwords (and different password rules between sites) encourage people to write their passwords down which actually weakens security.

    Passwords are compromised by phishing or key logging trojans where their length and complexity is irrelevant.

    Longer passwords are *easier* to remember mike smith -- 16/10/09 (in reply to #320386744)

    Pick a memorable sentence from your favourite movie, add some capitalisation to it that isn't hard for you to remember, maybe 2 numbers or so.

    eg "TheseArenttheDroids77!"

    I'm less than keen on voice authentication, after a couple of weeks of a cold, my voice is less than authentic.

    (No, this isn't my pw)

    Longer Passwords do add security Tom Dixon -- 16/10/09 (in reply to #320386744)

    I believe that this statement is incorrect, as the longer the password, the harder it is for someone to be able to guess or determine the password via brute force. On top of this, there are many password manager software apps that can be used so that you do not even need to remember the password, and they can be used to gain access to the relevant sites using the software installed to protect your passwords.

    ANZ doesn't offer 2FA Josh Daly -- 13/10/09

    Regarding all 4 big banks offering 2FA - I am an ANZ customer and I have never seen any offering of 2FA on their website. Just login and password.

    Re: ANZ doesn't offer 2FA Anonymous -- 13/10/09 (in reply to #320383625)

    I used to work at ANZ. For the 2FA, you will have to request it. It was deemed too expensive by the business to mass deploy.

    NAB eyes three-factor authentication Anonymous -- 16/10/09

    If someone can relatively easily hack my computer, steal my passwords and address book, and monitor my facebook info to get the "little things" about me and my history, then what is there to stop them from capturing a voice feed when I do authenticate myself and use it themselves to "prove" they are me?

    I'd imagine they would get the answers to the authentication wrong mike smith -- 16/10/09 (in reply to #320386739)

    example
    What... is your name
    Mike
    What... is your favourite colour?
    Blue

    Second time, impersonator
    What... is your name
    Mike
    <so far, so good>
    What... is the capital of Assyria?
    I don't know that! Auuuuuuuugh!

    (love it when I can use a Monty Python quote)
