National Australia Bank is confident that it has the tools it needs to leapfrog rivals by adopting three-factor authentication, adding an extra means of security to the normal two factors most Australian banks offer customers to secure their transactions.
Two-factor authentication improves on passwords by insisting that customers logging on to websites use something they know — their password — and something they have, usually a one-time password that users are sent by SMS. Another common source of one-time passwords is a "token", a small, electronic password-generating device that uses a pre-determined algorithm to generate codes unique to particular sites or services.
Tokens can be as simple as a small screen that displays an ever-changing sequence of numbers. Other tokens offer a keypad, so that users can enter a passphrase before one-time passwords are displayed. This kind of paranoia is common in the world of tokens, as typified by token pioneer RSA's offering of a token (since discontinued) with a battery made of mercury, a precaution that deprived the device of the electricity needed to function if hackers attempted to open the device.
The bank told ZDNet.com.au that 75 per cent of personal banking transactions, by value, were now protected by one-time passwords delivered by SMS. NAB added that it planned to require business banking customers to use two-factor authentication for some transactions. "Customers will be required to use 2FA to perform transactions above certain limit thresholds," a spokesperson said.
The bank is also considering the introduction of a third authentication factor, in the form of voiceprints. NAB introduced voice authentication to its call centres in June 2009, with the technology being used to identify callers to its phone banking systems as a way to improve the customer experience while also guarding against identity fraud.
A NAB spokesperson said the infrastructure in place for that solution "... could be leveraged to provide a 3FA solution for internet banking, including an improved customer experience for mobile banking".
NAB's interest in adding the third authentication factor is likely driven by its good experiences with two-factor authentication.
"The NAB SMS security and token-based solutions have proven effective in reducing the fraud risk and giving our customers the ability to bank online with confidence," the bank's spokesperson wrote.
Two-factor authentication has long been a favourite of the industry, which values it as a way to improve security of virtual private networks and other facilities providing access to sensitive information.
Banks value the technology as a way to make it harder for criminals to access bank accounts with a password alone, a common exploit enabled by social engineering attacks such as phishing. Banks also use two-factor authentication to verify individual transactions, with the one-time password used to verify that the person initiating a transaction is aware it is taking place.
Legitimate customers in possession of a one-time password therefore authenticate themselves in real time before transactions such as large transfers from their accounts, a tactic that makes it harder for criminals to conduct fraudulent transactions.
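The two mechanisms the article describes, a token that derives codes from a pre-determined algorithm and a one-time password used to confirm a specific transaction, can be shown in working code. The example below is added here and is not NAB's code or any bank's scheme: the `hotp` function implements the standard HMAC-based one-time password algorithm (RFC 4226, the kind of counter-based code a display-only token produces), while `transaction_otp` is a hypothetical, illustrative variant that mixes the transaction details into the HMAC input so a code issued for one transfer cannot be reused for a different payee or amount. The secret is the RFC 4226 test-vector key, and the transfer descriptions are constructed sample data.

```python
import hmac
import hashlib
import struct

# Constructed demo secret: the RFC 4226 test-vector key, ASCII "12345678901234567890".
# A real token holds a per-device secret provisioned by the bank.
DEMO_SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes at an offset taken from the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_otp(secret: bytes, counter: int, details: str, digits: int = 6) -> str:
    """Hypothetical transaction-bound code (illustration, not a bank's scheme): the
    transaction details are part of the HMAC input, so the code only verifies for the
    transfer the customer actually saw."""
    msg = struct.pack(">Q", counter) + details.encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


class OtpVerifier:
    """Server-side state for one customer: the last accepted counter plus a small
    look-ahead window (the token may have been pressed without a login). Each counter
    value is accepted at most once, which is what defeats replay of a captured code."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def _try(self, candidate_for, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(candidate_for(c), code):
                self.last_counter = c   # consume this counter and everything before it
                return True
        return False

    def verify_login(self, code: str) -> bool:
        return self._try(lambda c: hotp(self.secret, c), code)

    def verify_transaction(self, code: str, details: str) -> bool:
        return self._try(lambda c: transaction_otp(self.secret, c, details), code)


def demo() -> dict:
    """Walk through a login and a transfer with constructed sample data."""
    server = OtpVerifier(DEMO_SECRET)
    token_counter = 0                      # state kept inside the customer's token

    login_code = hotp(DEMO_SECRET, token_counter)
    token_counter += 1
    first_login = server.verify_login(login_code)
    replayed_login = server.verify_login(login_code)      # same code again: rejected

    intended = "transfer 5000.00 AUD to BSB 000-000 acct 12345678"   # constructed
    tampered = "transfer 5000.00 AUD to BSB 000-000 acct 87654321"   # constructed
    txn_code = transaction_otp(DEMO_SECRET, token_counter, intended)
    token_counter += 1
    tampered_accepted = server.verify_transaction(txn_code, tampered)  # altered payee
    intended_accepted = server.verify_transaction(txn_code, intended)

    return {
        "first_login": first_login,
        "replayed_login": replayed_login,
        "tampered_accepted": tampered_accepted,
        "intended_accepted": intended_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

The look-ahead window and the "consume the counter" rule are the two server-side details that matter most: without the window, a single unused button press desynchronises the token; without consuming the counter, a code observed in transit can be replayed, which removes the benefit of the second factor.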
Australia's four big banks all offer two-factor authentication, with NAB launching SMS-based two-factor authentication for personal internet banking customers in 2005. The bank has since added, and mandated, token-based authentication for customers of its online business banking service.