CBA finalising second-factor roll-out

The Commonwealth Bank of Australia (CBA) has commenced a final roll-out of two-factor authentication (2FA) systems that will see 400,000 customers of its NetBank internet banking service upgraded to the secure log-in technology.


2FA systems improve the security of web applications by insisting on the use of a user's password and a second password generated specially for each session. The second password is delivered to a device that users of an online service already possess. CBA delivers its one-time passwords by SMS. Other 2FA solutions rely on a "token" — a device with a small numeric keypad and screen — that generates passwords.

CBA insists that its customers use 2FA when transferring funds to an external account they have not used before. 2FA is also required when changing name and address details online. Both scenarios rely on 2FA to prevent criminals from stealing money from NetBank customers' accounts by transferring it to their own banks.

"We have 2.8 million to 3 million active NetBank customers," said Drew Unsworth, CBA's general manager for online banking. According to Unsworth, 2.6 million of those already had 2FA built into NetBank. All but 100,000 use SMS-based 2FA, with the remainder using tokens for reasons of preference or circumstances such as working in secure facilities where mobile phones are prohibited.

Unsworth said only 30 per cent of CBA customers received a 2FA SMS message each month, while token users received only 1.7 a month on average.

Yet the bank is pressing ahead with its roll-out as it feels the added security that it offers its customers is justified and appreciated, hence the push to the final 400,000 customers not already using 2FA.

Unsworth said the final roll-out was proceeding at 100,000 customers a week and would be complete by January. It's a timing issue, he said: "We paused it for a while as part of our internet banking upgrade and now we have resumed the program."

The bank will not, however, push further into 2FA by adopting tokens. Unsworth said the bank felt SMS offered more-than-adequate security and a superior customer experience, as the SMS format allows for information about transactions to be sent alongside the one-time password. "We can tell customers: 'This is a transaction for $100' and they appreciate that," Unsworth said.
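To make the mechanism described above concrete, here is an added example, not the bank's code and not from the article, of the server side of such a step-up: the rule that triggers a second factor (a transfer to a payee not used before, or a change of contact details), the issue of a session-specific one-time code, and the SMS text that carries the transaction details alongside that code so the customer can recognise a transfer they did not initiate. The code length, the five-minute lifetime, the attempt limit and the account-number format are assumptions; the article states none of them. The example also goes one step beyond the article by binding the code to the exact transfer it was issued for, so a code obtained for a $100 transfer cannot approve a different amount or payee.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values: the article gives no code length, lifetime or attempt limit.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass(frozen=True)
class Transfer:
    customer_id: str
    payee_account: str   # destination account (format is an assumption)
    amount_cents: int


@dataclass
class PendingChallenge:
    otp: bytes       # the one-time password delivered by SMS
    binding: bytes   # fingerprint of the transfer this code confirms
    issued_at: float
    used: bool = False
    attempts: int = 0


def needs_second_factor(transfer, known_payees, details_changed=False):
    """Step-up rule as the article describes it: 2FA for a transfer to an
    external account the customer has not paid before, and for name or
    address changes."""
    return details_changed or transfer.payee_account not in known_payees


def transfer_binding(transfer):
    """Hash of exactly what the customer is being asked to confirm."""
    msg = f"{transfer.customer_id}|{transfer.payee_account}|{transfer.amount_cents}"
    return hashlib.sha256(msg.encode()).digest()


class OtpService:
    """Illustrative server side of an SMS one-time-password step-up."""

    def __init__(self, now=time.time, rng=secrets.randbelow):
        self._now = now        # injectable clock (for tests)
        self._rng = rng        # injectable randomness (for tests)
        self._pending = {}     # customer_id -> PendingChallenge

    def issue(self, transfer):
        """Generate a fresh code bound to this transfer and return the SMS text.
        The message states the amount and payee next to the code, as the
        article says CBA's SMS messages do."""
        otp = f"{self._rng(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[transfer.customer_id] = PendingChallenge(
            otp.encode(), transfer_binding(transfer), self._now())
        amount = transfer.amount_cents / 100
        return (f"NetBank code {otp} confirms a transfer of ${amount:,.2f} "
                f"to account ending {transfer.payee_account[-4:]}.")

    def verify(self, transfer, submitted):
        """Accept a code only once, only before it expires, only for the
        transfer it was issued for, and only within the attempt limit."""
        ch = self._pending.get(transfer.customer_id)
        if ch is None or ch.used:
            return False
        if self._now() - ch.issued_at > OTP_TTL_SECONDS:
            del self._pending[transfer.customer_id]   # stale code is discarded
            return False
        # Both comparisons run in constant time and both are always evaluated,
        # so response timing does not reveal which check failed.
        code_ok = hmac.compare_digest(ch.otp, submitted.encode())
        bind_ok = hmac.compare_digest(ch.binding, transfer_binding(transfer))
        if code_ok and bind_ok:
            ch.used = True          # single use
            return True
        ch.attempts += 1
        if ch.attempts >= MAX_ATTEMPTS:
            del self._pending[transfer.customer_id]   # stop online guessing of a 6-digit code
        return False
```

The point of `transfer_binding` is that the SMS text and the server's check agree: what the customer reads ("$100 to account ending 5678") is exactly what the code will authorise, and nothing else. Expiry, single use and the attempt cap are the defences that keep a short numeric code adequate for this purpose.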

The bank is notifying customers of the new service with an email that mentions a new message in the inbox of their NetBank accounts, a method of communication Unsworth said was generating a stronger response rate than snail mail.

He said he felt that customers' strong take-up rate of 2FA showed that CBA customers have become mature in their ability to assess phishing emails.

"I think our customers are well educated about phishing," he said. "We have an email address hoax@cba.com.au — which we ask customers to use when they see suspicious email. We received 20,000 emails on a peak day from customers. Our customers are very well trained to see when something is suspicious."

"We are looking at new and different ways to use it," Unsworth said. "We can target it down to groups of 1000 customers."

"There are lots of different schools of thought around how we email. Some are compliance mails and we are making an effort to make those far more interesting than they are today. We want to give people more information, more context," he said.