The Commonwealth Bank of Australia (CBA) has commenced a final roll-out of two-factor authentication (2FA) systems that will see 400,000 customers of its NetBank internet banking service upgraded to the secure log-in technology.
2FA systems improve the security of web applications by
insisting on the use of a user's password and a second password
generated specially for each session. The second password is
delivered to a device that users of an online service already
possess. CBA delivers its one-time passwords by SMS. Other 2FA
solutions rely on a "token" — a device with a small numeric keypad
and screen — that generates passwords.
CBA insists that its customers use 2FA when transferring funds
to an external account they have not used before. 2FA is also
required when changing name and address details online. Both
scenarios rely on 2FA to prevent criminals stealing money from
NetBank customers' accounts by transferring it to their own
banks.
"We have 2.8 million to 3 million active NetBank customers,"
said Drew Unsworth, CBA's general manager for online banking. According to Unsworth, 2.6
million of those already had 2FA built into
NetBank. All but 100,000 use SMS-based 2FA, with the remainder
using tokens for reasons of preference or circumstances like
workers in secure facilities where mobile phones are
prohibited.
Unsworth said only 30 per cent of CBA customers received a 2FA SMS
message each month, while token users received only 1.7 a month on
average.
Yet the bank is pressing ahead with its roll-out as it feels the
added security that it offers its customers is justified and appreciated,
hence the push to the final 400,000 customers not already using
2FA.
Unsworth said the final roll-out was proceeding at 100,000
customers a week and would be complete by January. It's a timing issue, he said: "We paused it for a while as part
of our internet banking upgrade and now we have resumed the
program."
The bank will not, however, push further into 2FA by adopting
tokens. Unsworth said the bank felt SMS offered more-than-adequate
security and a superior customer experience, as the SMS format
allows for information about transactions to be sent alongside the
one-time password. "We can tell customers: 'This is a transaction
for $100' and they appreciate that," Unsworth said.
The bank is notifying customers of the new service with an email that
mentions a new message in the inbox of their NetBank accounts, a
method of communication Unsworth said was generating a stronger
response rate than snail mail.
He said he felt that customers' strong take-up rate of 2FA showed
that CBA customers have become mature in their ability to assess
phishing emails.
"I think our customers are well educated about phishing," he
said. "We have an email address, hoax@cba.com.au, which we ask
customers to use when they see suspicious email. We received 20,000
emails on a peak day from customers. Our customers are very well
trained to see when something is suspicious."
"We are looking at new and different ways to use it," Unsworth
said. "We can target it down to groups of 1000 customers."
"There are lots of different schools of thought around how we
email. Some are compliance mails and we are making an effort to
make those far more interesting than they are today. We want to
give people more information, more context," he said.