Tokens no silver bullet for security: banks

Authentication tokens used for online transactions will not stop identity theft, banks have warned as they search for other measures to secure customer accounts.

Many banks already issue business customers password-generating tokens to access online accounts. However, the skill of modern identity thieves has some in the industry worried they will soon work out how to penetrate such two-factor authentication.

"One of the biggest challenges is the continuing change in methods of attack," David Harley, senior manager, fraud prevention and control, Bendigo Bank, told a finance technology conference.

"The crooks that we face have no limit on their R&D budget. If they want something they don't have to go through a business portal, they don't have to go to an architecture and estimation committee, and they don't have to go in six month release cycles."

Bendigo first issued tokens two years ago to customers with accounts of more than AU$5,000.

This failed to stop identity thieves, however. Miscreants found other means to get around the improved measures.

"What we found was there was then a lot of [phishing] focus on customers under AU$5,000," said Harley.

"We recognise that whatever level we put the tokens in at, the crooks will go to the next level down, and they will try and do broader attacks."

Yet Bendigo still recommends all customers purchase one of its tokens, as it still offers the best protection on the market today.

Another bank using tokens for two-factor authentication is HSBC.

Liam Griffith, IT security manager at HSBC, said although the bank improved security with the tokens, it was looking for other measures too.

"[We are] looking at different ways that we can protect the customer in the future," he said.

"For us, two factor has a limited time span...we're trying to be proactive."

His comments were backed by general manager of e-commerce for the Commonwealth Bank, Marcus Judge, who said tokens could not guarantee online security.

"You can't ever absolutely be certain that people cannot steal your money from an Internet banking account. You can put it under your bed or bury it in a cave, but you can never be absolutely certain that somebody can't steal it," Judge said.

"We don't see two-factor authentication as a one shot panacea by any means, we see it as part of the mix, an important part of the mix."

A usability issue surrounding the tokens often compounds the problem, according to Bendigo's Harley.

"We've had a heap of people who've rung up and complained about the token because the token doesn't work," he said.

Some customers tried to generate passwords while the token was upside down, in which case "there's virtually no way known the token will work," he said.

Any new authentication measure had to account for different ways customers might use the technology, according to Harley.