Westpac: SMS authentication doesn't help security

SMS-based two factor authentication has been touted as a way of improving online banking security but Westpac's head of information security disagrees.
Written by Liam Tung, Contributing Writer


The National Australia Bank, Commonwealth Bank and HSBC currently offer their customers SMS-based two-factor authentication, in which customers receive a one-time password on their mobile phone and use it to verify a transaction. It seems Westpac is unlikely to go down the same path.

SMS-based authentication, in its current form, is less about security than about consumers' perceived level of safety, said Westpac's head of information security, Matthew Woodrow, at a Financial Times event called Securing the Bank, which was held in Sydney last week.

"It's not to do with security at all ... consumers have expectations of security levels while using their mobile phones to do their banking. So you're not thinking about security at all, but you're thinking about the product and what consumers want," said Woodrow.

Besides Westpac, St George, SunCorp and ANZ have also held back from adopting SMS-based verification systems for their customers.

One reason why some banks have resisted the adoption of token- or SMS-based authentication could be the emerging Europay, Mastercard and Visa (EMV) standard, which is tied to the release of contactless smartcards, according to James Turner, security analyst at Intelligent Business Research Services.

"Once EMV standards are accepted, Internet banking is going to move into that," said Turner.

While a token-based system is considered too expensive and complicated to be worth implementing for consumers, technology and standards flux should not prevent the adoption of SMS-based authentication as a temporary security measure, said Turner.

"No system the banks roll out will be foolproof, but we can't sit on our hands and do nothing. [SMS authentication] is much more straightforward to deploy than physical tokens -- and mobile phone penetration is massive. Also, the majority of people understand how to use SMS. From my perspective it's an elegant solution," said Turner.

A distinction should be made between using SMS to authenticate a transaction and using it to authenticate a login, said Turner. Transaction-based authentication is triggered only when a transaction is made, so even if someone has broken into a customer's account, the transaction proceeds only if the customer responds to the SMS issued by the bank.

"If I'm out at a cafe and receive an SMS from my bank, and I know that I have not made that transaction, it doesn't go ahead. So even if the password has been compromised, they can't make the transaction."
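To make the distinction Turner draws concrete, here is an added Python sketch of transaction-bound one-time codes. It is illustrative code written for this page, not code from Westpac, any other bank, or the original article; the class and field names, the demo key and the account numbers are all hypothetical. The point it shows is that the code in the SMS is derived from the specific transfer (payee and amount), is single-use and expires, so a stolen password alone cannot move money and a code phished for one transfer cannot be reused to pay a different payee.

```python
"""Transaction-bound SMS one-time codes. Added illustration, not any bank's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """The details the customer is asked to confirm (hypothetical fields)."""
    from_account: str
    payee_account: str
    amount_cents: int


class TransactionOtpService:
    """Issues a 6-digit code that is valid only for one specific transfer.

    Unlike a login OTP, the code is an HMAC over the transfer details, so a code
    captured for one transfer is useless for a different payee or amount.
    """

    def __init__(self, server_key: bytes, ttl_seconds: int = 180,
                 max_attempts: int = 3, clock=time.time):
        self._key = server_key
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock            # injectable so expiry can be tested offline
        self._pending = {}             # challenge_id -> [issued_at, failed_attempts]

    def _code_for(self, challenge_id: str, t: Transfer) -> str:
        msg = "|".join([challenge_id, t.from_account, t.payee_account,
                        str(t.amount_cents)]).encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, t: Transfer):
        """Start a challenge. Returns (challenge_id, sms_text); the bank would SMS the text."""
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = [self._clock(), 0]
        code = self._code_for(challenge_id, t)
        sms_text = (f"Code {code} confirms a transfer of ${t.amount_cents / 100:,.2f} "
                    f"to {t.payee_account}. If you did not request this, do not enter the code.")
        return challenge_id, sms_text

    def confirm(self, challenge_id: str, code: str, t: Transfer) -> bool:
        """Allow the transfer only if the code matches this transfer, is fresh and unused."""
        entry = self._pending.get(challenge_id)
        if entry is None:
            return False               # unknown, purged, or already used
        issued_at, attempts = entry
        if self._clock() - issued_at > self._ttl or attempts >= self._max_attempts:
            del self._pending[challenge_id]
            return False
        expected = self._code_for(challenge_id, t)   # bound to the transfer being submitted now
        if not hmac.compare_digest(expected, code):
            entry[1] += 1              # count the failure so codes cannot be brute-forced
            return False
        del self._pending[challenge_id]   # single use
        return True


def attack_scenarios():
    """Constructed scenario: the password is compromised but the customer keeps the phone."""
    now = [1_000.0]
    svc = TransactionOtpService(b"demo-key-not-for-production", clock=lambda: now[0])
    legit = Transfer("062-000 12345678", "032-001 98765432", 25_000)
    cid, sms = svc.issue(legit)
    code = sms.split()[1]              # the customer reads the code out of the SMS

    results = {}
    # 1. Attacker has the password but not the phone, so guesses the code.
    results["guess"] = svc.confirm(cid, "000000", legit)
    # 2. Attacker phished the code but tries to redirect the money to another payee.
    redirected = Transfer(legit.from_account, "012-003 11112222", legit.amount_cents)
    results["redirect"] = svc.confirm(cid, code, redirected)
    # 3. The customer confirms the transfer they actually made.
    results["legit"] = svc.confirm(cid, code, legit)
    # 4. Replaying the used code fails.
    results["replay"] = svc.confirm(cid, code, legit)
    # 5. A challenge left unanswered past the TTL expires.
    cid2, sms2 = svc.issue(legit)
    now[0] += 600
    results["expired"] = svc.confirm(cid2, sms2.split()[1], legit)
    return results


if __name__ == "__main__":
    print(attack_scenarios())
```

The SMS text deliberately states the payee and amount so that, as Turner describes, a customer reading it at a cafe can recognise a transaction they never made and simply not enter the code.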

Ray Stanton, BT's global head of business continuity, security and governance, said while two-factor authentication is "not for everyone", the issue is wrapped up in consumer confidence.

"If a bank wants to maintain credibility, then it has to do everything to maintain my confidence," Stanton told ZDNet Australia.
