I recently received a nice letter from my bank explaining that I was going to have to get used to a new way of conducting online banking. It seems that a group of regulators called the Federal Financial Institutions Examination Council is requiring that banking websites implement so-called “two-factor authentication” (T-FA) schemes by the end of the year.
T-FA is a way to strengthen authentication (or, “signing on”) by requiring more than mere user names and passwords, which criminals have guessed, stolen, hacked and cracked over the years to steal untold billions of dollars.
The basic concept of T-FA is to require, when signing on to a website, a combination of two factors: something that you know (a user name and password) and something that you have. It’s the “something that you have” factor that adds the extra layer of security, and that end of the scheme has been left up to individual banks to determine. Some banks are issuing hardware “smart cards” and readers to their customers, which, after the customer enters their user name and password, must be swiped through the card reader before they are allowed to sign on. Other banks are issuing USB “dongles” or “tokens” which plug into the customer’s computer and perform a similar function. Other options include biometric technologies, such as fingerprint readers.
My bank chose the cheap way out by issuing a “two-factor matrix,” which they email to customers. The fancy term “two-factor matrix” is really nothing more than tech-speak for a chart made up of rows of letters and numbers. Each time you sign on, after entering your user name and password, you are required to enter a different combination of characters from the chart. This is, in effect, a single-use password, as it must be different every time you sign on. It sounds complicated, but it’s not. It’s a technology not too far removed from a Little Orphan Annie Decoder Ring.
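To make the matrix-card mechanism concrete, here is an added Python example (not the bank’s software, and not code from the column) of the server side of that step: the bank generates a card of random characters, and at each sign-on, after the password check, it asks for the characters in a few randomly chosen cells, never repeating a combination it has already accepted and allowing one answer per challenge. The 8-row by 10-column layout, the three-cell challenge, and the session identifiers are assumptions; real cards vary by bank. Note what the check does and does not prove: a correct answer shows that whoever is typing can read the chart, but nothing ties the answer to the particular connection it arrives over, which is why the relay attacks described below still work against it.

```python
import hmac
import secrets
import string

# Assumed card layout: 8 rows (A-H) by 10 columns (1-10), one character per cell.
ROWS = "ABCDEFGH"
COLS = tuple(range(1, 11))
ALPHABET = string.ascii_uppercase + string.digits


def generate_card():
    """Fill every cell of a new card with a random character (what the bank prints/emails)."""
    return {(r, c): secrets.choice(ALPHABET) for r in ROWS for c in COLS}


def format_challenge(cells):
    """Render cells such as ('B', 4) as the prompt the customer sees, e.g. 'B4 F1 H9'."""
    return " ".join(f"{r}{c}" for r, c in cells)


def answer_from_card(card, cells):
    """What the customer does: read the challenged cells off the printed chart, in order."""
    return "".join(card[cell] for cell in cells)


class MatrixCardAuthenticator:
    """Server side of the matrix-card step, run after the user name and password have been checked."""

    def __init__(self, card, cells_per_challenge=3):
        self.card = card
        self.n = cells_per_challenge
        self.pending = {}   # session_id -> cells awaiting an answer
        self.used = set()   # cell combinations already answered correctly; never reissued

    def issue_challenge(self, session_id):
        """Pick n random cells for this session, avoiding any combination already used."""
        rng = secrets.SystemRandom()
        population = sorted(self.card)  # deterministic ordering of the cell keys
        cells = tuple(rng.sample(population, self.n))
        while cells in self.used:
            cells = tuple(rng.sample(population, self.n))
        self.pending[session_id] = cells
        return cells

    def verify(self, session_id, response):
        """Check the typed characters against the card; each challenge gets exactly one attempt."""
        cells = self.pending.pop(session_id, None)
        if cells is None:
            return False  # no outstanding challenge (or already consumed)
        expected = answer_from_card(self.card, cells).encode()
        given = response.strip().upper().encode()
        if not hmac.compare_digest(expected, given):
            return False
        self.used.add(cells)  # this combination is now spent
        return True


if __name__ == "__main__":
    card = generate_card()
    bank = MatrixCardAuthenticator(card)
    cells = bank.issue_challenge("session-1")
    print("Enter the characters at:", format_challenge(cells))
    typed = answer_from_card(card, cells)  # the customer reads them off the chart
    print("Accepted:", bank.verify("session-1", typed))
    print("Replay of the same challenge accepted:", bank.verify("session-1", typed))
```

Because the card is emailed as plain text, the whole grid is only as secret as the customer’s mailbox; the one-attempt rule and the no-reissue rule limit guessing and replay of individual answers, but they do nothing about an attacker who already holds the full chart.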
Still, this version of two-factor authentication is better than what my bank used to provide, even if it does seem a bit cheesy. However, even the most expensive T-FA solutions are still vulnerable to “trojan” and “man-in-the-middle” attacks, such as when a customer signs on to a fake bank website. Criminals simply forward the sign-on information to the bank’s real website, and loot the account. Alternatively, a customer inadvertently installs a malicious program called a “trojan,” which the criminal uses to piggyback onto the online banking session. At no time does the criminal even have to know either of the two sign-on factors.
I predict that two-factor authentication will be effective in slowing down online fraud for a year or two, and then banks will have to once again increase their security methods. Things could get so bad that we might even have to revert to the “old” days of actually visiting the bank in person to get our money.