The mobile phone -- a sensible authentication device
By Pat GRAY
There's been even more talk about tokens in Internet banking solutions.
These nifty tokens -- which slip onto your key-ring -- generate a numerical password every 30 seconds, displayed on a small LCD panel, that stays synchronised with the bank. So even if someone has your username and password, they can't access your account without your token.
Unfortunately, there's already been an "inline" attack that demonstrated the uselessness of tokens. Phishing gangs targeting Citibank customers in the US simply asked victims to input their token password as well. The token password was passed -- in real time -- to the bank. The poor suckers' accounts were drained immediately.
Sending one-time SMS passwords to users seems more logical. But I think the trick has more to do with when to send the authentication challenge.
If banks started texting single-use passwords every time a user wanted to transfer money out of their accounts, fraud would be significantly reduced. It would render the phishing techniques used to snare victims completely obsolete.
Even if phishers obtained a user's username and password, a message hitting that user's phone saying "Enter password x7hskf to transfer $167 to account 04666 19372. This is not a test. Your money will be transferred." would surely set the alarm bells ringing in the target's mind.
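An added example, not code from the column: a constructed Python sketch of the transaction-bound challenge described above, in which the one-time code is derived from the exact amount and destination the customer sees in the text message. The server key, account numbers, code alphabet and five-minute validity window are assumptions; the point it shows is that a code relayed by a phisher in real time cannot authorise a transfer to a different account or for a different amount.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment keeps this in an HSM or secrets store.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
CODE_TTL_SECONDS = 300  # assumed lifetime of one challenge

# Standard base32 alphabet (32 symbols), so a 5-bit index per byte has no modulo bias.
_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def _derive_code(key, user_id, amount_cents, dest_account, nonce, issued_at):
    """HMAC every field the customer must confirm, then shorten to a typeable code."""
    msg = f"{user_id}|{amount_cents}|{dest_account}|{nonce}|{issued_at}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return "".join(_ALPHABET[b & 31] for b in digest[:6])


def issue_challenge(key, user_id, amount_cents, dest_account, now=None):
    """Bank side: create the pending-transfer record and the SMS text for the customer.

    The 'code' field is returned only so the demo can play the customer typing it in;
    in a real system it leaves the server solely inside the SMS.
    """
    issued_at = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)  # stored against the pending transaction
    code = _derive_code(key, user_id, amount_cents, dest_account, nonce, issued_at)
    sms = (f"Enter password {code} to transfer ${amount_cents / 100:.2f} "
           f"to account {dest_account}. This is not a test. "
           "Your money will be transferred.")
    return {"nonce": nonce, "issued_at": issued_at, "sms": sms, "code": code}


def verify_transfer(key, user_id, amount_cents, dest_account, nonce, issued_at,
                    submitted_code, now=None):
    """Bank side: recompute the code for the transfer actually being submitted.

    Because amount and destination are inputs to the HMAC, a code the customer
    typed for one transfer is useless for any other, even if relayed instantly.
    """
    now = int(now if now is not None else time.time())
    if now - issued_at > CODE_TTL_SECONDS:
        return False  # stale challenge
    expected = _derive_code(key, user_id, amount_cents, dest_account, nonce, issued_at)
    return hmac.compare_digest(expected, submitted_code)
```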
This could get a little tricky for users when they're overseas and don't have their mobile phones on them, but surely banks could allow users to switch off the extra authentication for $10 a month. That would provide an incentive for customers to use the authentication, and would probably cover the cost of fraud affecting travellers' accounts.
Why aren't we seeing systems like these? Perhaps the cost of provisioning a system like this runs higher than paying the fraudsters.
3 comments
Another worry is that banks tend to start by offering services for free, and then they start charging. How long will it take before there's an extra 20c on each transaction to cover the SMS cost? Remember, this is to protect the bank, not you. Sure, you are inconvenienced if someone else drains your account, but it's up to the bank to make good if they let that happen, just as if they cashed a cheque with a forged signature.
This is an interesting idea, and I think that you are right in suggesting that it would drastically reduce the possibility of fraud. It is curious to me, though, that the technology that is meant to make our lives easier often winds up making it more difficult. I am not that old, but I still remember a time when you could simply go down to the bank and retrieve your money. Granted, laptops and cells were meant to make that process faster and easier and to give us the ability to do it from anywhere. Yet we have to keep dozens of different passwords in our heads, or go through a long process of emailing back and forth before we can get our hands on anything. The real problem with digital technology is that it does exactly what it was designed to do. It allows us to collect and store information of incredible size and provides almost instantaneous access to that information. The problem is, when you put that much information together and make it so readily accessible, it can be retrieved just as quickly and in just as big amounts by those who wish to do harm.
Here's the central problem: technology, as Einstein noted many years ago, is morally neutral. In other words, it can always be used in both positive and negative ways. The whole purpose of the information revolution is to make exponentially more information available at incredible rates of speed and in as easy a manner as possible. For the average consumer or citizen, this is a clear benefit. It means we can check our stocks, find a local restaurant that serves vegetarian dishes, and look up old classmates. Yet it is equally useful to those who would seek to do harm. Just as with atom bombs, there is always the possibility that someone will be able to utilize this technology for negative purposes. What this means is that no backup or safety measure will ever be fool-proof. The only way to completely ensure that our information will remain safe is to eliminate technology altogether.
Patrick Gray is an IT security expert, so we can't show you his face for your own protection. Each week he delves into technology's dark underbelly to see what lurks in the shadows.