Online banking is incredibly convenient for customers and extremely cost-effective for banks. Unfortunately, "phishing" and "pharming" are threatening to eliminate those cost savings and to destroy trust in online banking. Recognizing this, the FFIEC, which consists of the FDIC, the OCC, the NCUA, the FRB and the OTS, has issued guidance requiring two-factor authentication for online banking by the end of 2006.
Phishing consists of sending out fake e-mails that attempt to dupe users into entering their confidential information into phony websites. Phishers have improved since the early days of e-mails full of misspellings; they now copy the look and feel of their e-mails from the targeted Web site. Pharming is a form of DNS poisoning combined with a fake web site: users are redirected to the fake site without ever being sent an e-mail. It is a powerful attack in that neither the end users nor the targeted web site know that the attack has occurred, since only the ISP's DNS server has actually been attacked.
Both of these attacks can be prevented by a user savvy enough to validate the SSL certificate of the web site. Unfortunately, few users are that sophisticated, and phishers have become adept at faking SSL certificate validation with various pop-ups and similar tricks. A better solution is to use two-factor authentication.
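The checks a savvy user (or a client program acting for the user) performs when "validating the SSL certificate" boil down to three questions: is the certificate issued for the hostname the user meant to reach, was it issued by a certificate authority the user trusts, and is it currently valid? The following is an added example, not WiKID code or any part of the original page; the certificate dictionaries, hostnames, CA names and dates are all constructed, in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. It models a phishing site (a lookalike hostname with a self-signed certificate) and a pharming site (the real hostname, reached via a poisoned DNS answer, presenting a certificate from an untrusted issuer), and shows which check catches each.

```python
"""Client-side TLS certificate checks against phishing and pharming.
Added example with constructed data; not code from WiKID or the original page."""
import ssl
from datetime import datetime, timezone

NOW = datetime(2006, 6, 15, tzinfo=timezone.utc)  # constructed "current time"
TRUSTED_ISSUERS = {"Example Trusted CA Root"}      # constructed trust store

# Constructed certificate for the genuine banking site.
LEGIT_CERT = {
    "subject": ((("commonName", "online.examplebank.test"),),),
    "issuer": ((("commonName", "Example Trusted CA Root"),),),
    "subjectAltName": (("DNS", "online.examplebank.test"),
                       ("DNS", "www.examplebank.test")),
    "notBefore": "Jan 01 00:00:00 2006 GMT",
    "notAfter": "Dec 31 23:59:59 2007 GMT",
}

# Phishing: a lookalike hostname with a self-signed certificate.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "online.examplebank-secure.test"),),),
    "issuer": ((("commonName", "online.examplebank-secure.test"),),),
    "subjectAltName": (("DNS", "online.examplebank-secure.test"),),
    "notBefore": "Jan 01 00:00:00 2006 GMT",
    "notAfter": "Dec 31 23:59:59 2007 GMT",
}

# Pharming: the real hostname (DNS answer was poisoned), but the certificate
# comes from an issuer that is not in the trust store.
PHARMED_CERT = {
    "subject": ((("commonName", "online.examplebank.test"),),),
    "issuer": ((("commonName", "Homegrown CA"),),),
    "subjectAltName": (("DNS", "online.examplebank.test"),),
    "notBefore": "Jan 01 00:00:00 2006 GMT",
    "notAfter": "Dec 31 23:59:59 2007 GMT",
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost position only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # "*.examplebank.test" matches "www.examplebank.test" but not
    # "examplebank.test" or "a.b.examplebank.test".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for (SAN first, CN only as fallback)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def issuer_cn(cert: dict):
    """Common name of the issuing CA, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def validate_peer_cert(cert: dict, expected_hostname: str,
                       trusted_issuers: set, now: datetime = NOW) -> list:
    """Return a list of problems; an empty list means the certificate passes."""
    problems = []
    if not any(hostname_matches(name, expected_hostname) for name in cert_names(cert)):
        problems.append("hostname mismatch")
    if issuer_cn(cert) not in trusted_issuers:
        problems.append("untrusted issuer")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now.timestamp() <= not_after):
        problems.append("outside validity period")
    return problems


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("phishing", LOOKALIKE_CERT),
                        ("pharming", PHARMED_CERT)):
        print(label, validate_peer_cert(cert, "online.examplebank.test", TRUSTED_ISSUERS))
```

The `expected_hostname` is the name the client was configured to reach, not whatever name the user happened to type, which is what makes the lookalike fail even though its certificate is internally consistent. In a real deployment the issuer check would be a full chain validation against a trust store rather than a name lookup; the structure of the decision is the same.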
Of course, sending hardware tokens or key fobs to millions of customers who signed up for free checking would be prohibitively expensive. Further, a symmetric hardware or software token, such as SecurID, is only capable of one relationship: would each user have to carry 5-10 tokens? Replacement of lost tokens adds to their cost. Further, one-time-password tokens don't have the intelligence to help spot a pharming attack.
WiKID Strong Authentication is the perfect antidote for phishing. As a software-based two-factor authentication system, its distribution costs are almost zero and initial validation can be automated. Because we use public key cryptography, one WiKID Strong Authentication client can work across multiple WiKID servers at multiple companies with no reduction in security, so a user who is both a corporate and a personal banking customer wouldn't have to carry two tokens. A user could, however, still set up two tokens, one from work and one from home. Further, the WiKID PC client could easily be extended to direct the customer to the correct SSL-encrypted Web site and to validate that site's certificate.
Online Banking Problems