
Online banking is incredibly convenient for customers and extremely cost-effective for banks. Unfortunately, "phishing" and "pharming" are threatening to eliminate those cost savings and to destroy trust in online banking. Recognizing this, the FFIEC, which consists of the FDIC, the OCC, the NCUA, the FRB and the OTS, has issued guidance requiring two-factor authentication for online banking by the end of 2006.

Phishing consists of sending out fake e-mails that attempt to dupe users into entering their confidential information into phony web sites. Phishers have improved from the early days of e-mails with misspellings. They now grab the look and feel of their e-mails from the targeted web site. Pharming is a form of DNS poisoning combined with setting up a fake web site to redirect users without even sending them an e-mail. It is a powerful attack in that neither the end-users nor the targeted web site know that the attack has occurred; only the ISP's DNS server has actually been attacked.

Both of these attacks can be prevented by a user savvy enough to validate the SSL certificate of the web site. Unfortunately, few users are that sophisticated, and the phishers have become adept at faking SSL certificate validation with various pop-ups and similar tricks. A better solution is to use two-factor authentication.

Of course, sending hardware tokens or key fobs to millions of customers who signed up for free checking would be prohibitively expensive. Further, a symmetric hardware or software token, such as SecurID, is only capable of one relationship. Would each user have to carry 5-10 tokens? Replacement of lost tokens adds to their cost. Further, one-time-password tokens don't have the intelligence to help spot a pharming attack.

WiKID Strong Authentication is the perfect antidote for phishing. As a software-based two-factor authentication system, distribution costs are almost zero and initial validation can be automated. Because we use public key cryptography, one WiKID Strong Authentication client can work across multiple WiKID servers across multiple companies with no reduction in security, so a user who is both a corporate and personal banking customer wouldn't have to carry two tokens. However, a user could set up two tokens, one from work and one from home. Further, the WiKID PC client could easily be extended to direct the customer to the correct SSL-encrypted Web site and to validate that certificate.
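One way the certificate check described above could be automated by a client, shown as an added example that is not WiKID's code or part of the original page: the client compares the fingerprint of the certificate a site presents with one recorded at enrolment. The host names, function names and certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der(hostname: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate (DER). CA and hostname checks still apply."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(hostname: str, presented_der: bytes, pins: dict) -> str:
    """Compare the presented certificate with the fingerprint enrolled for hostname.

    The decision depends only on the certificate bytes, never on which IP
    address DNS returned, so a poisoned DNS answer cannot change the outcome.
    """
    expected = pins.get(hostname.lower().rstrip("."))
    if expected is None:
        return "unknown-site"  # never enrolled: do not send credentials
    if hmac.compare_digest(fingerprint(presented_der), expected):
        return "ok"
    return "mismatch"  # right name, wrong certificate


# Constructed stand-ins for DER certificates (not real certificates).
GENUINE_DER = b"constructed-der-bytes-of-the-bank-certificate"
IMPOSTOR_DER = b"constructed-der-bytes-of-a-look-alike-certificate"

# Fingerprint recorded at enrolment over a trusted channel (hypothetical host).
PINS = {"bank.example": fingerprint(GENUINE_DER)}

if __name__ == "__main__":
    # Pharming case: the name is correct but the server behind it is not.
    print(check_site("bank.example", GENUINE_DER, PINS))
    print(check_site("bank.example", IMPOSTOR_DER, PINS))
    # Phishing case: a look-alike name that was never enrolled.
    print(check_site("bank-example.test", IMPOSTOR_DER, PINS))
```

Against a live site, `fetch_der` supplies the bytes passed to `check_site`; the pinned fingerprint has to be refreshed whenever the site rotates its certificate.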

Online Banking Problems

  • Increasing concern over fraud, "phishing"
  • DNS-cache poisoning and other 'pharming' techniques
  • Session hijacking trojans
  • Consumers increasingly unwilling to transact online
  • Competitive forces dictate a 'free' solution for end-users

WiKID Benefits

  • Use WiKID two-factor authentication for both sessions and for transactions - thwarting session hijacking trojans
  • WiKID's unique request-response architecture thwarts DNS-cache poisoning
  • Strong Authentication that is significantly less expensive than tokens, key fobs or smart cards
  • No additional hardware or key fob to distribute
  • Self-service set up for end-users
  • Only one token for multiple services
  • WiKID Strong Authentication is highly scalable and fault-tolerant
  • Co-branded two-factor client for no extra charge


Copyright © WiKID Systems, Inc. 2024 | Two-factor Authentication