Out-Law News 2 min. read
18 Apr 2005, 4:02 pm
Anti-fraud firm Cyota explains that if the transaction is then verified, its eSphinx system updates its user profile so as not to red-flag that particular behaviour at a later date.

Banks risk losing their on-line customers unless they change consumer perceptions that internet banking is unsafe. A survey by Forrester Research published last month suggests that only 30% of European internet users are confident of the security of personal financial information on-line.

But Cyota recommends against the use of authentication devices to combat common phishing attacks and new emerging threats – despite a recommendation in Forrester's report for the immediate deployment of such hardware.

Devices such as tokens, biometrics and smartcards only authenticate users at the point of entry, and provide no protection once fraudsters gain access to an account – which one must assume they will, says Cyota. Instead, banks and financial institutions need to take a layered approach to security, including prevention, strong authentication and fraud management.

At the moment the majority of security providers rely on usernames and passwords and a request for extra information, such as your mother's maiden name, before giving access to a secure site.

However, this type of security system has been shown to be ineffective and can easily be exploited by a phishing attack – where an e-mail from an attacker lures a recipient to a web site that purports to be his bank's site. This security information is requested and then fed by the attacker into the genuine site of the victim's bank.

A popular suggestion is to add another layer of authentication, where the user is asked for something he knows as well as something he possesses (such as a device that displays a unique password that changes every minute); or something he is (using biometrics, such as a fingerprint or iris scan).

But such two-factor authentication systems have been the subject of recent debate in the industry.

Security expert Bruce Schneier recently wrote that banks will spend millions deploying two-factor authentication tokens. "Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets," said Schneier, "but in the end there will be a negligible drop in the amount of fraud and identity theft."

According to Amir Orad, Cyota's executive vice president of marketing, this type of hardware-based solution tends to be cumbersome, expensive and difficult to deploy. He added: "they typically solve yesterday's fraud problems, such as phishing, but not the emerging threats such as Trojans and man-in-the-middle attacks."

Cyota's eSphinx solution assesses on-line banking activities using a customer profile. If its software detects potential fraud by gross deviations from established on-line banking behaviours – for example, by logging in from obscure locations or emptying an account – the system will call the user and ask them to provide additional authentication. Once the transaction is verified, the system will learn from the new behaviour and update the customer profile to avoid triggering similar alerts in the future.

Cyota claims that the system is a low-cost alternative to hardware-based strong authentication solutions, and is completely invisible to 95% of accountholders, allowing banks to improve security without compromising usability.
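An added illustration, not Cyota's code (the article does not describe how eSphinx actually scores activity), of the profile-based flow described above: a transaction is checked against a per-customer baseline, gross deviations such as an unfamiliar location or an account being emptied trigger a step-up check, and verified behaviour is folded back into the profile so the same pattern is not flagged again. The profile fields, thresholds and the `step_up_verified` callback are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Per-customer baseline built from previously verified activity (assumed fields)."""
    known_countries: set = field(default_factory=set)
    max_seen_amount: float = 0.0


@dataclass
class Transaction:
    country: str          # where the session originated (constructed value)
    amount: float         # amount being moved out of the account
    balance_before: float


def assess(profile, tx, drain_ratio=0.9, amount_factor=3.0):
    """Return the reasons this transaction deviates grossly from the profile (empty = normal)."""
    reasons = []
    if profile.known_countries and tx.country not in profile.known_countries:
        reasons.append("unfamiliar location")
    if tx.balance_before > 0 and tx.amount / tx.balance_before >= drain_ratio:
        reasons.append("empties account")
    if profile.max_seen_amount and tx.amount > amount_factor * profile.max_seen_amount:
        reasons.append("amount far above baseline")
    return reasons


def learn(profile, tx):
    """Fold verified behaviour into the baseline so it is not red-flagged next time."""
    profile.known_countries.add(tx.country)
    profile.max_seen_amount = max(profile.max_seen_amount, tx.amount)


def process(profile, tx, step_up_verified):
    """step_up_verified(tx, reasons) stands in for the out-of-band call to the customer (assumption)."""
    reasons = assess(profile, tx)
    if not reasons:
        learn(profile, tx)
        return "allowed"
    if step_up_verified(tx, reasons):
        learn(profile, tx)
        return "allowed after step-up"
    return "blocked"


def demo():
    """Constructed sequence: new country is challenged once, then accepted; a draining transfer is declined."""
    p = Profile(known_countries={"GB"}, max_seen_amount=200.0)
    return [
        process(p, Transaction("GB", 150.0, 2000.0), lambda tx, r: False),   # normal, no challenge
        process(p, Transaction("RU", 100.0, 2000.0), lambda tx, r: True),    # challenged, customer confirms
        process(p, Transaction("RU", 120.0, 2000.0), lambda tx, r: False),   # RU now in profile: silent
        process(p, Transaction("GB", 1900.0, 2000.0), lambda tx, r: False),  # drains account, not confirmed
    ]
```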