Out-Law News

Banks need two-factor authentication urgently, says Forrester


Banks risk losing their on-line customers unless they change consumers' belief that internet banking is unsafe. And this transition involves deploying or strengthening two-factor authentication urgently, according to Forrester Research.
Benjamin Ensor, a senior analyst at Forrester, said: "Consumers' deep-seated security fears remain one of the biggest barriers to on-line banking use in Europe, particularly in countries like Italy, France, and the UK, where two-factor online banking authentication is rare or unknown. The more confidence net users have in security, the more likely they are to bank on-line."

To understand how security fears affect internet users' adoption of on-line banking, Forrester asked 22,907 Europeans how concerned they are about the privacy and security of their personal details in a range of situations.

Net users who worry about on-line security don't bank on-line, according to the research. Just 30% of European internet users are confident of the security of personal financial information, like credit and debit card numbers, when used to make transactions on-line. That matters, because net users who are confident of on-line security are four-and-a-half times more likely to use on-line banking than those who are not.

Forrester found that two-fifths of the European net users who don't use on-line banking said the reason is because they worry about security. Worse, security fears don't just keep some consumers from signing up for on-line banking – they cause some existing on-line banking users to stop.

Many consumers think on-line banking is less safe than paying by card in a restaurant. The majority of consumers in Germany, Spain, Italy, France, and the Netherlands are less concerned about paying by card in a restaurant than about using online banking.

And Forrester believes internet users won't overcome their security fears without help from the banks. Banks can't rely on governments or ISPs to make the internet a safe place to do business – and they can't rely on their customers either, says the research firm. Despite their security worries, many net users don't take basic security precautions.
So banks must both allay net users' fears and take measures to compensate for their inaction. Banks should look to educate net users about security precautions, says Forrester, not let usability fears compromise security. Banks should also deploy or strengthen two-factor authentication urgently, and collaborate rather than compete on security, it suggests.

What is two-factor authentication?

To sign in to most on-line banks, a user is asked for information that he knows, such as his user ID and password, and sometimes his mother's maiden name. Many phishing scams exploit this with relative ease: a phishing e-mail lures a recipient to a web site that purports to be his bank's site, where this information is requested. That information is then fed by criminals into the genuine site of the victim's bank.

Two-factor authentication adds another layer of security: the user is asked for something he knows as well as something he possesses (such as a device that displays a unique password that changes every minute); or something he is (using biometrics, such as a fingerprint or iris scan). Such added security is rare in consumer banking.

Limitations of two-factor authentication

While two-factor authentication may handle basic phishing attacks, the nature of the attacks has evolved. In a recent article on the subject, security expert Bruce Schneier says two-factor authentication simply won't defend against phishing.

Schneier, who founded Counterpane Internet Security, describes the criminals' new toolbox – featuring Trojan attacks and Man-in-the-Middle attacks. He concludes:
"I predict that banks and other financial institutions will spend millions outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft."
"We already see smart Trojans and man-in-the-middle attacks bypassing authentication technologies that, until recently, were perceived as silver bullets", adds Uri Rivner, VP International Marketing for Cyota, a company that specialises in solutions to online fraud at financial institutions. "Even if you come up with something that looks like a silver bullet, you might find that it's pretty difficult to hit a moving target".

And on-line fraud is indeed a rapidly moving target. Today's on-line criminals have greater capabilities, technologies, resources and motivation to conduct on-line fraud, resulting in wave after wave of new, innovative on-line attacks. They tend to be faster than the large financial organisations, not bound to policies and procedures.

"If the threats are highly adaptive, you need to think about building an adaptive defence mechanism", says Mr Rivner. "This means building multiple lines of defence: starting with solutions that neutralise specific fraud sources such as phishing or pharming; through stronger authentication solutions that can adapt to new threats; and finally, an on-line fraud detection solution that can monitor and manage the fraud that slips through the previous lines of defence".
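The two passages above describe a token that "displays a unique password that changes every minute" and then explain why a man-in-the-middle still gets through. The following Python is an added illustration written for this page; it is not code from Forrester, Schneier, Cyota or any bank. It builds a simplified time-based one-time code in the style of the HMAC-based OTP construction (RFC 4226/6238) with a constructed seed and a fixed clock, and a server-side verifier that tolerates clock drift and refuses replays. The "relayed_code_accepted" check is the article's limitation made concrete: the server cannot tell who is typing the code, so any code forwarded inside its validity window is accepted. The transaction-bound variant at the end goes beyond the article and is an assumption on my part about what an "authentication solution that can adapt" might look like: mixing payee and amount into the code so that a code relayed to a different transaction fails.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article's token "changes every minute"
DIGITS = 6

# Constructed demo values: a fixed seed and a fixed clock so the run is reproducible.
SECRET = b"constructed-demo-seed-not-a-real-key"
T0 = 1_700_000_000


def totp_counter(unix_time: float, step: int = STEP_SECONDS) -> int:
    """Time step number: every `step` seconds the token shows a new code."""
    return int(unix_time) // step


def otp(secret: bytes, message: bytes, digits: int = DIGITS) -> str:
    """Dynamic-truncation one-time code over HMAC-SHA1 (the RFC 4226 construction)."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def login_message(counter: int) -> bytes:
    """Plain time-based login code: the HMAC input is just the time step."""
    return struct.pack(">Q", counter)


def transaction_message(counter: int, payee: str, amount_cents: int) -> bytes:
    """Transaction-bound code (assumed mitigation, not from the article): payee and
    amount are mixed into the HMAC input, so a code relayed to a different payee
    or amount fails verification."""
    return (struct.pack(">Q", counter) + payee.encode("utf-8") + b"\x00"
            + struct.pack(">Q", amount_cents))


class OtpVerifier:
    """Server side: accepts a code for the current step plus/minus `skew_steps`
    (clock drift) and never accepts the same step twice (replay protection)."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_counter = -1   # highest time step already consumed

    def verify(self, code: str, unix_time: float, message_for=login_message) -> bool:
        now = totp_counter(unix_time)
        for counter in range(now - self.skew_steps, now + self.skew_steps + 1):
            if counter <= self.last_counter:
                continue   # this step was already used: reject replays
            expected = otp(self.secret, message_for(counter))
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    results = {}
    # The "something he possesses": the code the token displays at T0.
    code = otp(SECRET, login_message(totp_counter(T0)))

    bank = OtpVerifier(SECRET)
    results["accepted_in_window"] = bank.verify(code, T0 + 10)
    results["replay_rejected"] = not bank.verify(code, T0 + 20)
    results["expired_rejected"] = not OtpVerifier(SECRET).verify(code, T0 + 5 * STEP_SECONDS)

    # The limitation Schneier describes: the server cannot tell who typed the code.
    # Anything that captures it and forwards it inside the window is let in.
    results["relayed_code_accepted"] = OtpVerifier(SECRET).verify(code, T0 + 30)

    # Assumed mitigation: bind the code to the transaction details.
    tx_code = otp(SECRET, transaction_message(totp_counter(T0), "ACME Ltd", 10_000))
    results["tx_same_details_accepted"] = OtpVerifier(SECRET).verify(
        tx_code, T0 + 10, lambda c: transaction_message(c, "ACME Ltd", 10_000))
    results["tx_altered_payee_rejected"] = not OtpVerifier(SECRET).verify(
        tx_code, T0 + 10, lambda c: transaction_message(c, "Other Payee", 10_000))
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running `demo()` shows every check true: the code works once inside its minute, is refused on replay and after expiry, but is also accepted from whoever presents it within the window. Only the transaction-bound variant distinguishes the customer's intended payment from an altered one, which is the kind of extra line of defence the article's closing quote argues for.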