Online Banking Security
SolidPass security tokens enable online banking security and fraud prevention. SolidPass is a two-way, two-channel, two-factor authentication technology that provides stronger security and protection. Internet banking threats include keylogging, spoofing, Trojans, browser poisoning, phishing, pharming, hacking, man-in-the-middle (MitM) attacks and stolen devices.
Importance of Internet Banking Security
Online banking (or Internet banking) made financial transactions easy by allowing customers to conduct them on a secure website. With that convenience, however, the threat of online banking fraud has become a greater concern. Customer confidence in, and loyalty to, a bank offering online banking depend greatly on its protection against banking fraud and identity theft. Financial institutions are responding by using security tokens in addition to static user names and passwords. For ubiquitous reach, banks are adopting mobile and software-based tokens.
Protection Through Authentication
Protection through a single username/password authentication is not considered secure enough for personal online banking applications in some countries. The PIN/TAN system is one in which the PIN is a password used for the login, and TANs are one-time passwords used to authenticate transactions. TANs can be distributed in different ways, the most popular being to send a list of TANs to the online banking user by postal letter. The most secure way of using TANs is to generate them as needed with a security token. These token-generated TANs depend on the current time and on a unique secret stored in the security token (this is called two-factor authentication, or 2FA). Online banking with PIN/TAN is usually done via a web browser over an SSL-secured connection, so no additional encryption is needed. Signature-based online banking requires all transactions to be digitally signed and encrypted. The keys for signature generation and encryption can be stored on smartcards or any other memory medium, depending on the concrete implementation. In 2001 the FFIEC issued guidance for multi-factor authentication (MFA) and then required it to be in place by the end of 2006, making the implementation of MFA a requirement rather than an optional offering.
Common Attacks
Most attacks on online banking in use today are based on deceiving the user in order to steal login data and valid TANs. Two well-known examples of such attacks are phishing and pharming. Cross-site scripting and keyloggers/Trojan horses can also be used to steal login information. One method of attacking signature-based online banking is to manipulate the banking software so that correct transactions are shown on the screen while faked transactions are signed in the background.
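As an added illustration (not SolidPass code and not a description of any SolidPass product), the following Python shows how a token-generated TAN can be derived from a shared secret and the current time step, and how the verifying side accepts it only once within a small clock-drift window. Going beyond the page's description, the TAN is also bound to the transaction text, so a transaction swapped in behind a correct-looking display would no longer verify; the secret, transaction strings and parameters are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret; a real token holds a per-device secret provisioned by the bank.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
TIME_STEP = 30   # seconds each TAN stays valid on the generating side
TAN_DIGITS = 6
WINDOW = 1       # accept the adjacent time steps to tolerate token/server clock drift


def generate_tan(secret: bytes, step: int, transaction: str = "") -> str:
    """Derive a TAN from the shared secret, the time step and the transaction text."""
    msg = struct.pack(">Q", step) + transaction.encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226): 4 bytes at an offset
    # taken from the last nibble, high bit cleared, reduced to TAN_DIGITS digits.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** TAN_DIGITS).zfill(TAN_DIGITS)


class TanVerifier:
    """Bank side: checks a TAN against the current time window and refuses reuse."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used = set()  # (step, transaction) pairs already consumed

    def verify(self, tan: str, transaction: str, now: int) -> bool:
        step_now = now // TIME_STEP
        for step in range(step_now - WINDOW, step_now + WINDOW + 1):
            expected = generate_tan(self.secret, step, transaction)
            if hmac.compare_digest(expected, tan):
                if (step, transaction) in self.used:
                    return False  # replay of a TAN that was already accepted
                self.used.add((step, transaction))
                return True
        return False  # wrong secret, expired step, or transaction text altered


if __name__ == "__main__":
    tx = "EUR 100.00 to DE00 1234 5678"  # constructed transaction text
    now = int(time.time())
    tan = generate_tan(DEMO_SECRET, now // TIME_STEP, tx)
    bank = TanVerifier(DEMO_SECRET)
    print("first use:", bank.verify(tan, tx, now))
    print("replay:", bank.verify(tan, tx, now))
    print("altered transaction:", bank.verify(tan, "EUR 9000.00 to DE00 9999 9999", now))
```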
A recent FDIC Technology Incident Report, compiled from the suspicious activity reports that banks file quarterly, lists 536 cases of computer intrusion, with an average loss per incident of $30,000. That adds up to a loss of nearly $16 million in the second quarter of 2007. Computer intrusions increased by 150 percent between the first and second quarters of 2007. In 80 percent of the cases the source of the intrusion is unknown, but it occurred during online banking, the report states.