Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > What is the best authentication method for protecting an online banking site?
Ask The Security Expert: Questions & Answers
EMAIL THIS

What is the best authentication method for protecting an online banking site?

Joel Dubin EXPERT RESPONSE FROM: Joel Dubin

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 17 September 2006
I'm researching authentication methods, trying to determine the right method for allowing customers to make payments online. Which, in your opinion, is best?

>
EXPERT RESPONSE
It sounds like you're trying to strengthen your authentication method for online banking to comply with the Federal Financial Institutions Examination Council (FFIEC) guidance.

The FFIEC recommended that two-factor authentication be used for all online banking, in your case, for making payments. If you're not with a bank, two-factor authentication is still a possible option for protecting online commerce, like your business.

But two-factor authentication isn't always the best approach.

To summarize briefly, there are three authentication factors: something you know, something you have and something you are. A user ID and password are examples of something you know. A one-time password (OTP) token or smart card is an example of something you have. Your fingerprint, voice or facial pattern is something you are. Combining two of these methods is called two-factor authentication.

The idea behind two-factor authentication is defense-in-depth. If one factor is breached, the other can still block malicious access.

For Web sites, two-factor authentication can mean customer-issued OTP tokens, or even simple biometric tokens connected to PCs by USB ports. The biometric tokens, which both resemble OTP tokens in size and appearance, check the user's fingerprint.

But both options present problems. First, both require substantial investment in software and hardware to deploy, and they will require ongoing maintenance after that. Second, OTP tokens aren't foolproof. They're susceptible to man-in-the-middle (MITM) attacks, and can sometimes still be circumvented by phishing. Biometrics, on the other hand, despite becoming more lightweight and consumer-friendly, are still difficult for customers to accept.

Before undertaking any of these deployments, do a thorough risk analysis of your online payment system. What types of payments can be made online? Can the Web site only be used to pay bills for a single account, as for a single merchant or credit card, or can money be sent to third parties? Are there limits to the amount of money that can be transferred online?

If the risks are low, as in a single merchant site where only payments can be made, then using user IDs, passwords and SSL would sufficiently protect your site. However, if the risk is greater, as it is with money transfers, consider two-factor authentication, or fraud-monitoring systems.

Fraud-monitoring systems are transparent to the user, work behind the scenes and still allow the customer-friendly features of user IDs and passwords. They can be integrated into your existing Web site with minimal development and less overhead than two-factor authentication systems.

For more information:

  • Visit SearchSecurity.com's Identity and Access Management Security School, and learn how to create an effective identity and access mangement plan.
  • Understand authentication options.

    		•

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Identity Management and Access Control
    Should a new user have to confirm his or her email address before gaining access?
    Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
    What should an enterprise look for in a password token, and in a vendor?
    Is it possible to write a batch file that allows user access to the local admin group for a short time?
    IAM best practices for employees with varying degrees of access to the same computer
    What are some good pre-boot biometric user authentication tools or strategies?
    If the encryption on the Mifare Classic RFID has been cracked, are smart cards insecure?
    How does the Group Policy Object interact with the 'Password Never Expires' flag?
    How do RFID-blocking passport wallets work?
    What are the benefits of identity managed as a service?

    Tokens and Smart Cards
    Hackers can target embedded smart card chips
    What should an enterprise look for in a password token, and in a vendor?
    If the encryption on the Mifare Classic RFID has been cracked, are smart cards insecure?
    What are good features to look for when searching for new access control software?
    Product review: Secure Computing SafeWord 2008
    Video: Changes ahead for MIT Kerberos Consortium
    Kerberos: Authentication with some drawbacks
    What techniques are being used to hack smart cards?
    What are the dangers of using radio frequency identification (RFID) tags?
    How to prevent hack attacks against smart card systems.

    FFIEC
    Understanding multifactor authentication features in IAM suites
    Compliance drives credit union to catch online bill payment fraudsters
    The road to compliance
    At RSA, feds seek help to close widening cybersecurity gaps
    TJX should have had stronger Wi-Fi encryption, say Canadian officials

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    authentication server  (SearchSecurity.com)
    Chameleon Card  (SearchSecurity.com)
    key chain  (SearchSecurity.com)
    key fob  (SearchSecurity.com)
    key string  (SearchSecurity.com)
    national identity card  (SearchSecurity.com)
    security token  (SearchSecurity.com)
    smart card  (SearchSecurity.com)
    tokenization  (SearchSecurity.com)
    two-factor authentication  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    Targeted Security Channel Tips for Resellers, Integrators and Consultants
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts