Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > What is the best authentication method for protecting an online banking site?
Ask The Security Expert: Questions & Answers
EMAIL THIS

What is the best authentication method for protecting an online banking site?

Joel Dubin, past SearchSecurity.com expert EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 17 September 2006
I'm researching authentication methods, trying to determine the right method for allowing customers to make payments online. Which, in your opinion, is best?

>
It sounds like you're trying to strengthen your authentication method for online banking to comply with the Federal Financial Institutions Examination Council (FFIEC) guidance.

The FFIEC recommended that two-factor authentication be used for all online banking, in your case, for making payments. If you're not with a bank, two-factor authentication is still a possible option for protecting online commerce, like your business.

But two-factor authentication isn't always the best approach.

To summarize briefly, there are three authentication factors: something you know, something you have and something you are. A user ID and password are examples of something you know. A one-time password (OTP) token or smart card is an example of something you have. Your fingerprint, voice or facial pattern is something you are. Combining two of these methods is called two-factor authentication.

The idea behind two-factor authentication is defense-in-depth. If one factor is breached, the other can still block malicious access.

For Web sites, two-factor authentication can mean customer-issued OTP tokens, or even simple biometric tokens connected to PCs by USB ports. The biometric tokens, which both resemble OTP tokens in size and appearance, check the user's fingerprint.

But both options present problems. First, both require substantial investment in software and hardware to deploy, and they will require ongoing maintenance after that. Second, OTP tokens aren't foolproof. They're susceptible to man-in-the-middle (MITM) attacks, and can sometimes still be circumvented by phishing. Biometrics, on the other hand, despite becoming more lightweight and consumer-friendly, are still difficult for customers to accept.

Before undertaking any of these deployments, do a thorough risk analysis of your online payment system. What types of payments can be made online? Can the Web site only be used to pay bills for a single account, as for a single merchant or credit card, or can money be sent to third parties? Are there limits to the amount of money that can be transferred online?

If the risks are low, as in a single merchant site where only payments can be made, then using user IDs, passwords and SSL would sufficiently protect your site. However, if the risk is greater, as it is with money transfers, consider two-factor authentication, or fraud-monitoring systems.

Fraud-monitoring systems are transparent to the user, work behind the scenes and still allow the customer-friendly features of user IDs and passwords. They can be integrated into your existing Web site with minimal development and less overhead than two-factor authentication systems.

For more information:

  • Visit SearchSecurity.com's Identity and Access Management Security School, and learn how to create an effective identity and access mangement plan.
  • Understand authentication options.

    		•

    BROWSE BY TAG
    Identity Management and Access Control,   Security Token and Smart Card Technology,   Enterprise Identity and Access Management,   User Authentication Services,   Security Audit, Compliance and Standards,   FFIEC Regulations and Guidelines,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Identity Management and Access Control
    Is Identity Management as a Service (IDaaS) a good idea?
    How to log in to multiple servers with federated single sign-on (SSO)
    How to confirm the receipt of an email with security protocols
    Learn about enterprise strategy for server virtualization single sign-on
    Employee information security awareness training for new IAM systems
    Can you combine RFID tag technology with GPS to track stolen goods?
    Is there a free enterprise-caliber password-management tool?
    Cryptosystem attacks that do not involve obtaining the decryption key
    Can any firm or organization get a digital signature certificate?
    Should the CTO have domain administrator access?

    Security Token and Smart Card Technology
    First Data, RSA push tokenization for payment processing
    How to log in to multiple servers with federated single sign-on (SSO)
    Best Authentication Products
    Are 'strong authentication' methods strong enough for compliance?
    Risk management must include physical-logical security convergence
    RSA researcher Ari Juels: RFID tags may be easily hacked
    Portable security storage device could replace OTP devices
    Can you combine RFID tag technology with GPS to track stolen goods?
    Security token and smart card authentication
    Embedded smart card chips are open to hack attacks

    FFIEC Regulations and Guidelines
    FTC Red Flags Rules: How to create an identity theft prevention plan
    Protecting data in a merger and acquisition
    This May Day, banks wave the Red Flags
    IT security pros face challenge during economic crisis
    Understanding multifactor authentication features in IAM suites
    Compliance drives credit union to catch online bill payment fraudsters
    The road to compliance
    At RSA, feds seek help to close widening cybersecurity gaps
    TJX should have had stronger Wi-Fi encryption, say Canadian officials
    Interview: FDIC director explains FFIEC standard

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    authentication server  (SearchSecurity.com)
    Chameleon Card  (SearchSecurity.com)
    key chain  (SearchSecurity.com)
    key fob  (SearchSecurity.com)
    key string  (SearchSecurity.com)
    national identity card  (SearchSecurity.com)
    security token  (SearchSecurity.com)
    smart card  (SearchSecurity.com)
    tokenization  (SearchSecurity.com)
    two-factor authentication  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts