John Pescatore

A member of the Gartner Blog Network


Charging Your Customers To Reduce Your Security Costs Never Has and Never Will Work

July 29th, 2009 · 3 Comments

Network World has a piece today about a credit union in California offering two factor authentication to its customers:

The credit union is encouraging customers to switch from simple password authentication to the far stronger two-factor authentication, which makes use of VeriSign’s handheld token to generate a one-time password. In addition, VeriSign offers applications for the Blackberry or iPhone that can be downloaded to these mobile devices and used to turn a smart phone into a variable-password generator.

Cool – I like to see businesses “encouraging” customers to use stronger security, since it will reduce the business’s fraud costs, make the customers happier – great business payback. However, later on the piece defines how the credit union will “encourage” customers:

The credit union, which has 150,000 members, many of them associated with the high-tech industry, will launch the service for free in the roll-out phase but will likely charge for the service down the road. For those using the stronger two-factor authentication, an annual fee of $10 for the service is anticipated, plus $10 for a handheld token. The iPhone and Blackberry applications are available for free.

OK, this is yet another one of those announcements of strong authentication that will go nowhere – there have been dozens of identical ones over the past 10 years that came and went. Charging your customers to use a less convenient means of authenticating in order to make their dealings with you more secure is an asinine business strategy. Imagine if WalMart charged customers $10 a year at their stores in order to pay for the surveillance cameras they use to catch shoplifters. That’s a cost of doing business that gets factored into any business’s prices, not charged as a user fee. I know, let’s charge customers a $1 fee to remove the magnetic thingie from the expensive jackets. Or maybe the new GM will charge a $10/year fee for the airbags to open.

At least don’t charge the yearly fee for those who use the iPhone or Blackberry app – the consumer token approach isn’t going to go anywhere, anyway. But the cellphone as token approach has a chance – and the business costs of implementing it are less than the number of password theft incident costs that it will avoid.
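For readers who want to see what the token or phone app in the Network World piece actually does, here is an added example of an event-based one-time password generator and the matching server-side check. It is not VeriSign’s code and not the credit union’s system; it assumes the OATH HOTP algorithm from RFC 4226 (and its time-based variant from RFC 6238), which the article does not say VeriSign uses. The secret and counters are the published RFC test values, constructed here for illustration.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed sample: the RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# A real token or phone app holds a per-user secret provisioned by the bank.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)                       # counter as big-endian 64-bit
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)        # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from the clock (the phone-app case)."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, server_counter: int, submitted: str,
                window: int = 5, digits: int = 6) -> Optional[int]:
    """Server-side check for an event-based token.

    The token's counter may have run ahead of the server's (the user pressed the
    button without logging in), so the server looks ahead `window` steps. On a
    match it returns the counter value the server must store next, which is one
    past the counter that was used; this is what makes a captured code unusable
    a second time. Returns None when nothing in the window matches.
    """
    for c in range(server_counter, server_counter + window + 1):
        candidate = hotp(secret, c, digits)
        if hmac.compare_digest(candidate, submitted):     # constant-time comparison
            return c + 1
    return None


if __name__ == "__main__":
    # Token shows codes for counters 0..3; the server still sits at counter 0.
    codes = [hotp(RFC_TEST_SECRET, c) for c in range(4)]
    print("token codes:", codes)
    # User skipped two codes and submits the third: accepted, server jumps to 3.
    print("accepted, next counter:", verify_hotp(RFC_TEST_SECRET, 0, codes[2]))
    # Replay of the same code against the advanced counter is rejected.
    print("replay result:", verify_hotp(RFC_TEST_SECRET, 3, codes[2]))
    # Phone-app style code at t=59 seconds (RFC 6238 vector, 8 digits).
    print("totp at t=59:", totp(RFC_TEST_SECRET, 59, digits=8))
```

The look-ahead window is the operational trade-off: too small and users who press the button idly get locked out, too large and an attacker with a captured code gets more guesses; either way the counter is advanced past any accepted value so a phished code cannot be replayed. Note that a one-time password stops replay of a stolen credential, but it does not by itself stop a trojan on the customer’s PC from hijacking the authenticated session, which is the scenario the comments below raise.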


Tags: Uncategorized

3 responses so far

  • 1 Marc Dierens // Jul 29, 2009 at 10:33 am

    Agree, here in Belgium most of the banks have adopted this system as a default one, so we have no choice but to use the token. So far we have not yet had to put up some money, but who knows what will happen in the future.

    Shouldn’t this bank give the users the token as only option? It would seem that the security of the system without token does not give enough security to be confident in using the system in the first place?

  • 2 John Pescatore // Jul 31, 2009 at 6:52 am

    I agree – for something as sensitive as online banking and with the risk of phishing rampant, strong authentication should be the only form offered. I think the text message to cellphone approach (plus a PIN) is good enough – tokens don’t necessarily have to be required but could be offered for those who don’t have mobiles or don’t like to text or whatever.

  • 3 Scott Olson // Jul 31, 2009 at 10:32 am

    I couldn’t agree with you more. I have the Verisign iPhone token for my PayPal and eBay accounts and have been trying to get my bank to offer that as an authentication mechanism for online banking with no success. It is in the bank’s best interest to protect their customers and encourage them to use online banking, which saves the bank far more per year than their measly $10.

    I saw a report from Black Hat yesterday discussing the latest trojan Clampi, which is targeting online banking accounts, and the conclusion of the report was to use a completely separate PC solely for online banking. It’s ridiculous. Multi-factor authentication should be a minimum bar of security for online banking and brokerages. I hope some of these institutions can get that through their heads.
