Friday, January 29, 2010
Multiple First Factor Questions Do Not Equal Multi-factor Authentication
by Robert Daugherty, Anakam Sr. Systems Engineer
The FBI recently reported that the surge of Automated Clearing House (ACH) fraud committed by criminals stealing the online banking credentials of small and midsize businesses has resulted in approximately $100 million in attempted losses. As these losses have been discovered and the online security practices at the banks or credit unions in question are examined, it has become apparent that there is cause for concern in the way multi-factor authentication schemes are implemented.
In 2005, the Federal Financial Institutions Examination Council issued guidance requiring all financial institutions to implement multi-factor authentication to protect customers’ online accounts. In that guidance, the FFIEC defines multi-factor authentication as:
Existing authentication methodologies involve three basic “factors”:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).
Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents.
Both the customer’s username/password combination and his email account credentials are “something you know”, since most people protect their email account with a username and password as well. Sending a one-time pass code to an email account is therefore still effectively single-factor authentication. This is especially true of email accounts hosted on and reachable directly over the Internet, as opposed to those protected by a firewall or VPN. True second-factor authentication, by contrast, uses an “out-of-band” device such as the user’s cell phone or office phone to deliver the one-time pass code. This combines the first factor (the user’s online banking ID and password) with a second factor, “something you have”: the pre-registered cell or office phone.
Many financial institutions are implementing multiple instances of single-factor authentication and labelling the result multi-factor authentication. Even with some form of identity verification (e.g., questions about mother’s maiden name or account balances), these practices are not enough to deter cyber theft. In fact, reports of hacking attempts have shown that personal information such as mother’s maiden name and other historically private demographic data can easily be found through simple online searches and used to circumvent the security on an account.
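The factor-resolution argument of the two paragraphs above, written out as an added Python model (not code from the original post or from Anakam): a delivered pass code proves only the factors that guard the channel it is sent over, so an emailed code inherits the “knows” factor of the mailbox password, while a code sent to a pre-registered phone adds “has”. The credential names, the sample schemes, and the assumption that the VPN-protected mailbox requires a hardware token are constructed for illustration.

```python
from dataclasses import dataclass
# Factor categories from the FFIEC definition quoted above.
KNOWS, HAS, IS = "knows", "has", "is"

@dataclass(frozen=True)
class Credential:
    """Something the user presents directly: a password (knows), a phone (has), a fingerprint (is)."""
    name: str
    factor: str

@dataclass(frozen=True)
class DeliveredCode:
    """A one-time pass code sent over a channel: it proves only the factors guarding that channel."""
    name: str
    channel_guards: tuple  # Credential or DeliveredCode objects needed to read the channel

def effective_factors(step):
    """Resolve an authentication step to the set of factor categories it actually proves."""
    if isinstance(step, Credential):
        return {step.factor}
    factors = set()
    for guard in step.channel_guards:  # follow the delivery channel back to what protects it
        factors |= effective_factors(guard)
    return factors

def is_multi_factor(scheme):
    """Return (verdict, factor set); multi-factor means at least two distinct categories."""
    factors = set()
    for step in scheme:
        factors |= effective_factors(step)
    return len(factors) >= 2, factors
# Constructed sample credentials and schemes (illustrative, not from the post).
PASSWORD = Credential("online banking password", KNOWS)
EMAIL_PASSWORD = Credential("webmail password", KNOWS)
MAIDEN_NAME = Credential("mother's maiden name question", KNOWS)
REGISTERED_PHONE = Credential("pre-registered cell phone", HAS)
VPN_TOKEN = Credential("hardware token required by the VPN", HAS)  # assumption

SCHEMES = {
    "password + code e-mailed to Internet webmail": [PASSWORD, DeliveredCode("e-mailed code", (EMAIL_PASSWORD,))],
    "password + secret question": [PASSWORD, MAIDEN_NAME],
    "password + code to registered phone": [PASSWORD, DeliveredCode("phone code", (REGISTERED_PHONE,))],
    "password + code e-mailed behind VPN": [PASSWORD, DeliveredCode("VPN mail code", (EMAIL_PASSWORD, VPN_TOKEN))],
}

if __name__ == "__main__":
    for label, scheme in SCHEMES.items():
        ok, factors = is_multi_factor(scheme)
        print(f"{label}: {'multi-factor' if ok else 'single-factor'} {sorted(factors)}")
```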
Additionally, the methods many institutions use to handle customers’ password reset requests have proven problematic. As we learned from recent news surrounding large Web-based mail providers, sending a link to an alternative email account (with a hint on the password help page about which account is used) or requesting the answer to a single secret question are not sufficiently secure procedures. The recent analysis of the RockYou password files shows that weak passwords can easily be guessed to gain access to email accounts, and thus to any one-time pass codes sent to those accounts. Security can also be compromised through the traditional methods of phishing or Trojan horses, especially on customers’ personal computers, where financial institutions have no control over the security of the machine.
These issues point to the critical need for security best practices and defense-in-depth through the use of strong passwords and true two-factor authentication. Cost-effective solutions for true two-factor authentication are available in the market today and add little overhead to the end user’s transaction.