Two-Factor Authentication with Cell Phones
Here’s a good idea:
ASB and Bank Direct’s internet banking customers will need to have their cellphone close to hand if they want to use the net to transfer more than $2500 into another account from December.
ASB technology and operations group general manager Clayton Wakefield announced the banks would be the first in New Zealand to implement a “two factor authentication” system to shut out online fraudsters, unveiling details of the service on Friday.
After logging on to internet banking, customers who want to remit more than $2500 into a third party account will receive an eight-digit text message to their cellphone, which they will need to enter online within three minutes to complete the transaction.
It’s more secure than a simple username and password. It’s easy to implement, with no extra hardware required (assuming your customers already have cellphones). It’s easy for the customers to understand and to do. What’s not to like?
Fuzzy • November 23, 2004 10:25 AM
I realize that the question “What’s not to like” was meant to be rhetorical, but actually there are a few things.
#1 – This requires you to divulge your cellular phone number to your bank. Who can then use/sell or otherwise dispose of the information. Bad for privacy.
#2 – There is no information on how the bank obtains the phone number. It may well be possible to change the phone number online. If so, the potential for fraud is lessened but hardly removed. The person attempting the fraud changes the phone number and then makes the transaction (and then potentially changes the phone number back).
#3 – It is not clear to me how much fraud this will catch. What percentage of fraudulent orders are over $2500? No more ordering $3000 laptops but a $2400 one will slip right past.
#4 – Assuming the fraud is connected to a credit card theft (as opposed to a credit number list purchased from the Internet), this now provides an additional incentive to steal the mobile phone (a popular target for theft in the first place).
#5 – For convenience, multipurpose devices are good. In my limited opinion, they not necessarily good. Single task devices can be better.