Saturday, May 19, 2007

Internal controls as important as front-line security

The Bankwatch blog has a quick note on how two-factor authentication and token are perceived as being synonymous, when in fact technology such as PassMark can provide the required second form of authentication required to really judge the authenticity of a person performing a transaction.

Even better though, the post points to an easy to read paper by Ross Anderson, Professor of Security Engineering at Cambridge University. This talks not only about the different types of scams, like Phishing, but the importance of internal controls within financial services organizations that front end technical security supplements.

Everyone that uses online banking sites understands the importance banks place on knowing the true identity of customers. Third-party authentication is the primary means to achieve this with a new customer, by using trusted third-party identification (e.g. government issued ID and credit checks), before issuing a customer credentials (username and password) to use the site. Primary authentication (a customer's new credentials and a second factor of authentication) is used to ensure it is really the person that claims to be the customer making a transaction.

These forms of authentication are the first line of defense and it seems that those banks with poor internal controls typically become the focus for online fraud. Since there is a much lower risk to the criminal that the bank will either notice a problem or be able to recover assets, this makes the effort to get around the primary security more likely to be rewarding. Cyber-crime moves to the easiest target. And when this becomes newsworthy, customers get the impression that their investment is not being well protected. Brand damage is a high price to pay when people trust you with their money.

Technorati tags:

A post from the Improving New Account Opening blog

No comments: