Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

No Static at All

One-time passwords mitigate online banking security risks.

Rabobank (The Netherlands; about $500 billion in assets) has 2.5 million Internet banking customers, and not one of them has fallen victim to the common methods used to steal passwords. That's because Rabobank's online customers use one-time passwords, or "tokens," generated by a portable smart card reader from Vasco (Wemmel, Belgium and Westborough, Mass.). "Security is a critical part of Internet banking," says Bert Willems, project manager for authentication services at Rabobank.

Static passwords can be stolen using phishing e-mails or a keystroke logger computer virus. By contrast, one-time password tokens are generated using a time-sensitive algorithm in synchronization with a bank's server. Thus, even if someone were to obtain the one-time password, it would have to be used immediately to perpetrate a fraud and preempt the user's own access attempt.

Vasco has more than 300 banking clients with almost 12 million customers, and Fremont, Calif.-based ActivCard has 3.5 million users of its token solution at European banks. In the U.S., tokens have been used to access corporate networks, cash management systems and online banking for high-net-worth individuals. But, for the technology to make the jump to the domestic retail banking market, U.S. banks first would have to change their tune.

Since banks have no direct hand in most of the interactions between victim and criminal, the prevailing attitude in the U.S. has been that "phishing is not my problem," says Bill Bradway, group VP, retail financial services, Financial Insights (Framingham, Mass.). Retail customers, however, think differently. "Customers actually feel that the institution should be the one protecting them," says Bradway. Still, "There would have to be a lot of pain to force [banks] to use a one-time token."

That "pain" could take the form of regulations, increasing fraud losses, abandonment of the online channel or the loss of market share to competitors that offer tighter online security. But early adopters would bear the brunt of higher unit costs. "You've got a retail bank customer and you're making $250 a year [on that person]," says Mark Griffiths, VP, authentication services, VeriSign Security Services (Mountain View, Calif.). "Do you want to send him a $45 token?"

To mitigate the expense, organizations such as the Liberty Alliance Project and the VeriSign-led initiative for Open Authentication (OATH) are positioning themselves to operate a shared-service model, by which one device could generate passwords for several online services. Banks, however, "might not be so willing to allow customers from other banks to use their tokens," says Jochem Binst, director of corporate communications for Vasco.

But consumers won't likely carry multiple devices, which is why the industry is watching Internet service provider AOL's recent launch of a token-based security offering [see article, page 64]. "The key thing is," says John Worrall, VP of worldwide marketing, RSA Security (Bedford, Mass.), "who will the banks trust?"
