Rabobank (The Netherlands; about $500 billion in assets) has 2.5 million Internet banking customers, and not one of them has fallen victim to the common methods used to steal passwords. That's because Rabobank's online customers use one-time passwords, or "tokens," generated by a portable smart card reader from Vasco (Wemmel, Belgium and Westborough, Mass.). "Security is a critical part of Internet banking," says Bert Willems, project manager for authentication services at Rabobank.
Static passwords can be stolen using phishing e-mails or a keystroke-logging virus. By contrast, one-time passwords are generated by the token using a time-sensitive algorithm kept in synchronization with the bank's server. Thus, even if someone were to obtain a one-time password, it would have to be used immediately to perpetrate a fraud and preempt the user's own access attempt.
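As an added illustration of the time-synchronized scheme described above (example code written for this page, not Vasco's, Rabobank's or any bank's actual implementation, which the article does not detail), the following assumes the RFC 6238 TOTP construction: HMAC-SHA1 over a 30-second time step, six digits, and a server-side verifier that tolerates one step of clock drift and records each accepted step so a captured code cannot be replayed. The shared secret, step size, drift window and in-memory replay set are all assumptions for the example.

```python
import hashlib
import hmac
import struct
import time

# Assumed parameters for the example (RFC 6238 defaults, not the bank's).
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step.
    The token and the server compute this independently from the shared secret."""
    return hotp(secret, int(at_time) // step, digits)


class OtpVerifier:
    """Bank-side check for a submitted one-time password.

    A code is accepted only for the current step (plus `window` steps on either
    side for clock drift), and each accepted step is recorded so the same code
    cannot be reused. This is what makes a phished or keylogged code worthless
    after its first use: whoever submits it first consumes it, and the other
    party's attempt is rejected.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.used_counters: set[int] = set()  # constructed in-memory replay record

    def verify(self, code: str, now: float) -> bool:
        counter = int(now) // self.step
        # Forget steps that can no longer be accepted, so the set stays small.
        self.used_counters = {c for c in self.used_counters if c >= counter - self.window}
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate in self.used_counters:
                continue  # already consumed: a replay, even if the digits match
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):
                self.used_counters.add(candidate)
                return True
        return False


if __name__ == "__main__":
    # Constructed shared secret (the RFC 6238 test-vector secret, not a real key).
    secret = b"12345678901234567890"
    now = time.time()
    code = totp(secret, now)
    server = OtpVerifier(secret)
    print("token shows:", code)
    print("first use accepted:", server.verify(code, now))
    print("replay of same code accepted:", server.verify(code, now + 5))
```

The verifier stores only the consumed time-step counters, not the codes, so a second submission of the same digits within the drift window is refused whether it comes from the customer or from someone who captured the code. A real deployment would keep that record in shared server-side storage rather than in process memory.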
Vasco has more than 300 banking clients with almost 12 million customers, and Fremont, Calif.-based ActivCard has 3.5 million users of its token solution at European banks. In the U.S., tokens have been used to access corporate networks, cash management systems and online banking for high-net-worth individuals. But, for the technology to make the jump to the domestic retail banking market, U.S. banks first would have to change their tune.
Since banks have no direct hand in most of the interactions between victim and criminal, the prevailing attitude in the U.S. has been that "phishing is not my problem," says Bill Bradway, group VP, retail financial services, Financial Insights (Framingham, Mass.). Retail customers, however, think differently. "Customers actually feel that the institution should be the one protecting them," says Bradway. Still, "There would have to be a lot of pain to force [banks] to use a one-time token."
That "pain" could take the form of regulations, increasing fraud losses, abandonment of the online channel or the loss of market share to competitors that offer tighter online security. But early adopters would bear the brunt of higher unit costs. "You've got a retail bank customer and you're making $250 a year [on that person]," says Mark Griffiths, VP, authentication services, VeriSign Security Services (Mountain View, Calif.). "Do you want to send him a $45 token?"
To mitigate the expense, organizations such as the Liberty Alliance Project and the VeriSign-led initiative for Open Authentication (OATH) are positioning themselves to operate a shared-service model, by which one device could generate passwords for several online services. Banks, however, "might not be so willing to allow customers from other banks to use their tokens," says Jochem Binst, director of corporate communications for Vasco.
But consumers won't likely carry multiple devices, which is why the industry is watching Internet service provider AOL's recent launch of a token-based security offering [see article, page 64]. "The key thing is," says John Worrall, VP of worldwide marketing, RSA Security (Bedford, Mass.), "who will the banks trust?"