Most New Zealand banks are looking at two-factor authentication as a way of providing higher levels of security to their online banking customers.
But one New Zealand company says the banks have misappropriated the term “two-factor authentication” and, far from offering greater levels of security, are merely paying lip-service to the problem.
True two-factor authentication, argues Tony van Praag of Ezikey, is made up of “something you know and something you don’t know”.
Several New Zealand banks are issuing online bank customers with tokens, devices that continually update with random numbers used to confirm that the token holder is also the account holder. However, van Praag says, “These don’t deliver true two-factor authentication because you can still be fooled into giving out the information.”
Because the tokens are only required for transfers of money that exceed a certain limit, they don’t offer any protection at all for the account itself, he says.
“So, if I can get your account details I can log on and then watch your activity over a period of days, gathering information.” Then, he says, a phone call to the account holder could be made as a kind of verbal phishing attack.
“I could then ring you up and say, ‘It’s your bank here. We’ve noticed something strange with your account. You have two accounts with us and regularly transfer x number of dollars between them. You also have several automatic payments set up, is that correct?’” Van Praag plays the part of a concerned bank official well, and with that level of knowledge about a customer’s account details he would easily convince any but the most hardened of bank customers.
“Then I would say something like, ‘We’ve noticed that you’ve transferred $50,000 offshore and that’s not consistent with your profile. Did you authorise this transaction?’ You’ll fly into a panic and declare that no, you did not. At which point I will be soothing and say, ‘We’ve stopped the transaction, now I just need you to authenticate with your token.’” That, says van Praag, is all that’s needed to empty the bank account and make off with the money.
“Tokens do nothing to stop this and they don’t pretend to. Our solution will stop that because it is true two-factor authentication.” Van Praag wouldn’t go into detail about how Ezikey’s solution works, as he says the company is seeking patents on its work before releasing any details. However, he says the company has been in talks with several banks that are very keen on the idea.
“It’s cheaper than issuing tokens by far — roughly 20% of the cost — and you don’t end up with the ‘token necklace’, with a different token for each bank,” he says.
Ezikey’s solution is an “active identity card” which fits into a wallet, works with both Windows and Apple software, and protects against social engineering attacks like the one above, he says.
“It’s really the next generation of security of online banking.”
Van Praag hopes to be able to reveal more detail in the next few weeks.