Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)
Q5 – What information can you provide to the Working Group about online fraud countermeasures being considered or deployed by Australian financial institutions? How does the Australian response compare with that of other comparable countries, in your view?
There is no established industry recommendation or mandate which specifically requires Australian financial institutions to implement authentication technologies that are more advanced than the conventional username and password approach. However, several Australian banks (including Commonwealth Bank,[5] National Australia Bank,[6] Bendigo Bank,[7] ANZ,[8] Westpac[9] and HSBC[10]) have implemented some form of two-factor authentication for their Internet banking services.
However, two-factor authentication provides only minimal protection against phishing attacks.[11] For this reason, financial institutions need to consider deploying technologies that enable them to authenticate their websites to customers.
Nevertheless, there are examples of recommendations and mandates being issued in other jurisdictions regarding the use of two-factor authentication by financial institutions. These include:
- United Kingdom
APACS, the UK trade association for payments and for institutions that deliver payment services to customers, currently has 31 members whose payment traffic volumes account for 97% of the total UK payments market.[12] APACS is working with a number of UK banks on a trial to implement a form of two-factor authentication known as ‘remote card authentication’. Using this form of authentication, account holders seeking to use Internet banking services must first swipe their card through a hand-held reader provided by their bank, and then enter their PIN. Once the bank has confirmed the PIN is correct, the account holder is provided with a dynamically generated passcode, which they then use to log in. It is expected the trial will commence at some stage in 2007.[13]
- United States
The Federal Financial Institutions Examination Council (FFIEC) is empowered to establish principles and standards for US financial institutions.[14] In October 2005, the FFIEC released a guidance document for financial institutions regarding the authentication mechanisms necessary for verifying the identity of customers who access online financial services. The document states that financial institutions should implement effective methods of authentication that are commensurate with the risk associated with online banking. The FFIEC states that it does not consider single-factor authentication sufficient in circumstances where transactions are high-risk,[15] which would appear to cover Internet banking transactions. US financial institutions were expected to have conformed with the requirements of the guidance document by the end of 2006.[16]
The Federal Deposit Insurance Corporation (FDIC), an independent agency of the US federal government, has also recommended that financial institutions consider deploying two-factor authentication in response to the increased incidence of online fraud.[17]
- Hong Kong
In May 2005 the Hong Kong Monetary Authority, Hong Kong Police Force and Hong Kong Association of Banks jointly announced that banks would make two-factor authentication mechanisms available to customers engaging in high-risk Internet transactions.[18]
- Singapore
The Monetary Authority of Singapore has released risk management guidelines for financial institutions. The guidelines advocate the use of two-factor authentication as a means of combating online fraud.[19]
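The remote card authentication exchange described under United Kingdom, as an added simulation that is not part of this submission or of APACS's trial: the passcode is derived HOTP-style (RFC 4226) from a card secret and a counter, and the PIN is checked by the bank-issued card in the reader, both assumptions since the submission gives no algorithm. Card ids, secrets and PINs are constructed.

```python
import hashlib
import hmac
import struct

def otp(secret: bytes, counter: int, digits: int = 8) -> str:
    """HOTP-style passcode (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class CardReader:
    """Customer side: the bank-issued card sitting in a hand-held reader (assumed to hold PIN check data)."""
    def __init__(self, card_secret: bytes, pin: str):
        self.secret = card_secret
        self.pin_hash = hashlib.sha256(pin.encode()).digest()  # constructed stand-in for the card's PIN check
        self.counter = 0
    def swipe_and_enter_pin(self, pin: str):
        # Wrong PIN: no passcode is issued, so possession of the card alone does not log anyone in.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash):
            return None
        self.counter += 1   # every passcode is fresh; the bank will not accept the same one twice
        return otp(self.secret, self.counter)

class Bank:
    """Bank side: holds each card's secret and the last counter value it accepted."""
    def __init__(self):
        self.cards = {}     # card_id -> [secret, last_counter]
    def issue_card(self, card_id: str, secret: bytes):
        self.cards[card_id] = [secret, 0]
    def login(self, card_id: str, passcode: str, window: int = 10) -> bool:
        secret, last = self.cards[card_id]
        # Look-ahead window: passcodes generated but never submitted must not lock the customer out.
        # Nothing here ties the passcode to the site that collected it, which is the gap the
        # submission says site-to-customer authentication must close.
        for c in range(last + 1, last + 1 + window):
            if hmac.compare_digest(otp(secret, c), passcode):
                self.cards[card_id][1] = c   # move past it: a captured passcode cannot be replayed
                return True
        return False

def demo():
    """Run the exchange end to end; returns (first login accepted, replay of same passcode accepted)."""
    bank = Bank()
    secret = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed card secret
    bank.issue_card("card-001", secret)
    reader = CardReader(secret, "4321")                            # constructed PIN
    assert reader.swipe_and_enter_pin("0000") is None             # wrong PIN yields no passcode
    code = reader.swipe_and_enter_pin("4321")
    return bank.login("card-001", code), bank.login("card-001", code)   # (True, False)
```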
[5] Woodhead B, Stronger security for Commonwealth's retail users, Australian IT, 27 March 2007, <http://australianit.news.com.au/articles/0,7204,21449009^15318^^nbv^,00.html>.
[6] National Australia Bank, SMS payment security, <http://www.nab.com.au/Personal_Finance/0,,82833,00.html>.
[7] Bendigo Bank, Bendigo e-Banking Security Tokens, <http://www.bendigobank.com.au/public/personal/e-banking_security_tokens.asp>.
[8] Carreker, ANZ Recognised for Internet Banking Security, 9 March 2007, <http://www.carreker.com/main/media/press_releases/releases2007/03-09-07-ANZ-IB-Award.htm>.
[9] Westpac, Discover a level of banking convenience you may never have thought possible..., January 2006, <http://www.westpac.com.au/manage/pdf.nsf/1FFDBA6706FA99F0CA2572A2007C30B8/$File/Token_Instruction.pdf>.
[10] HSBC, HSBC launches second factor authentication for retail customers, 25 October 2005, <http://www.hsbc.com.au/information/news/051025.html>.
[11] This is explained further in the response to Question 30, Potential Responses to Phishing Attacks and other forms of Online Fraud at page 29.
[12] <http://www.apacs.org.uk/>.
[13] APACS, Remote Card Authentication, 2005, <http://www.apacs.org.uk/payments_industry/new_technology2.html>.
[15] Federal Financial Institutions Examination Council, Authentication in an Internet Banking Environment, 2005, <http://www.ffiec.gov/pdf/authentication_guidance.pdf>, pp 4-5.
[16] Board of Governors of the Federal Reserve System, Interagency Guidance on Authentication in an Internet Banking Environment, 13 October 2005, <http://www.federalreserve.gov/boarddocs/srletters/2005/sr0519.htm>.
[17] Federal Deposit Insurance Corporation, Putting an End to Account-Hijacking Identity Theft, 14 December 2004, <http://www.fdic.gov/consumers/consumer/idtheftstudy/index.html>.
[18] Hong Kong Government, Launch of Two-factor Authentication for Internet Banking, 30 May 2005, <http://www.info.gov.hk/hkma/eng/press/2005/20050530e3.htm>.
[19] Monetary Authority of Singapore, Technology Risk Management Guidelines for Financial Institutions, 11 November 2002, <http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN011549.pdf>.