There's no single answer to securing online banking

Financial institutions have turned to multi-factor authentication to verify a person's identity and deliver a higher level of privacy and security

GRANT BUCKLER

Globe and Mail Update

If your bank wants to know the colour of your first car when you pay a bill online, it's part of a new approach to securing online banking that may also include recognizing your computer and some day, perhaps, even the way you speak or type.

It's called multi-factor authentication and is designed to verify a person's identity by more than one method so as to deliver a higher level of privacy and security assurance. With the growth of online banking — and fraud related to online banking, including phishing and pharming scams — customers and financial institutions have been united in their quest to find a solution.

But while banks in the United States had been ordered to switch to multi-factor authentication by the end of last year (approximately half met the deadline), Canadian banks have faced no such demand. Nevertheless, a report from Boston-based research firm Celent LLC says around 44 per cent of Canadian banks have multi-factor authentication in place for online banking so far.

So far, Canadian banks are implementing multi-factor authentication mainly for internet banking. One of the early adopters is TD Bank Financial Group, which launched EasyWeb IdentificationPlus in April. Customers are asked to choose five questions (and provide answers) from a series of lists.

Whenever a customer performs certain high-risk transactions or logs on to EasyWeb from a computer other than his or her usual one, the system poses one of the questions — such as asking for the name of your spouse's grandmother or perhaps what you studied at university.

TD knows when you log on from your usual computer because it places a web cookie on your machine, explains Alexandra Shaw, vice-president of internet banking. That provides an extra level of authentication, but if the system doesn't detect your computer, it asks a question instead.

HSBC Bank Canada introduced a similar procedure last year, but poses questions no matter which computer a customer is using. This “challenge question” method is simple, and questions are chosen so customers will remember the answers, says Shelley Maher, HSBC's vice-president of direct channels.

Royal Bank of Canada, Bank of Montreal, CIBC and ING Direct also use challenge questions.

Combining passwords with questions and/or web cookies is the most popular multi-factor authentication technique online, says Jacob Jegher, the Montreal-based senior analyst who wrote the Celent report.

Bank of Montreal also lets customers choose pictures to be displayed when they log on. “It really allows the customer to know that they are on a legitimate site and it is not a phishing site,” explains Lee Dunn, vice-president and chief security officer. ING does the same.

But while financial institutions have focused much of their attention online, they're also investing in multi-factor authentication methods that will make bank machine and phone transactions more secure. The thing is, only about 7 per cent of Canadians use the phone as their primary method of banking, versus 27 per cent for online, 29 per cent for in-person and 33 per cent for banking machines, says the Celent report.

So adding security provisions to these services hasn't been a priority.

Because it has no branches, ING Direct does more telephone banking than most. Since most people do their phone banking from their home phones, ING operators can check calling numbers against customer records, says Brenda Rideout, ING's chief information officer. That's the closest ING comes to multi-factor authentication for phone banking.

Mobile banking is in its infancy, but Mr. Jegher expects more mobile services in the next year, and says they will have multi-factor authentication from the start.

Biometrics — identification by physical characteristics like fingerprints — are popular for some multi-factor authentication but not online banking. Financial institutions use multi-factor systems including biometrics to control access to physical facilities such as computer rooms, says Matthew Bogart, vice-president of marketing at Bioscrypt Inc., a Markham, Ont., biometrics equipment maker.

Makers of automated teller machines are experimenting with fingerprint readers and software that recognizes customers' faces, Mr. Bogart says. He expects such devices will gain popularity in time.

Mr. Jegher isn't so sure. Bank machines already use two forms of authentication — the client card and personal identification number — and don't need another, he says. But he sees potential for biometrics in online and telephone banking.

Banks might install software that monitors customers' typing as they log into online banking sites, he says. Everyone's typing is distinctive, so this should warn the bank if the person at the keyboard isn't the usual customer.

For telephone banking, Mr. Jegher says some U.S. banks are testing software that identifies voices. While there have been accuracy problems in the past, he says, those have largely been resolved. The question now is whether customers are ready, and Mr. Jegher doesn't expect widespread deployment for three to five years.

Ms. Rideout says ING has tested voice identification but “the match ratios aren't as high as we would like.” The bank has also tested a biometric mouse, but ING is doubtful about physical devices because they complicate the customer experience and can be lost.

The Bank of Montreal has explored biometrics “probably for a good year now,” Ms. Dunn says, but hasn't implemented anything.
