If your bank wants to know the colour of your first car when you pay a bill online, it's part of a new approach to securing online banking that may also include recognizing your computer and, some day perhaps, even the way you speak or type.
It's called multifactor authentication and is designed to verify a person's identity by more than one method so as to deliver a higher level of privacy and security assurance. With the growth of online banking - and fraud related to online banking, including phishing and pharming scams - customers and financial institutions have been united in their quest to find a solution.
But while U.S. banks had been ordered to switch to multifactor authentication by the end of last year (half met the deadline), Canadian banks have faced no such demand. Nevertheless, says a report from Boston-based researcher Celent, about 44 per cent of Canadian banks already have multifactor authentication in place for online banking.
One of the early adopters is Toronto-Dominion Bank, which launched EasyWeb IdentificationPlus in April. Customers are asked to choose five questions (and provide answers) from a series of lists.
Whenever a customer performs certain high-risk transactions or logs on to EasyWeb from a computer other than his or her usual one, the system poses one of the questions - such as asking for the name of your grandmother or perhaps what you studied at university.
TD knows when you log on from your usual computer because it places a Web "cookie" on your machine, explains Alexandra Shaw, vice-president of Internet banking. If the system doesn't detect your computer, it asks a question.
HSBC Bank Canada introduced a similar procedure last year, but poses questions no matter which computer a customer is using. This "challenge question" method is simple, and questions are chosen so that customers will remember the answers, says Shelley Maher, HSBC's vice-president of direct channels.
Royal Bank of Canada, Bank of Montreal, Canadian Imperial Bank of Commerce and ING Direct also use such questions.
Combining passwords with questions or Web cookies is the most popular multifactor authentication technique online, says Jacob Jegher, the Montreal-based senior analyst who wrote the Celent report.
But while financial institutions have focused much of their attention online, they're also investing in multifactor authentication methods that will make bank machine and phone transactions more secure. The thing is, only about 7 per cent of Canadians use the phone as their primary method of banking, versus 27 per cent for online, the Celent report says. So adding security provisions to this service hasn't been a priority.
Because it has no branches, ING Direct does more telephone banking than most. Since most people do their phone banking from their home phones, ING operators can check calling numbers against customer records, says Brenda Rideout, ING's chief information officer. That's the closest ING comes to multifactor authentication for phone banking.
Biometrics - identification by physical characteristics such as fingerprints - are popular for some multifactor authentication but not for online banking. Financial institutions use multifactor systems including biometrics to control access to physical facilities such as computer rooms, says Matthew Bogart, vice-president of marketing at Bioscrypt Inc., a Markham, Ont., biometrics equipment maker. Makers of automated banking machines are experimenting with fingerprint readers and software that recognizes customers' faces, Mr. Bogart says. He expects such devices will gain popularity in time.
Mr. Jegher isn't so sure. Bank machines already use two forms of authentication - the client card and personal identification number - and don't need another, he says. But he sees potential for biometrics in online and telephone banking.
Mr. Jegher says some U.S. banks are testing software that identifies voices. Ms. Rideout says ING has tested voice identification but "the match ratios aren't as high as we would like."
BMO has explored biometrics "probably for a good year now," says Lee Dunn, vice-president and chief security officer, but hasn't implemented anything.