Arrehed comments: Having had the pleasure to work with banks around the world to help them design and implement security solutions for their online banking systems, my colleagues and I have learned a few things about what to do to deliver secure yet user-friendly solutions.
For starters, as long as it makes customers feel secure and enables them to access more (preferably all) banking services online, it's okay to trade off a small amount of convenience in the user login experience.
Arrehed provides suggestions on how to use advanced security technologies of today to build an online banking system that offers strong security, whilst maintaining high convenience and access to as many services as you want to make available:
- At the time of log in, let customers choose which authentication method to use based on what they intend to use the service for.
- Give customers the option to configure their own security levels.
- Let customers decide which type of device to connect from.
- Integrate the online banking system and its security with your other operations to give customers a consistent sense of your approach to security.
- Let customers use the same security credential as they use for online banking when they access other bank services.
- Give customers good support the way they want it: through FAQ on the website, online chat, telephone, email, face to face or by letter.
One typical misconception in online banking is that security begins and ends with securely authenticating account access.
That's not the way I have learnt to look at it. The real risk for online banking customers is that someone steals money from their accounts. It therefore makes a lot of sense to focus more on ways to secure the actual money transfers than just the access to the service, continues Arrehed.
Based on his experience with successful online banks, Arrehed says banks have done just that and he shares a few recommendations they gave:
- Make it as easy as possible. Only ask for transaction signing when money is transferred to accounts other than the customer's own accounts, and allow transactions to be batched.
- Use a secure but risk-appropriate technology to carry out the transaction signing. Smart cards, tokens, soft tokens and SMS text messages are all good ways to provide electronic transaction signing.
- Make sure that it is clear to the user what is being electronically signed. This is to prevent the risk of man-in-the-middle attacks, which is particularly important now given the recent attacks on trusted Certificate Authority providers and hacks of the session security protocol mechanisms (SSL/TLS) used by our web browsers.
- Store the transaction data, including the customer's electronic signature, in a secure tamper-evident audit database for archiving purposes. It can be very useful to be able to prove that a money transfer was correctly carried out and approved many years after it happened.
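The signing, verification and archiving steps in the list above, worked through as an added example that is not part of the original article or of any product Arrehed describes. It assumes an HMAC-SHA256 signature of the kind a soft token or hardware token would compute over exactly the fields the customer is shown (beneficiary, amount, currency, reference), a constructed shared secret and constructed transaction values, and an in-memory hash-chained log standing in for the tamper-evident audit database. It shows why binding the signature to the displayed data matters: a transfer whose beneficiary was altered after signing fails verification at the bank, and a later edit to an archived record breaks the audit chain.

```python
import hashlib
import hmac
import json

# Constructed demo secret standing in for the per-customer key that a smart card,
# token or soft token would hold after enrolment (hypothetical value, never reuse).
CUSTOMER_SECRET = b"constructed-demo-secret-do-not-reuse"

# The fields the customer is shown on the signing screen. The signature covers
# exactly these, so what is signed is what was displayed.
SIGNED_FIELDS = ("beneficiary", "amount", "currency", "reference")


def canonical_transaction(tx: dict) -> bytes:
    """Deterministic encoding of the displayed fields (sorted keys, no whitespace)."""
    shown = {field: str(tx[field]) for field in SIGNED_FIELDS}
    return json.dumps(shown, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(secret: bytes, tx: dict) -> str:
    """Signature the customer's token produces over the displayed transaction."""
    return hmac.new(secret, canonical_transaction(tx), hashlib.sha256).hexdigest()


def verify_transaction(secret: bytes, tx: dict, signature: str) -> bool:
    """Bank-side check: recompute over the transaction as the bank received it.
    Any field changed between the customer's screen and the bank no longer matches."""
    return hmac.compare_digest(sign_transaction(secret, tx), signature)


def _entry_hash(prev_hash: str, tx: dict, signature: str) -> str:
    """Hash of one audit entry, chained to the previous entry's hash."""
    payload = prev_hash.encode() + canonical_transaction(tx) + signature.encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only, hash-chained record of approved transfers (in-memory stand-in
    for the tamper-evident archive). Each entry commits to its predecessor, so
    editing or deleting an earlier entry breaks the chain from that point on."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []

    def append(self, tx: dict, signature: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"tx": dict(tx), "signature": signature, "prev": prev}
        entry["hash"] = _entry_hash(prev, entry["tx"], signature)
        self.entries.append(entry)
        return entry["hash"]

    def verify_chain(self) -> bool:
        """Re-walk the chain; False as soon as any link or entry hash disagrees."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            if entry["hash"] != _entry_hash(prev, entry["tx"], entry["signature"]):
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Walk through signing, verification and archiving with constructed values."""
    tx = {"beneficiary": "SE00 1111 2222 3333", "amount": "1250.00",
          "currency": "SEK", "reference": "Invoice 4711"}  # constructed sample transfer
    signature = sign_transaction(CUSTOMER_SECRET, tx)

    # Same signature, but the beneficiary differs from what the customer saw.
    altered = dict(tx, beneficiary="SE00 9999 9999 9999")

    log = AuditLog()
    log.append(tx, signature)
    second = dict(tx, amount="80.00", reference="Invoice 4712")
    log.append(second, sign_transaction(CUSTOMER_SECRET, second))
    chain_before = log.verify_chain()
    log.entries[0]["tx"]["amount"] = "9999.00"  # later edit of an archived record

    return {
        "genuine_verifies": verify_transaction(CUSTOMER_SECRET, tx, signature),
        "altered_verifies": verify_transaction(CUSTOMER_SECRET, altered, signature),
        "chain_before_edit": chain_before,
        "chain_after_edit": log.verify_chain(),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the token never signs an opaque challenge: it signs a canonical encoding of the same values the customer reads on screen, so the bank's verification and the customer's approval refer to the same transfer. A production archive would add a trusted timestamp and periodic anchoring of the chain head to external storage, which the in-memory log above leaves out.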
Arrehed concludes: Every bank obviously has its own advantages, challenges and security needs. Your security solution, including authentication and money transfer approval mechanisms, therefore needs to be specifically defined to meet those needs.