Internet bank sets out to foil online fraudsters

RaboDirect, which has just come to the Irish market, has brought a more sophisticated authentication process to our shores, writes Laura Slattery

Keystroke loggers have got fraud sussed. No need to lurk around ATMs, "shoulder surfing" the innocent as they key in their personal identification numbers (Pins), then physically snatch the card. All they have to do is deploy viruses called trojans to infiltrate your computer and record every key you press as you enter your online bank account or make a credit card payment.

Fraudsters can then pilfer your finances while you remain completely unaware that you are being spied on.

This relatively new type of account fraud is on the rise, which could understandably make anyone who has ever shunned a branch queue in favour of a clean internet transaction a little jumpy.

But the spectre of keystroke logging won't trouble customers of RaboDirect.ie, a new online bank launched in the Republic this week. This is because RaboDirect has brought to our shores more sophisticated identity authentication procedures than those currently used by Irish banks.

RaboDirect.ie is part of Europe's largest internet bank, the Dutch-based Rabobank. It demands "two-factor authentication" - a procedure based on something you have and something you know.

The something you know is your username and your Pin. The something you have is a small device called a Digipass, developed by a company called Vasco, which looks unassumingly like a tiny calculator. These "tokens" are sent out to customers when they open a RaboDirect account.

When they want to log in or make a transaction, customers enter their user number into the required space on RaboDirect's site. But instead of inputting their five-digit Pin online, they key it into the Digipass. The device generates a unique six-digit code that remains valid for just 36 seconds, in which time the user enters it online. Even if trojans are logging their keystrokes, the code will have expired by the time fraudsters can do anything with it.
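To make the 36-second property concrete, here is an added Python model of a time-windowed one-time code and the server-side check behind it. This is not RaboDirect's or Vasco's code: the Digipass algorithm is proprietary and the article does not describe it, so the model uses a standard HMAC-over-time-counter construction (the TOTP approach of RFC 6238), and the shared secret, PIN and timestamps are constructed values. It shows the two things a defender cares about: a code captured by a keystroke logger is refused once its window has passed, and a code is refused a second time even inside its window (replay).

```python
import hmac
import hashlib
import struct

# RaboDirect's Digipass codes stay valid for 36 seconds (per the article).
WINDOW_SECONDS = 36


def _code_for_counter(secret: bytes, pin: str, counter: int) -> str:
    """Derive a six-digit code for one 36-second window.

    Assumption: the PIN keyed into the device is mixed into the MAC input, so a
    wrong PIN yields a different code. The real Digipass scheme is not public.
    """
    msg = struct.pack(">Q", counter) + pin.encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation, as in HOTP
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def generate_code(secret: bytes, pin: str, now: int, window: int = WINDOW_SECONDS) -> str:
    """Device side: the code shown on the token at Unix time `now`."""
    return _code_for_counter(secret, pin, now // window)


class Verifier:
    """Bank side: checks a submitted code and refuses expired or replayed ones."""

    def __init__(self, secret: bytes, pin: str, window: int = WINDOW_SECONDS):
        self.secret = secret
        self.pin = pin
        self.window = window
        self.used_counters: set[int] = set()   # windows whose code was already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // self.window
        # Accept the current window and the one just before it, so a code typed
        # near the end of its 36 seconds is not lost to network or typing delay.
        for counter in (current, current - 1):
            if counter in self.used_counters:
                continue                        # replay: code already spent
            expected = _code_for_counter(self.secret, self.pin, counter)
            if hmac.compare_digest(expected, code):
                self.used_counters.add(counter)
                return True
        return False                            # wrong, expired, or replayed


def keylogger_scenario(secret: bytes, pin: str, t0: int) -> dict:
    """Replay what a keystroke logger would capture and when it stops working.

    Returns the outcome of each step so the behaviour can be checked directly.
    """
    bank = Verifier(secret, pin)
    code = generate_code(secret, pin, t0)       # what the customer reads off the token
    return {
        "customer_login": bank.verify(code, t0 + 5),      # genuine use, same window
        "replay_same_window": bank.verify(code, t0 + 6),  # logger replays immediately
        "replay_after_expiry": Verifier(secret, pin).verify(code, t0 + 80),
    }


if __name__ == "__main__":
    # Constructed demo values; a real token's secret is provisioned by the bank.
    print(keylogger_scenario(b"constructed-shared-secret", "12345", 1_000_000))
```

The `used_counters` set is what turns "valid for 36 seconds" into "valid once": without it, a fraudster who captures the code and submits it a second later, still inside the window, would get in. In practice a bank would also bind the code to the session or transaction it was requested for, which this model leaves out.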

Two-factor authentication isn't new. Vasco's systems are used by 350 international financial institutions as well as blue-chips and governments in 80 countries. But none of the major banks here use it.

On a typical login, a bank will ask for a registration code. It will then ask for a different sequence of digits from the Pin each time, making it that bit harder for keystroke loggers. The third question, perhaps relating to work, home or mobile phone numbers, also has varying answers.

"It's similar to lottery numbers, the more permutations you have, the harder it is [for fraudsters to crack]," says Derek Powell, business development manager for security firm Unit 4. "But there's only X number of combinations. It's good, there's a triple layer in there, but it isn't foolproof. Two-factor authentication is a hell of a lot stronger."

It "absolutely makes sense" for AIB, Bank of Ireland et al to make the move, Powell adds.

"Our view is that they wouldn't have any choice really," says John Ryan, operations director of security specialists Entropy.

Up to now, the transactions permitted have been quite restricted, he notes. Transfers out of accounts are usually limited to utility firms or accounts within the same bank. To do anything more complicated, you need to phone the bank and set up a standing order. If the banks were to allow instant transfers from the account to another institution, as RaboDirect does, it would increase the risk of money being siphoned off into some unknown black hole.

Two-factor authentication also prevents phishing - a common but relatively simplistic scam where consumers are duped into revealing security details by fake e-mails purporting to be from the bank or credit card provider.

But two-factor authentication can be a costly administrative headache.

Dishing out tokens to customers could cost €50 per person, Ryan estimates, and then there's the hassle of replacing lost ones. RaboDirect offloads this cost somewhat by charging a replacement fee of €15 "if your dog eats it or you lose it down the back of the sofa too many times".

There are alternatives to Vasco's Digipass. Rival firm RSA produces tokens that hang off a keyring and generate a new code every 60 seconds, without the need to enter a Pin.

Meanwhile, a company called Entrust produces a Battleships-style grid, where users are asked to enter the numbers contained in different squares: A1, G2, E4 etc. The grid is not electronic and can be printed on a wallet-sized card, making it "obviously a lot less costly".

Another system developed by Swivel allows unique codes to be sent to customers' mobile phones by SMS, which might be appealing to Irish banks due to the high penetration of mobile phones here, says Ryan.

"It will send you a new code as soon as you use one up, so you wouldn't have to be in coverage. And if you get all these text messages and you're not logging on, you can tell if someone is hacking into your account," he says.

Digital certificates can also be used, but biometrics are the ultimate second-factor authentication. Eventually, consumers may have to offer up their fingerprints or their irises for scanning in order to get into their bank accounts as well as through US customs.

Internet banking users can probably afford to relax for the moment, however. Banks tend to quietly cover fraud losses in order to prevent thousands of customers from logging off permanently.

But whether they will be happy to shoulder the liability forever, nobody knows. There is a subtle difference, Ryan argues, between voluntarily covering losses in order to protect a fledgling brand and coughing up in the event of a major fraud.

"Bank customers would have to look seriously at the contract they are signing to see who is carrying the risk."

Powell believes that users will soon be legally obliged to have proper firewalls and anti-virus software installed on their computers.

In the meantime, stupidity never helps.

"Where two-factor authentication has been introduced, there have been problems with non-IT-literate people," says Powell. "They will write their Pin on the back of the token, which is great for remembering, but it does render the object of the exercise useless."