Authentication Tools for Business eBanking: the Good, the Bad, the Necessary

It may seem tedious, but verifying your identity when banking online, our Cash Management Experts agree, is a crucial security measure for any business. Below, we outline the good, the bad, and the necessary when it comes to authentication protocols and layered security controls that better detect and prevent online banking fraud.

What is Authentication?

Authentication describes the process of verifying the identity of a user when logging in to an online banking session. Typically, the user initially provides valid identification information and later matches one or more authentication credentials—something the user is, has or knows—to prove his identity. 

Authentication methods are numerous, ranging from simple to complex, single-factor to multi-factor, and include security tokens and out-of-band authentication (OOBA).

Security Tokens

Tokens, akin to electronic keys, are pocket-sized devices that either connect to your computer (USB tokens plug directly into the USB port and Smart Cards are inserted into an attached card reader) or generate a one-time password (OTP) every 30-60 seconds that must be entered into the login screen. They are considered a multi-factor authentication technique because they verify the user’s identity using two factors.

In the case of USB tokens and Smart Cards, the device must first be recognized (first factor) before the user is prompted to log in to the banking portal (second factor). With password-generating tokens, you must enter your username and password (first factor) and then the OTP generated by the token (second factor).        

The Good: Small, durable, and easy to carry, tokens are extremely user-friendly.  Because they’re tamper-resistant, time-sensitive/synchronous, and hard to duplicate, they prove to be a secure storage device for personal information. They can also save digital certificates that can be used in a public key infrastructure (PKI) environment. 

     
The Bad: You must have access to the token whenever you want to log in to your online bank accounts from a remote location. Smart Cards also require an additional card reader attached to the computer and the compatible software. Even though their small size enhances tokens’ portability and usability, it makes them easier to lose.    

Out-of-Band Authentication

When a user’s login attempt or transaction initiation seems suspicious or risky, deviating from the normal processing environment or transaction history (e.g. an unrecognized computer or connection, upgrades, an unusual geographic location, changed computer settings, high or unusual wire or ACH amounts, etc.), out-of-band authentication requires you to identify yourself via another channel:

• Phone Call- You first select a phone number from the list on record with your bank (this may include work lines and mobile numbers). You will then receive an automated phone call containing the code that must be entered into the login screen on your computer. For non-direct dial extensions, you can program a number of control codes to accommodate your phone system’s setup (pound, star, short pause, long pause, etc.).
• Text Message- You will have the option to select a mobile phone number or enter one (it must match a number already on file) before receiving a text message containing the security code.  You must enter the code in the login screen before proceeding.  
• App Notification- This is a very recent innovation, which offers push button authentication with direct access to a security platform that communicates with the Internet banking application.  

The Good:  Even if criminals acquire your personal information through keystroke logging software, phishing or background checks, they cannot hack your accounts without access to your phone.

The phone works particularly well as an out-of-band channel because it can record the call, the number dialed and answered, time stamps from the telephone service provider, and real-time voice biometric comparison. 

Out-of-band authentication is simple, easy to use, and doesn’t require additional training or installation of hardware.         

The Bad: Frequent out-of-band authentication can sometimes be monotonous and aggravating, but you can take steps to ensure the system better recognizes the difference between legitimate and fraudulent activity. Make sure your computer allows Third-Party Cookies, Javascript, Flash, Silverlight, and a modern browser set to load images automatically, remember history, and save cookies on exit. 

The Necessary

With fraudsters finding increasingly clever ways to hack into bank accounts, online criminal activity has become pervasive. Business owners can find themselves plagued with misappropriated funds, drained accounts, and fraudulent wire and ACH transfers.

In an online environment like that, multi-factor authentication, layered security controls, and annual risk assessments are becoming more essential than ever. Tokens and out-of-band authentication significantly reduce the chances of cybercriminals hijacking your accounts because most lack the time, resources, and technical sophistication to outmaneuver these security measures.

Tokens and out-of-band authentication: the necessary.          

Authentication for Your Business

How do you know which authentication tools are right for your business? Your bank will assess the risk associated with your account—considering your industry, transactional capabilities, sensitivity of information, access to technology, and transaction volume—and suggest the authentication methods best suited to your needs.   

Contact your financial institution’s Cash Management Department to learn more about tokens, out-of-band authentication, and safeguarding your confidential information!