Why endpoint security in banking has only just begun

The CIO of ING Direct Canada and Info-Tech Research discuss the limits of two-factor authentication and why the Internet remains an area of risk for financial institutions


Banks have had a harder time creating a secure Internet banking environment for consumers than they had building vaults and hiring armoured cars to deliver cash. Their own IT security infrastructure is often world-class, yet their clients are constantly a security liability. People use their birthdays as PINs, give their credit card numbers to dubious companies online, and use privately owned ATMs where a “man in the middle” could be waiting to steal their information.

It’s true that better fraud detection systems are now in place and are being automated. They report suspicious transactions and will completely block access to an account when a consumer appears to have spent the morning buying both hardware in Toronto and fashion accessories in Paris. But these are responses to the rampant problems of skimming and spyware, not preventative measures.

Effective endpoint security continues to be the sticking point. James McCloskey, a senior research analyst at Info-Tech Research Group, notes that banks rely on “two-factor” authentication; for example, demanding a password plus the answer to a personal question to access an account. While it’s a good security practice in principle, he says it can be exploited by determined hackers because of the small pool of questions users have established for themselves.

“The keystroke logger can get that ‘second factor,’ if you will, which is simply an answer to a question which stays static,” says McCloskey. “Just because there may be five or seven questions doesn’t really give enough of what we call ‘entropy’…that would be a detriment to the keystroke logger.”

As such, some banks are now moving towards developing “true” multi-factor authentication, notably in the mobile arena, where the devices themselves are secured via a PIN, for instance. “That’s not something that can be easily spoofed,” he says.

Charaka Kithulegoda, CIO of ING Direct Canada, says as a bank that does business primarily online, IT security is of paramount concern at his organization. Deploying the infrastructure itself is the easy part. More difficult is getting the end-users to play their part. “The issue that I think everybody faces is changing consumer behaviour,” he says.

The dilemma facing banks is that today’s consumers aren’t willing to jump through hoops to get to their banking. They want security, but they also want their interactions to be quick and painless. On the bank’s side of things, “you have to work really hard to put simple and secure together,” says Kithulegoda.

Good endpoint security must be simple, though, he says. Otherwise, users will find ways to render it easier to use and invariably less secure (writing down passwords, for example), or find ways to bypass it.

“We totally agree that in today’s…second-factor authentication, there is a lot of room for improvement. So, for example, what we are saying is instead of getting somebody to install something on their machine and sort of increase barriers to security, why not take advantage of what the devices and customer behaviours offer us?”

Kithulegoda sees “many opportunities” to increase mobile banking security from this perspective, and ING is now running several relevant pilot projects. They include biometric fingerprint scanning, voice recognition, and face recognition technologies. All allow for a quick, “seamless experience” for the user, he says.

“You can put the best security procedure in place,” he adds. But “if your customer’s not going to use it, I would question the value of it.”

Get more insight into protecting customer data by downloading ‘The Internet Security eBook: A Self-Assessment Guide,’ from Allstream. 

Image courtesy of Graeme Weatherston at FreeDigitalPhotos.net



  1. If ING is so concerned about online security, why do they restrict my password to six or eight digits? No alpha, no punctuation, nothing that other companies use. They have a lot of work to do yet.

    Gordon Hewit / 9 years ago
    • I’m inclined to agree, but what I’d like to see more of is much-increased password lengths, personally. Regardless of punctuation and special characters, a passphrase (e.g., “banks use self-adhesive envelopes for ATM deposits”) is very secure from brute force attacks and is much easier to remember than a randomly generated potpourri of letters, numbers and characters.

      Brian Bloom / 9 years ago
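Two points on this page turn on the same quantity, entropy: McCloskey's remark that a static answer drawn from a pool of five or seven questions adds little once a keystroke logger has seen it, and the commenters' contrast between a six- or eight-digit password and a long passphrase. The script below, an added example that is not part of the article and not code from ING Direct or Info-Tech, puts numbers on both. The guess rates, the assumed unpredictability of a security-question answer, the 94-symbol printable alphabet and the 7,776-word passphrase list are constructed assumptions for illustration; every figure it produces is an upper bound, since real users choose birthdays and common words rather than uniformly random secrets.

```python
import math

# Constructed assumptions, not figures from the article.
ONLINE_GUESSES_PER_SEC = 10        # rate-limited web login form
OFFLINE_GUESSES_PER_SEC = 1e9      # attacker cracking a leaked hash locally
ASSUMED_ANSWER_BITS = 20.0         # guessed unpredictability of one security answer
WORDLIST_SIZE = 7776               # size of a diceware-style passphrase word list


def policy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret chosen uniformly from alphabet_size ** length
    possibilities. Real secrets are rarely uniform, so this is a ceiling."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet needs at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def static_second_factor_bits(pool_size: int, answer_bits: float, captured: bool) -> float:
    """Entropy a static security question adds on top of the password.

    pool_size:   questions the user registered (the article cites five or seven)
    answer_bits: assumed unpredictability of one answer to a stranger
    captured:    True once a keystroke logger has recorded the answer

    A captured answer is simply replayed, so it contributes nothing. Even an
    uncaptured one adds only the answer itself plus log2(pool_size) bits for
    which question happened to be asked.
    """
    if pool_size < 1:
        raise ValueError("pool_size must be >= 1")
    if captured:
        return 0.0
    return math.log2(pool_size) + answer_bits


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration as a short human-readable string."""
    units = (("seconds", 60.0), ("minutes", 60.0), ("hours", 24.0),
             ("days", 365.25), ("years", None))
    value = seconds
    for name, factor in units:
        if factor is None or value < factor:
            return f"{value:.1f} {name}"
        value /= factor
    return f"{value:.1f} years"  # unreachable, keeps type checkers happy


def compare_policies() -> dict:
    """Entropy ceiling for the password shapes discussed on the page."""
    return {
        "6-digit PIN": policy_bits(10, 6),
        "8-digit PIN": policy_bits(10, 8),
        "8 printable chars (94 symbols)": policy_bits(94, 8),
        f"7-word passphrase ({WORDLIST_SIZE}-word list)": policy_bits(WORDLIST_SIZE, 7),
    }


def compare_second_factor(pool_size: int = 7) -> dict:
    """8-digit PIN plus a static question, with and without a keylogger present."""
    base = policy_bits(10, 8)
    return {
        "password only": base,
        "password + uncaptured question":
            base + static_second_factor_bits(pool_size, ASSUMED_ANSWER_BITS, captured=False),
        "password + keylogged question":
            base + static_second_factor_bits(pool_size, ASSUMED_ANSWER_BITS, captured=True),
    }


if __name__ == "__main__":
    print("Password policy ceilings:")
    for label, bits in compare_policies().items():
        online = human_duration(seconds_to_exhaust(bits, ONLINE_GUESSES_PER_SEC))
        offline = human_duration(seconds_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC))
        print(f"  {label:38s} {bits:6.1f} bits  online {online:>14s}  offline {offline:>14s}")
    print("\nStatic second factor on top of an 8-digit PIN:")
    for label, bits in compare_second_factor().items():
        print(f"  {label:38s} {bits:6.1f} bits")
```

The offline column is the one that matters once a password database leaks; the online column shows why rate limiting and lockout, which the article credits banks with, carry so much of the load for digit-only passwords. The second table makes McCloskey's point directly: the static question is worth a few bits against a stranger and zero against anyone who has already logged the keystrokes, whereas a factor bound to the device, as in the mobile PIN he describes, is not replayable from a captured keystroke stream.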