Security in Online Banking (Strategic Focus)

Table of Contents

OVERVIEW

• Catalyst
• Summary

KEY MESSAGES

• Online banking has grown, as has the range of things that customers are doing online
• Banks are increasing IT spend on online services and online security this year
• There are opportunities in client-side and back-end authentication technologies
• The US has a broader definition of 2FA/MFA than Europe
• Mobile phones are gaining traction as a channel for delivering a second factor
• A tiered approach to online security is advisable
• As phishing increases banks will need to do more on reverse authentication
• User education will be required for some types of technology

MARKET OPPORTUNITY

• Online banking has grown, as has the range of things customers are doing online
  • More account holders are banking online
  • More account holders are transferring funds online
  • The increasing popularity of online banking raises its profile for fraudsters

• Banks are increasing IT spend on online services and online security this year
• There are opportunities in client-side and back-end authentication technologies

TECHNOLOGY EVOLUTION

• Adoption of 2FA/MFA has varied markedly by region
  • Europe was first to adopt 2FA
  • Initiatives in Asia Pacific got underway mid-decade
  • In the US, the FFIEC called for the implementation of 2FA, but was not prescriptive about the type of technology

• The US has a broader definition of 2FA/MFA than Europe
• The FFIEC' s non-prescriptive approach has spawned alternative technologies in the US
• Mobile phones are gaining traction as a channel for delivering a second factor

CUSTOMER IMPACT

• Online security must be integral to banks' business
• A tiered approach to online security is advisable
• As phishing increases banks will need to do more on reverse authentication
• User education will be required for some types of technology

COMPETITIVE LANDSCAPE

• Client-side technologies
  • ActivIdentity
  • Authentify
  • Commerce Media
  • CRYPTOCard
  • Fronde Anywhere
  • Gemalto
  • GrIDsure
  • IBM
  • PassFaces
  • SafeNet
  • SecurEnvoy
  • Thales
  • Vasco
  • VeriSign
  • Vett

• Back-end technologies
  • ACI
  • Entrust
  • Ericsson
  • Guardian Analytics
  • Iovation
  • Quova
  • RSA
  • Tier-3

GO TO MARKET

• Recommend a mixture of technologies
• Disruption to existing infrastructure is to be discouraged
• Banks will need help with user education
• Delivering technology as a service will appeal to smaller US and German institutions
• Channel partners will be key in such accounts
• Countries with greater banking concentration prefer to buy products
• The fight against fraudsters will go on, so a long game may be in order

APPENDIX

• Definitions
  • CAPTCHA
  • IP geolocation
  • Man-in-the-middle (MITM) attacks
  • Man-in the-browser (MITB) attacks
  • One-time password (OTP)
  • Out-of-band authentication (OOBA)
  • Transaction Authentication Number (TAN) lists
  • Two-factor authentication/Multi-factor authentication (2FA/MFA)

• Methodology
• Further reading
• Ask the analyst
• Datamonitor consulting
• Disclaimer

FIGURES

• Figure: Percentage of US adults who “do some internet banking” (i.e. not necessarily daily)
• Figure: European banks' investment priorities for payments in 2009
• Figure: North American banks' investment priorities for payments in 2009
• Figure: European banks' channel investment priorities for 2009
• Figure: North American bank' s channel investment priorities in 2009