Authentication in an Internet Banking Environment
a). According to the information in the case, do you think the bank satisfied the requirement for two-factor authentication?

Generally, two-factor authentication requires two forms of authentication (Panko, 117). For example, most online banking today requires you to log in with a username/password and also identify a security key or security image as an additional key. The Federal Financial Institutions Examination Council in 2005 required banks to use at least two-factor authentication.

Two-factor authentication utilizes two or more factors to verify customer identity, and these two factors are usually (something the person has) and (something the person knows). Simply using a username/password for identification is not enough for two-factor authentication according to the FFIEC. It looks like in the given case the bank used account numbers and passwords, and the customer had to answer two challenge questions. A username/password is only one factor, and challenge questions are still something the person knows rather than something the person has, so the bank did not satisfy the requirement of two-factor authentication.
b). According to the information in the case, do you think the bank was doing antifraud monitoring?

I do not think the bank was doing antifraud monitoring. This is because the bank knows Patco very well. The bank should know, or should have known, Patco's regular transaction behavior. A bank should keep track of its customers' behavior, such as how often they withdraw money and in what range. A bank should also keep track of how often its clients deposit money and in what range. In the case study, Patco only withdrew money for payrolls on Fridays. Its previous largest single-day withdrawal had been under $37,000.

It is obvious that when $588,000 was drained in consecutive transactions, the bank should have caught it as suspicious activity. The bank did not monitor these abnormal transactions, nor did it notify Patco promptly. Hence, it is clear that the bank had not been doing antifraud monitoring.

c). According to the information in the case, do you think Ocean Bank was negligent?

I definitely think Ocean Bank was negligent. First of all, it is clear that it was not following the two-factor authentication requirement set by the Federal Financial Institutions Examination Council at all.
It was not even meeting the minimum requirement of two-factor authentication. Secondly, the bank had not noticed the big withdrawals on consecutive days. Lastly, the bank had noticed a problem when the thieves entered one of the account numbers incorrectly, but did not notify Patco on time. They should have notified Patco by email or by calling them directly.

d). According to the information in the case, if you were head of Ocean Bank, what would you do to prevent the reoccurrence of this problem?

First of all, I would review the existing security procedures. I would want to make sure that security is treated as a management issue, not just a technology issue. Security management should cover the following areas: planning, authentication, firewalls, and responding to events. Security is not only about having a strong authentication mode or enforcing stronger passwords. It is about proper planning, appropriate risk analysis, and having proper policies and procedures in place. Secondly, I would make sure the security procedures follow the Federal Financial Institutions Examination Council standards.
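The monitoring that b) says the bank should have been doing, and the procedure review proposed in d), can be made concrete as a baseline-and-rule check over a customer's own transaction history. The Python below is an added example and is not part of the case or of the original answer. The transaction history and the burst of transfers are constructed to mirror the figures quoted above (weekly Friday payroll runs under $37,000, then about $588,000 moved over consecutive days); the rules and thresholds (a three-day rolling window and twice the largest day on record) are illustrative assumptions, not anything the case says the bank used.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transaction:
    when: date
    amount: float   # outgoing amount in dollars
    memo: str


@dataclass(frozen=True)
class Baseline:
    max_single: float        # largest single outgoing transaction on record
    max_daily_total: float   # largest one-day outgoing total on record
    weekdays: Set[int]       # weekdays on which the customer moved money (Mon=0)


def build_baseline(history: List[Transaction]) -> Baseline:
    """Summarise what 'normal' looks like for this one customer."""
    daily: Dict[date, float] = {}
    for t in history:
        daily[t.when] = daily.get(t.when, 0.0) + t.amount
    return Baseline(
        max_single=max(t.amount for t in history),
        max_daily_total=max(daily.values()),
        weekdays={t.when.weekday() for t in history},
    )


def flag_anomalies(baseline: Baseline, history: List[Transaction],
                   new_txns: List[Transaction], window_days: int = 3,
                   velocity_multiple: float = 2.0) -> List[Tuple[Transaction, str]]:
    """Return (transaction, reason) pairs for new transactions that break the baseline.

    Three illustrative rules (assumed thresholds, not from the case):
      - a single amount above the customer's historical maximum;
      - activity on a weekday the customer has never used;
      - the total over this day and the window_days-1 days before it exceeding
        velocity_multiple times the largest day on record.
    """
    alerts: List[Tuple[Transaction, str]] = []
    seen = list(history)
    for t in sorted(new_txns, key=lambda x: x.when):
        seen.append(t)
        if t.amount > baseline.max_single:
            alerts.append((t, "amount above historical maximum"))
        if t.when.weekday() not in baseline.weekdays:
            alerts.append((t, "activity on an unusual weekday"))
        start = t.when - timedelta(days=window_days - 1)
        window_total = sum(x.amount for x in seen if start <= x.when <= t.when)
        if window_total > velocity_multiple * baseline.max_daily_total:
            alerts.append((t, "rolling total above velocity threshold"))
    return alerts


# Constructed history: twelve weekly Friday payroll runs, every one under $37,000.
PAYROLL_AMOUNTS = [24000, 31000, 28500, 36500, 22000, 30000,
                   27000, 35000, 29000, 33000, 26000, 34000]
HISTORY = [Transaction(date(2021, 1, 8) + timedelta(weeks=i), amt, "payroll")
           for i, amt in enumerate(PAYROLL_AMOUNTS)]   # 2021-01-08 is a Friday

# Constructed burst: five transfers on consecutive business days totalling $588,000.
BURST = [
    Transaction(date(2021, 3, 29), 56000, "ach"),    # Monday
    Transaction(date(2021, 3, 30), 115000, "ach"),   # Tuesday
    Transaction(date(2021, 3, 31), 145000, "ach"),   # Wednesday
    Transaction(date(2021, 4, 1), 122000, "ach"),    # Thursday
    Transaction(date(2021, 4, 2), 150000, "ach"),    # Friday
]

# Constructed control case: an ordinary payroll run on the following Friday.
NEXT_FRIDAY = Transaction(date(2021, 4, 9), 30000, "payroll")


def run_demo() -> List[Tuple[Transaction, str]]:
    """Score the constructed burst against the constructed baseline."""
    baseline = build_baseline(HISTORY)
    return flag_anomalies(baseline, HISTORY, BURST)


if __name__ == "__main__":
    for t, reason in run_demo():
        print(f"{t.when} {t.amount:>10,.0f}  {reason}")
```

Every transfer in the burst trips at least one rule, and four of the five trip all three, while the ordinary payroll run on the next Friday produces no alert at all. The point for d) is that rules like these need a per-customer baseline and a defined response (hold the transfer, call the customer) to be useful; the rule engine alone is the easy part.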