BOQ re-examines call centre authentication

Powered by SC Magazine
 

The Bank of Queensland has revealed it programmed a challenge-response application into existing internet banking security tokens that could be used in the future for call centre authentication.

Challenge-response technology is seen as an alternative to having call centre agents ask for personal details such as mother's maiden name to verify the identity of callers.

It typically verifies identity by asking the caller to repeat a randomly generated sequence of numbers from the token in order to complete a transaction or gain access to their account.
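How a call-centre challenge-response check of the kind described above can work, as an added example that is not from the article, BOQ or Vasco. The HMAC-SHA256 construction, 8-digit challenge, 6-digit response, 120-second lifetime and all names are assumptions, since the article does not describe the token's algorithm.

```python
import hashlib
import hmac
import secrets
import time

DIGITS = 6            # assumed length of the code the caller reads out
CHALLENGE_TTL = 120   # assumed lifetime of a challenge, in seconds


def token_response(secret: bytes, challenge: str) -> str:
    """Token side: MAC the challenge with the per-token secret, truncate to digits."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation in the style of RFC 4226
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class CallCentreVerifier:
    """Agent-side service: issues challenges and checks the caller's response."""

    def __init__(self, secrets_by_customer):
        self._secrets = secrets_by_customer   # customer id -> token secret
        self._pending = {}                    # customer id -> (challenge, expiry)

    def issue_challenge(self, customer_id, now=None):
        now = time.time() if now is None else now
        challenge = f"{secrets.randbelow(10 ** 8):08d}"  # unpredictable, 8 digits
        self._pending[customer_id] = (challenge, now + CHALLENGE_TTL)
        return challenge

    def verify(self, customer_id, response, now=None):
        now = time.time() if now is None else now
        # pop() makes every challenge single use, whether the check passes or
        # fails, so an overheard response cannot be replayed or brute-forced.
        pending = self._pending.pop(customer_id, None)
        secret = self._secrets.get(customer_id)
        if pending is None or secret is None:
            return False
        challenge, expiry = pending
        if now > expiry:
            return False
        expected = token_response(secret, challenge)
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(expected.encode(), response.encode())
```

The agent never sees the token secret or any personal detail, only a code that is valid for one challenge.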

Speaking at the Vasco Banking Summit yesterday, BOQ's channel development manager for retail banking, Rick Mason, said the bank initially programmed three applications into the Vasco hardware tokens to make them more future-proof.

It has already launched two of the three applications.

The bank's internet banking tokens are currently capable of generating either a one-time password or performing transaction signing.

Transaction signing uses data supplied by the user to generate a pass code which then allows the transaction to proceed.

"We put challenge-response in there to future-proof our tokens because we may use them in the future to authenticate into our call centres," Mason said.

"The token already uses challenge-response functionality for unblocking PINs but we may extend it in the future for either way authentication."

"It's relatively easy to bypass the security of a call centre," said Mason.

"People put the same type of personal details on their Facebook profiles that we ask for in our call centres to identify them. Maybe in the future we'll use challenge-response [to resolve this]."

Mason said the BOQ originally specified the tokens to handle all three potential authentication applications.

"We only wanted to do this [rollout of tokens] once," Mason said. "The customer education process can be painful."

BOQ said it has issued 31,500 tokens to date "against 161,000 active internet banking users."

The tokens are predominately Vasco DB260 products that have been branded as BOQ.

Mason said BOQ customers are able to select their own daily transaction limits when they sign up for internet banking.

Token use is required only for customers who select a daily limit of $10,000 or more.

"The thing is that nine out of ten people think, 'I'm so important I want the top limit', but you have to educate customers on what that means," Mason said.

"We initially wasted some tokens because people took them and then didn't use them or decided they didn't need that limit anymore."

He continued: "If you select a daily limit of $10,000 then you're forced to use a token for each and every transaction, even if it's for 50 cents.

"We do get some complaints with transaction signing [in particular] but if you don't like it drop your limit below $10,000.

"Yes it's a bit arrogant but it's a trade-off between having high value limits and high security."

