BOQ re-examines call centre authentication

Powered by SC Magazine
 

The Bank of Queensland has revealed it programmed a challenge-response application into existing internet banking security tokens that could be used in the future for call centre authentication.

The Bank of Queensland has revealed it programmed a challenge-response application into existing internet banking security tokens that could be used in the future for call centre authentication.

Challenge-response technology is seen as an alternative to having call centre agents ask for personal details such as mother's maiden name to verify the identity of callers.

It helps verify identity, typically, by asking the caller to repeat a randomly generated sequence of numbers from the token in order to complete a transaction or gain access to their account.

Speaking at the Vasco Banking Summit yesterday, BOQ's channel development manager for retail banking, Rick Mason, said the bank initially programmed three applications into the Vasco hardware tokens to make them more future-proof.

It has already launched two of the three applications.

The bank's internet banking tokens are currently capable of generating either a one-time password or performing transaction signing.

Transaction signing uses data supplied by the user to generate a pass code which then allows the transaction to proceed.

"We put challenge-response in there to future-proof our tokens because we may use them in the future to authenticate into our call centres," Mason said.

"The token already uses challenge-response functionality for unblocking PINs but we may extend it in the future for either way authentication."

"It's relatively easy to bypass the security of a call centre," said Mason.

"People put the same type of personal details on their Facebook profiles that we ask for in our call centres to identify them. Maybe in the future we'll use challenge-response [to resolve this]."

Mason said the BOQ originally specified the tokens to handle all three potential authentication applications.

"We only wanted to do this [rollout of tokens] once," Mason said. "The customer education process can be painful."

BOQ said it has issued 31,500 tokens to date "against 161,000 active internet banking users."

The tokens are predominately Vasco DB260 products that have been branded as BOQ.

Mason said BOQ customers are able to select their own daily transaction limits when they sign up for internet banking.

Token use is required only for customers that select a daily limit of $10,000 or more.

"The thing is that nine out of ten people think, ‘I'm so important I want the top limit', but you have to educate customers on what that means," Mason said.

"We initially wasted some tokens because people took them and then didn't use them or decided they didn't need that limit anymore."

He continued: "If you select a daily limit of $10,000 then you're forced to use a token for each and every transaction, even if it's for 50 cents.

"We do get some complaints with transaction signing [in particular] but if you don't like it drop your limit below $10,000.

"Yes it's a bit arrogant but it's a trade-off between having high value limits and high security."


 
 
 
Top Stories
Business-focused Windows 10 brings back the Start menu
Microsoft skips 9 for the "greatest enterprise platform ever".
 
Feeling Shellshocked?
Stay up to date with patching for the Bash bug.
 
Amazon forced to reboot EC2 to patch Xen bug
Rolling restarts over next week.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  66%
 
Advanced persistent threats
  5%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1376

Vote