CBA to expand two-factor authentication

CBA implemented NetCode in January 2007 in response to what it called a "fraud issue" between August and October 2006.

NetCode generates a one-time password (OTP) and sends it to customers via SMS messages or a security token.

The customer then types this code into NetBank to authenticate a transaction.

The tokens are provided by authentication company Vasco while the SMS system was developed in-house primarily based on "learnings" from New Zealand's ASB Bank, which CBA owns.

As of January, CBA said it had deployed some 80,000 tokens and had another 1.45 million customers using SMS.

Until now, NetCode has been limited to customers with high daily transaction limits. Tokens are provided to the most active customers within that set while the SMS option has been reserved for "less active" users.

"Our plan now is to roll that out across all our customer base," said Drew Unsworth, general manager of online banking within the CBA's direct channels and retail banking division.

"We're of the belief that we can use it [NetCode] to bring fraud levels down so far they become insignificant."

CBA said it currently has in excess of 2.5 million retail banking customers that are active NetBank users and that the Bank was signing on some 60,000 new users per month.

"Customer behaviour is changing," Unsworth said.

"For many customers online is the preferred way to interact with us."

Unsworth told delegates at the Vasco Banking Summit in Sydney that CBA is favouring SMS technology to extend the NetCode system to more customers because it offered a lower cost of distribution than that of hardware authentication tokens.

"If we gave customers a choice it would probably be more like 50/50 requesting tokens or SMS," he said.

While SMS would simplify future rollout plans, Unsworth said CBA would also focus on reducing the ongoing management costs associated with the NetCode system.

"It's all very well getting it into customers' hands but we had 7,000 calls in December from customers to tell us that their token doesn't work and can you help me with it," Unsworth said.

"That quickly adds up. We want to look at how to reduce the number of calls to the call centre."

Unsworth said CBA has now introduced ways for customers to unfreeze the token themselves, negating the need to call for support.

He also indicated that once more customers join NetCode, CBA may look to transition some SMS users across to token-based authentication.

"The number of SMS messages sent by customers varies from zero up to 61 per month," he said.

"If someone is doing that many messages, it's better for them to have a token.

"We're working on what that bell curve looks like now to work out which customers would be better transferred across to a token."

Unsworth said the introduction of NetCode and stronger security practices at the Bank generally since its earlier issues with fraud had led to increased confidence "about putting more into Internet banking".