Generally, two-factor authentication requires two forms of authentication (Panko, 117). For example, most online banking today requires you to log in with a username/password and also identify a security key or security image as an additional key.
In 2005, the Federal Financial Institutions Examination Council (FFIEC) required banks to use at least two-factor authentication. Two-factor authentication uses two or more factors to verify customer identity, and these two factors are usually something the person has and something the person knows. According to the FFIEC, simply using a username/password for identification was not enough for two-factor authentication. It looks like in the given case the bank used account numbers and passwords, and the customer had to answer two challenge questions. Username/password is only one factor, and hence the bank did not satisfy the requirement of two-factor authentication.
b). According to the information in the case, do you think the bank was doing antifraud monitoring?
I do not think the bank was doing antifraud monitoring. This is because the bank knows Patco very well. The bank should know or should have known Patco's regular transaction behavior. A bank should keep track of its customers' behavior, such as how often they withdraw money and in what range. It should also keep track of how often its clients deposit money and in what range. In the case study, Patco only withdrew money for payroll on Fridays. Its previous largest single-day withdrawal had been under $37,000.
It is obvious that when $588,000 had been drained in consecutive transactions, the bank should have caught it as suspicious activity. The bank did not monitor these abnormal transactions, nor did it notify Patco promptly. Hence, it is clear that the bank had not been doing antifraud monitoring.
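The kind of behavioral monitoring described in this answer can be sketched in a few lines. This is an added example, not part of the original answer or the case record: it builds a baseline from a customer's past withdrawals and flags days that fall on an unusual weekday, exceed the historical single-day maximum, or directly follow another withdrawal day. All dates, amounts, function names, and the 1.25 tolerance are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

def build_baseline(history):
    """history: list of (date, amount) withdrawals known to be legitimate."""
    daily = defaultdict(float)
    for day, amount in history:
        daily[day] += amount
    return {
        "weekdays": {d.weekday() for d in daily},  # weekdays the customer normally uses
        "max_daily": max(daily.values()),          # largest single-day total so far
    }

def review(baseline, transactions, tolerance=1.25):
    """Return {date: [reasons]} for each day whose withdrawals break the baseline."""
    daily = defaultdict(float)
    for day, amount in transactions:
        daily[day] += amount
    alerts, previous = {}, None
    for day in sorted(daily):
        reasons = []
        if day.weekday() not in baseline["weekdays"]:
            reasons.append("unusual weekday")
        if daily[day] > baseline["max_daily"] * tolerance:
            reasons.append("amount above historical maximum")
        if previous is not None and (day - previous).days == 1:
            reasons.append("withdrawals on consecutive days")
        if reasons:
            alerts[day] = reasons
        previous = day
    return alerts

# Constructed sample data: Friday payroll withdrawals, all under $37,000.
HISTORY = [(date(2024, 1, 5), 31500.0), (date(2024, 1, 12), 36200.0),
           (date(2024, 1, 19), 29800.0), (date(2024, 1, 26), 34100.0)]
# Constructed sample data: one normal Friday, then a burst of large withdrawals.
NEW = [(date(2024, 2, 2), 33000.0), (date(2024, 2, 8), 56000.0),
       (date(2024, 2, 9), 115000.0), (date(2024, 2, 12), 99000.0)]

if __name__ == "__main__":
    for day, reasons in review(build_baseline(HISTORY), NEW).items():
        print(day.isoformat(), "->", ", ".join(reasons))
```

A flagged day would be held for review or trigger a prompt call to the customer, which is the notification step the answer says was missing.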
c). According to the information in the case, do you