Galexia
             home
       about us
        services
        projects
       research
          contact
» home » research » assets » eft review  

Subscribe to Galexia news and announcements.
More information »

Privacy Impact Assessment (PIA): This tool identifies privacy issues in specific sectors or applications. By using the PIA tool at the design stage of an implementation organisations can avoid privacy errors and the costs of rectification at later stages. Find out more »

[2018 Global Cloud Computing Readiness Scorecard]

2018 Global Cloud Computing Readiness Scorecard
Find out more »

Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)

[« previous] [next »] [up] [title page] [full contents]

Attempts to Strengthen Two-factor Authentication

There have been attempts to improve the ability of two-factor authentication to combat online fraud. For example, rather than prompt the user to enter a passcode presented by their token at the time of login, The National Australia Bank has created a system in which the customer is prompted to enter the latest passcode displayed by their token (in this case, their mobile phone) whenever an outside-payment transaction is initiated on their account.[45] Arguably, it is hard for a fraudulent man-in-the-middle to obtain these subsequent passcodes even if they have obtained the customer’s login credentials, since the customer is unlikely to supply further passcodes to authorise transactions that they did not initiate themselves.

However, a man-in-the-middle could circumvent this by creating a mechanism whereby the user is prompted (through a spoofed interface) to supply another passcode after they have logged in. The man-in-the-middle could then immediately use this passcode to initiate a transaction on the customer’s account. The NAB’s system deals with this problem to some extent by ensuring that customers only have access to passcodes once they have been sent to the customer’s mobile phone – the customer does not have a token that is able to generate the passcodes independently of the bank’s involvement.

[45] National Australia Bank, SMS Payment Security, 2007, <http://www.nab.com.au/Personal_Finance/0,,82833,00.html>.

[« previous] [next »] [up] [title page] [full contents]

[view all] [download PDF version]

[up to research]

 

Search for:

HERE

PrintVersionprint this page

Sitemapsitemap

Subcribe to RSS newsrss news feed

Manage email subscriptionsmanage email subscriptions

Latest News

September 2019
Register of Public Galexia PIAs. Read more »

September 2019
Updates to Galexia Website. Read more »

September 2019
PM&C / Office of the National Data Commissioner (ONDC) releases Discussion Paper and accepts recommendations from Galexia’s PIA on the proposed Data Sharing and Release legislative framework. Read more »

August 2019
Galexia providing privacy advice and an independent public Privacy Impact Assessment (PIA) on 2021 Census for ABS. Read more »

June 2019
Galexia completes privacy advice and an independent Privacy Impact Assessment (PIA) on the Naval Shipbuilding College Workforce Register. Read more »

view all news items »

[Home] [Sitemap] [Print this page] [Privacy statement]

© Galexia Pty Ltd
Telephone: +61 (02) 9660 1111
Email: [email protected]