Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)

Attempts to Strengthen Two-factor Authentication

There have been attempts to improve the ability of two-factor authentication to combat online fraud. For example, rather than prompting the user to enter a passcode displayed by their token at the time of login, the National Australia Bank has created a system in which the customer is prompted to enter the latest passcode displayed by their token (in this case, their mobile phone) whenever an outside-payment transaction is initiated on their account.[45] Arguably, it is hard for a fraudulent man-in-the-middle to obtain these per-transaction passcodes even if they have obtained the customer’s login credentials: a login passcode alone no longer authorises a payment, and the customer is unlikely to supply further passcodes to authorise transactions that they did not initiate themselves.

However, a man-in-the-middle could attempt to circumvent this by prompting the user (through a spoofed interface) to supply another passcode after they have logged in, and then immediately using that passcode to initiate a transaction on the customer’s account. The NAB’s system deals with this problem to some extent: a passcode exists only once the bank has generated it and sent it to the customer’s mobile phone in response to a transaction request, and the customer holds no token that can generate passcodes independently of the bank. An attacker therefore cannot harvest a passcode in advance; to obtain one at all they must first initiate a transaction through the bank using the hijacked session, and the protection then rests on the customer declining to enter a passcode that arrives for a transaction they did not start.
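The following simulation, added here to illustrate the two paragraphs above and not taken from the submission or from any bank’s system, plays out both sides of a per-transaction SMS passcode scheme. The payment API, the SMS wording (including payee and amount in the message body), the single-use binding of each code to one transaction, and the account names are assumptions of the example. It shows that a captured code cannot be spent on a different transaction or reused, but also that the relay attack still succeeds when the attacker initiates the payment through the hijacked session and the customer types the code without reading the message it came with.

```python
"""Simulation of a per-transaction SMS passcode scheme and the relay attack
discussed above.  Added illustration, not code from the submission or from any
bank; the payment API, SMS wording and single-use per-transaction binding of the
code are assumptions of the example."""
import secrets


class Bank:
    """Bank side: a passcode is created only when a payment is initiated and is
    delivered only to the customer's registered phone, never to the web session."""

    def __init__(self, customer_phone):
        self.customer_phone = customer_phone
        self.pending = {}      # txn_id -> (payee, amount, code) awaiting confirmation
        self.sms_outbox = []   # (phone, text) pairs; stands in for the SMS gateway
        self.ledger = []       # confirmed (payee, amount) payments

    def initiate_payment(self, payee, amount):
        """Called from a logged-in web session (possibly an attacker holding
        stolen credentials). Returns the transaction id that must be confirmed."""
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"      # fresh code per transaction
        self.pending[txn_id] = (payee, amount, code)
        # Assumed SMS wording: the message names the payee and amount so that an
        # attentive customer can see what the code would authorise.
        self.sms_outbox.append(
            (self.customer_phone, f"Code {code} to pay ${amount} to {payee}"))
        return txn_id

    def confirm_payment(self, txn_id, code):
        """Accept the code only for the transaction it was issued for, and only once."""
        entry = self.pending.get(txn_id)
        if entry is None:
            return False
        payee, amount, expected = entry
        if not secrets.compare_digest(expected, code):
            return False
        del self.pending[txn_id]                       # single use
        self.ledger.append((payee, amount))
        return True


def latest_code_on_phone(bank):
    """What a customer extracts if they read only the digits, not the message body."""
    _, text = bank.sms_outbox[-1]
    return text.split()[1]


def relay_attack(bank):
    """Attacker with stolen login credentials and a spoofed page in front of the
    customer, as described in the text."""
    # 1. Using the hijacked session, the attacker initiates a payment to themselves.
    txn_id = bank.initiate_payment("attacker-account", 900)
    # 2. The bank texts the code to the customer's phone, not to the attacker.
    # 3. The spoofed page says: "Enter the code we just sent you to continue."
    #    A customer who types the digits without reading the message hands it over.
    typed_by_victim = latest_code_on_phone(bank)
    # 4. The attacker immediately submits it for the transaction they created.
    return bank.confirm_payment(txn_id, typed_by_victim)


def replay_attack(bank):
    """Attacker captures the code the customer used for their own payment, tries to
    spend it on a different transaction, then tries to reuse it after the fact."""
    legit_txn = bank.initiate_payment("electricity-co", 120)
    captured = latest_code_on_phone(bank)
    evil_txn = bank.initiate_payment("attacker-account", 900)
    misused = bank.confirm_payment(evil_txn, captured)      # wrong transaction
    customer_ok = bank.confirm_payment(legit_txn, captured)  # the intended use
    reused = bank.confirm_payment(legit_txn, captured)       # already consumed
    return misused, customer_ok, reused


if __name__ == "__main__":
    print("relay attack succeeds:", relay_attack(Bank("registered-phone")))     # True
    print("misuse / legit / reuse:", replay_attack(Bank("registered-phone")))   # (False, True, False)
```

The two outcomes together are the “to some extent” of the text: because no code exists until the bank issues one for a specific transaction, an attacker cannot collect codes ahead of time and cannot redirect a code issued for the customer’s own payment, but an attacker who initiates the payment through the stolen session still gets a code delivered to the victim, and at that point the only remaining check is whether the customer reads the message before typing the digits.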

[45] National Australia Bank, SMS Payment Security, 2007, <,,82833,00.html>.