Commonwealth Bank of Australia has signed up almost one million customers in just over a year to use a new type of internet banking security designed to stamp out fraud from phishing and other scams. The CBA's general manager of online banking, Drew Unsworth, told The Australian Financial Review his group had about 950,000 customers using its "two-factor" authentication tools, which require users to enter one-time passwords to authorise some online transactions.
The overwhelming majority of those using the enhanced security receive the passwords by SMS message to their mobile phones, although some have specialised devices issued by the bank. The service is credited with cutting down internet banking fraud.
The high rate of customer adoption since the bank launched the service in February 2007 puts CBA out in front of its rivals, although there is debate about whether two-factor authentication is the best solution.
For example, National Australia Bank and Westpac Banking Corp have offered similar services for longer, but each is believed to have customer numbers only in the low hundreds of thousands using the services.
Neither St George nor Australia and New Zealand Banking Group offers two-factor authentication to retail customers, but St George recently unveiled plans to launch a mandatory service similar to CBA's.
"They've probably looked at what we've done and tried to copy it," Mr Unsworth said.
ANZ is keeping its options open but mainly depends on back-office detection systems to control fraud.
The banks have not clarified exactly how much fraud has been cut down through two-factor authentication services, although NAB said last year it had seen no instances of fraud amongst customers using the security technique.
Mr Unsworth said CBA's speedy adoption rate had been based on individual customers signing up. In addition, the bank had promoted the service to high-risk customers who used the internet to make transactions to new recipients frequently.
Mr Unsworth said the bank leveraged existing SMS messaging systems built by its online brokerage arm to develop its system, and was sending out about half a million SMS authentication messages a month.
Customers were only required to authenticate a transaction if they had never transferred money to that recipient before. From then on, similar transactions would not require an authentication code. "For most customers, they hardly notice it is in place," Mr Unsworth said.
After its initial rush to get high-risk customers using the service, he said the bank was now quickly adding those who used internet banking less. This could be done at a low cost, as those customers did not usually do many online transactions.
Mr Unsworth would not say what impact the service had had on fraud, but he said that, in combination with other security initiatives, the bank had had "very good results" and boosted customer confidence about online banking.
He criticised ANZ's focus on back-office fraud-detection solutions, as opposed to two-factor authentication.
"The key thing is, we've got both," he said, adding that back-end systems should be aimed at catching fraud that fell through the cracks of two-factor systems.
* Half a million SMS authentication messages are sent every month.
* CBA has promoted the service to high-risk customers.
Fairfax Business Media