CUSTOMER TO BANK AUTHENTICATION.

Customers must perform authentication to prove their identity to a bank before a session is initiated in which bank account(s) can be managed. This is referred to as entity authentication. Furthermore, an extra authentication step may be required to authorize the transfer of money. This is defined as transaction authentication. Entity authentication is mandatory, while transaction authentication is optional to implement [Claessens et al. 2002].

ACM Computing Surveys, Vol. 49, No. 4, Article 61, Publication date: December 2016. 61:10 X. Xxxxxx et al.

Several factors can be used in user authentication. These are knowledge (something the user knows), possession (something the user physically has), and biometrics (something the user physically is or does). The terms two- or multifactor authentication are used when at least two different factors need to be fulfilled to establish an authenticated session. Knowledge is the most represented factor, followed by possession. Biometrics based on physical characteristics is rarely used, and was only observed in mobile banking.

We examined 80 home banking sites on the use of authentication methods for personal computers. The same was done for 60 mobile banking applications and 25 mobile banking sites. Not every bank that offers home banking offers mobile banking, which is why the numbers of the different types of examined online banking systems differ. Mobile banking applications seem to be far more popular than mobile banking sites, despite the latter being more independent of the platform used. Also, for mobile banking we could not determine the authentication methods used for two applications and one site, because we could not get the necessary information from the offered user interface or documentation. These are excluded, leaving 58 applications and 24 sites for which we could collect this information. We also compare our findings with our research data from 2013. At the time, we examined 81 home banking sites, 45 mobile applications, and 19 mobile sites. For one home banking site, it was not possible in 2013 to determine what kind of authentication method was used, since a customer number had to be entered first before any information about authentication options was given [Kiljan et al. 2014a]. Therefore, for user authentication, only 80 banks' home banking sites are considered for 2013, the same number of home banking sites as were examined in 2015.

First, we will present our findings concerning the combinations of factors (knowledge, possession, biometrics). After that, each factor will be discussed in more detail. We close with a comparison of data from 2002, 2013, and 2015.