One of Australia’s leading financial institutions, the National Australia Bank (NAB), has announced an ambitious initiative to eliminate the use of passwords for internet banking by the end of the decade. This decision has been prompted by the increasing complexity of cyber threats and the ineffectiveness of traditional passwords, described by NAB's chief security officer, Sandro Bucchianeri, as "terrible". The bank aims to transition from text-based passwords to a more secure method known as cryptographic keys, which have already been successfully implemented in its digital-only subsidiary, Ubank.
The initiative is set to unfold over the next three to five years, with plans to replace traditional passwords entirely. Industry experts have raised concerns over the efficacy of passwords, which are often compromised when users choose weak passwords, reuse them across various platforms, or even write them down physically. Such practices pose substantial risks, allowing hackers to exploit breaches on unrelated websites to gain unauthorised access to bank accounts.
As part of its strategy, NAB's cryptographic keys will let users authenticate without the need for a username or password. Customers will then confirm their identity using a PIN or biometric signatures, including fingerprint scanning or facial recognition technology. Mr Bucchianeri acknowledged the challenge of balancing security and usability, noting that overly complicated systems might lead users to seek alternative methods of access, such as using post-it notes, while overly simplistic approaches could compromise security.
NAB has significantly enhanced its cybersecurity measures, reportedly thwarting in excess of 50 million cyber-attack attempts. Although direct breaches of NAB’s security have not yet occurred, hackers have accessed smaller businesses associated with the bank, making off with sensitive personal information such as phone numbers. Scammers typically employ this information to impersonate either users or the bank, circumventing traditional authentication processes to commit fraud.
To combat these threats, NAB has formed a partnership with the cybersecurity firm BioCatch, alongside other major Australian banks including ANZ, Commonwealth Bank, Suncorp Bank, and Westpac, to create the BioCatch Trust. This collaboration is designed to analyse user behaviour and device information in real time to detect fraudulent transactions, particularly those involving ‘mule accounts’ known for money laundering activities.
In a statement to the Sydney Morning Herald, Mr Bucchianeri emphasised the necessity of these innovations, stating, "If I make it too user-friendly … then I will compromise the security." Chris Sheehan, NAB Executive Group Investigations and former Australian Federal Police executive, echoed these sentiments, labelling the initiative a vital tool for banks in thwarting criminal activity and safeguarding customers. “While we are seeing customer scam losses decrease,” he added, “we know there's more to do to make Australia the hardest country in the world for criminals to steal our money.”
The bank's proactive measures also involve various strategies aimed at preventing fraud, such as eliminating links in unsolicited text messages, collaborating with telecommunications companies to prevent bank number impersonations, and enhancing training for contact centre staff to identify fraudulent activity. Furthermore, NAB has started placing holds on high-risk transactions, issuing warnings for payments to new payees, and blocking transactions associated with certain high-risk cryptocurrency platforms.
As the banking sector continues to navigate the complex landscape of cyber threats, NAB's approach to phasing out passwords by adopting cutting-edge technology underscores the ongoing evolution of security practices within the industry.
Source: Noah Wire Services