All South African banks offer a form of two-factor authentication (2FA) for their digital banking channels.
This mechanism helps to prevent unauthorised access to user accounts in the event that the user’s login details and passwords are exposed in a data breach.
2FA often comes in the form of an authentication message which is sent to a secondary device that has been linked to the main account.
Examples of this include a verification PIN or in-app prompt which must be accessed via a customer’s smartphone.
Benefit for banking
This security feature can be even more useful for applications where financial risk exists, such as in online banking.
MyBroadband asked South African banks whether they employ two-factor authentication for their online banking logins and to perform other functions on these portals.
We found that most banks do not offer 2FA for logins, but only for transactions performed on the bank’s various digital channels.
Head of Fraud Strategy at Absa Retail and Business Bank, Ulrich Janse van Rensburg, said that the bank’s investment in two-factor authentication has reduced SIM-swap fraud incidents to a fraction of those from previous periods.
He explained that Absa’s app-based authentication, which was launched in October 2017, uses a non-SIM based approach to authenticate transactions on its digital channels to mitigate the risk of SIM-swap fraud.
“Customers utilise our Banking App to authenticate transactions done on digital banking channels and the authentication is linked to their device rather than their SIM card,” Janse van Rensburg said.
Customers who don’t have a smartphone are able to use the bank’s previous authentication method, which uses a USSD prompt that needs to be accepted on the customer’s secondary device.
“Customers who do not have a smartphone can still continue to utilise our previous authentication method (rolled out in October 2014) which relies on a USSD prompt that needs to be accepted on the customer’s device (and is still connected to a SIM Card).”
Janse van Rensburg said Absa encourages its customers to adopt its mobile banking app to enjoy its “world-class” security systems.
“Absa recently launched a market-first digital fraud warranty for customers who bank using our banking app – signalling our confidence in the security of our app as the safest way to bank,” Janse van Rensburg added.
Head of FNB Digital Banking Giuseppe Virgillito explained that the bank uses 2FA for transaction authentication in certain instances.
“FNB introduced Smart inContact in 2016 which allows customers to approve certain transactions performed on digital channels using the award-winning FNB Banking App,” Virgillito said.
He added that the majority of FNB’s online banking customers use this feature to approve transactions.
FNB does not employ two-factor authentication for banking logins on its web channel but notifies customers of any logins on their web channel via the customer’s linked email address and phone number.
Mobile browser logins are treated differently, however.
“Those that prefer logging into our mobile site have to approve their logins as well as transactions using the two-factor authentication (2FA) process,” Virgillito said.
Nedbank does not use 2FA for its web channel, but initial registration on the Nedbank Money app is a multi-factor set-up that combines profile number, PIN, password, card and PIN, Nedbank ID, and device biometrics.
Head of Digital Channels at Nedbank Retail and Business Banking Tawanda Chatikobo said that the bank has a robust authentication pattern for subsequent logins, which rely on the Nedbank ID and password or device biometrics.
Chatikobo said that particular transactions on Nedbank’s online and app banking platforms are protected by two-factor authentication.
“Second-factor authentication is utilised for all sensitive transactions, such as the creation of a new payment beneficiary,” Chatikobo said.
“An Approve-IT message is sent via NI-USSD to the client, which the client then needs to acknowledge. As NI-USSD is vulnerable to SIM swaps, Nedbank also checks if there has been a recent SIM swap on the device,” Chatikobo added.
Standard Bank spokesperson Ross Linstrom said that the bank does use two-factor authentication for banking logins.
“This is delivered in an out of band manner with mechanisms such as SMS or email,” he said.
“A One-Time Password (OTP) is sent via SMS to the account holder’s cell number or through email. The OTP must then be entered on either the app or web portal, whichever was being used.”
Additionally, a QR-based solution can be used for enhanced verification.
“We have a further security enhancement where a QR Code is displayed and then the customer will scan this ‘out of band’ using the Standard Bank Mobile Banking App from a smartphone device,” Linstrom said.
“Upon scanning the QR Code, the user is requested to approve the action using biometrics (fingerprint or facial) or an app code that is created during the secure registration process.”
Standard Bank recently launched its DigiMe solution, which adapts to the everyday lifestyle and behaviours of customers.
“The DigiMe process allows a customer to securely bind their device with their personal identity and their biometrics. This will allow customers through time to validate their banking transactions and themselves using biometrics or additional ‘out of band’ methods,” Linstrom noted.
Capitec’s clients are required to authenticate themselves with their Remote banking pin when using the mobile banking app.
Two-factor authentication is performed within the app.
“When transacting on their mobile devices, clients receive secure in-app confirmation messages (as opposed to OTPs that are delivered via SMS) on their registered device, with the details of the transaction, requiring the client to authorise the transaction using their Remote PIN or fingerprint biometrics,” Capitec said.
The bank uses a different method for a second level of verification for customers who prefer to use only its web banking portal.
“Clients that do not make use of Capitec’s cellphone banking app and choose to use Internet Banking only, are issued with a token on keyring which the client will use to generate one time passwords – with a date/time stamp that is valid for a short time only – for sign in and approval of financial transactions.”
With TymeBank, all Internet banking and app payments are authorised with two-factor authentication through an OTP.
Its Internet banking channel is accessed by using an ID and password.
When the TymeBank SmartApp is installed on a device and launched for the first time, unique identifiers are associated with the device and the device is linked to the user’s profile by using an OTP.
Subsequent logins only require a PIN, but payments are always authorised using an OTP, TymeBank said.