The Internet is a very convenient channel for exchanging information and conducting business. It is also a very convenient place for criminal activities. Internet-based criminal activity is certain to increase. Government law enforcement agencies and Non-Government Organisations involved in incident response have noted that organized crime is harnessing the potential of the Internet for illegal activities including scams, fraud, ID theft and extortion [13, 34]. These reports indicate that the nature of hacking itself has changed from being a harmless game to a business.

The losses from online fraud are currently smaller than those from off-line fraud, but the occurrence of online fraud is increasing at a rapid rate. Therefore, thought must be given to expanding existing countermeasures and to making migration plans for current systems. Currently, phishing and key logger attacks are popular for obtaining passwords and have been used in New Zealand [35-38]. Organisations whose business requires improved security to counter these increased threats are largely either at the stage of replacing passwords with some form of two-factor authentication or are planning to do so in the near future.

In New Zealand, ASB Bank and the associated Bankdirect launched their Netcode system at the end of 2004. The Netcode system is based on a password and a one-time password (an eight-digit code) that expires after a few minutes. The one-time password is sent to the customer’s cellphone in an SMS message. The Netcode system has been analysed by Thompson [39]. ASB Bank, Bankdirect, HSBC and Rabobank also offer one-time password devices to support two-factor authentication of online banking customers [38, 40]. In the USA, banking regulators will require banks to strengthen their online banking security by year-end 2006, including two-factor authentication for high-value transactions or transfers of monies to secondary parties [19]. This is also likely to happen in the near future in the UK [41].

Land Information New Zealand (LINZ) uses two-factor authentication with its Landonline service [42]. Landonline customers obtain a unique personal digital certificate and key pair from an authorised Certificate Authority. This is used with software on their computer to perform the following functions:

  • authentication to the Landonline system, which also requires a password
  • securing the communication channel with the Landonline system
  • digitally signing documents – for example, a solicitor can digitally sign the necessary papers required for the transfer of land titles.

Use of the digital certificate for signing is protected by a passphrase (this is a type of password and is distinct from the password used to authenticate to the Landonline system). The first two functions above are examples of the authentication key functions discussed in this Guidance, whereas the third is an extra service supported by this technology, albeit one that is critical to the Landonline service.

Page last updated: 13/09/2016