As the take-up of e-commerce continues to grow apace throughout the UK,
banks are making more use of an increasingly wide range of open access technologies,
such as the internet, to offer their customers greater access, easier transactions
and to meet ever-growing service expectations. However, while banks are
deploying new e-commerce solutions to meet these requirements, they are
also now faced with increasingly stringent corporate governance legislation.
This legislation dictates that banks soundly authenticate their customers
and their transactions, and keep a strong audit trail of those transactions.
This poses a difficult question for banks: how does one choose the right
level of authentication to secure online systems? What makes this question
all the more difficult is the growth in e-commerce and the number of new
banking channels. Every transaction channel must have rigorous authentication
protocols in place, whether it is a B2B channel like the BACS
payment clearing system, or a B2C channel such as ATM banking or PoS transactions.
New channels, new threats
There is sound
reasoning behind the legislation now in place. Levels of fraud are on the
rise, particularly via new online channels. The e-commerce revolution and
the boom in credit card use have been accompanied by the migration of organised
crime groups seeking to take advantage of these new and immature
transaction methods, and this must be combated.
For example, phishing is one online fraud technique that has come into
its own recently: in May 2004, Gartner reported that 57 million US adults
thought they had received a phishing e-mail within the past year. Phishing
is not the most damaging type of criminal activity being committed, however,
and these new transaction channels are now subject to another, much more
costly form of fraud: Cardholder-Not-Present (CNP) fraud.
CNP transactions are performed remotely, when neither the
card nor the cardholder is present at the point-of-sale. CNP transactions
take many forms such as orders made over the phone or internet, by mail
order or fax. In such transactions, retailers are unable to physically check
the card or the identity of the cardholder, which makes the user anonymous
and able to disguise their true identity. Fraudulently obtained card details
are generally used with fabricated personal details to make fraudulent CNP
purchases. The card details are normally copied without the cardholder's
knowledge, taken from discarded receipts or obtained by skimming. This means
that while the three or four digit Card Security Code on the back of cards
can help prevent fraud where card details have been obtained, it does not
prevent fraud in cases where the card itself has been stolen. In 2003, CNP
fraud was responsible for losses of £116.4m in the UK - more than
any other type of card fraud.
There is no right or single solution to user and transaction authentication
for all a bank's systems. It may be that one bank feels that a low cost
but high-risk authentication technique such as a static password or user signature
is sufficient for the needs of a particular system. A different bank however,
might believe that a higher cost and lower risk option would be best, such
as a token-based or biometric technique. The right answer for any given
system should be based on the assessed risk and cost benefit analysis. However,
as authentication is added to protect these systems the cost of managing
a variety of solutions is becoming prohibitive.
Simplifying the problem
Having to deal with
their consumer and business customers through an extremely varied and growing
number of channels has meant that the front end of a typical bank's transaction
system has mushroomed. To cope, banks have had to create a middle layer
of transaction applications. While the middle office has clear advantages
in terms of allowing limited change to back office systems to cope with
new technologies such as the internet, it has turned a typical bank's transaction
infrastructure into a complex network of front office, middle office and
back office systems.
Such complexity is potentially harmful as it could lead to mismanagement
of customer identities, gross inefficiency, lack of management visibility
and an increased likelihood of fraud, especially internally. As several
of the larger banks have recognised, there is a critical need for a more
strategic approach to middle office authentication and identity management.
The number of identities available to the individual has also increased.
For example, not only might an individual have a wide range of accounts
and touch-points with the bank but also these identities are unlikely to
be uniform. Therefore, banks are faced with an array of different risks
not just between different customers, but also between a single customer's
various accounts. The reaction from banks to these multiple identity challenges
has once again been to develop multiple point solutions.
A strategic approach to transaction authentication and identity management
will remove this complexity through the use of a single platform between
the front end and the back office. This middle office platform would mean
that the costly process of changing or replacing any of the front or back
office systems need not happen. Instead, all transactions, whatever their
source, could be authenticated on a single platform that is seamlessly integrated
with the front and back office systems.
The advantages of this approach are twofold. Firstly, managing all transaction
channels from a single platform will improve ease of management. Secondly,
banks can embrace the growing number of new transaction technologies and
channels without needing to implement a new platform and, most importantly,
without compromising existing security. Furthermore, a single centralised
platform will have a significantly lower total cost of ownership than employing
multiple platforms.
But the benefits of taking a strategic approach are not limited to dealing
with multiple channels. It is also possible to use a single middle office
authentication server to process transactions from multiple trust schemes.
Regardless of whether it is an existing authentication token or EMV smart
card or PKI scheme such as Identrus or any one of the home grown PKIs that
banks have locked away unused, it is possible for a single middle office
system to perform the appropriate authentication and message validation.
Two-factor authentication is key
As things
stand right now, the future of retail transaction authentication rests with
the move to EMV-based smart card technology. The European liability deadline
has now passed, the investment has been made and now it is time for the
technology to prove its worth. Expectation levels for the success of the
EMV standard are high. Ironically though, one of the primary reasons that
CNP fraud is on the increase is the advent of EMV smart cards.
EMV chip technology uses sophisticated processing techniques to identify
authentic cards and make counterfeiting extremely difficult and expensive.
Combining this with a PIN is a proven system for combating fraud as it provides
the two-factor authentication of 'something you have' (the smart card) and 'something
you know' (the PIN). This makes the probability of fraudulent transactions
taking place in an ordinary retail environment extremely low and is, in
turn, forcing the criminal community to target newer, and potentially less
secure, transaction channels.
Until the recent introduction of EMV-based Chip and PIN banking, the maximum
level of security available to consumers for e-transactions has been user
ID and password authentication. Now, when a user with a smart card makes
a transaction at a retailer, he/she is required to put the smart card into
a connected reader and enter his/her PIN, via a keypad. In doing so, the
user is protected by the two-factor authentication technique.
This two-factor authentication can also be the key to securing
transactions made remotely, such as online transactions. In this situation
an unconnected reader is used which provides the user interface to the card
and displays a one-time passcode once it has read the smart card and the
user has entered his/her PIN. The user then manually types this passcode
into the computer at the appropriate prompt. Only the issuing bank can authenticate
this one-time passcode. To prevent replay attacks, the one-time passcode can
also be linked to the individual transaction by a more secure, yet still
simple, challenge-response process. In that case, should the passcode be
intercepted, it is of no use whatsoever beyond that single transaction.
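The following is an added illustration, not code from the article or from any card scheme: a simplified Python model of the unconnected-reader flow above, in which the passcode is bound to the issuer's challenge and the transaction amount and each challenge is consumed once, so an intercepted passcode fails on replay or on a different transaction. HMAC-SHA256 stands in for the card's cryptogram, and the card key, PIN, card identifier and amounts are constructed for the example.

```python
import hashlib
import hmac
import secrets

def derive_passcode(key, challenge, amount_pence):
    """8-digit passcode bound to the issuer's challenge and the amount (HMAC model, not real EMV)."""
    tag = hmac.new(key, f"{challenge}|{amount_pence}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 10**8:08d}"

class SmartCard:
    """The card inside an unconnected reader: the key never leaves it ('something you have')."""
    def __init__(self, key, pin):
        self._key, self._pin = key, pin
    def passcode(self, pin, challenge, amount_pence):
        # Wrong PIN ('something you know'): the card computes nothing for the reader to display.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None
        return derive_passcode(self._key, challenge, amount_pence)

class IssuingBank:
    """Only the issuer holds the card keys, so only it can verify a passcode."""
    def __init__(self, keys):
        self._keys = keys   # card id -> key, shared only with that card
        self._open = {}     # challenge -> (card id, amount) still awaiting a passcode
    def challenge(self, card_id, amount_pence):
        # A fresh challenge per transaction; the cardholder keys it into the reader.
        c = f"{secrets.randbelow(10**8):08d}"
        self._open[c] = (card_id, amount_pence)
        return c
    def verify(self, card_id, challenge, amount_pence, passcode):
        # Unknown, consumed or mismatched challenge: replays and altered amounts fail here.
        if self._open.get(challenge) != (card_id, amount_pence):
            return False
        ok = hmac.compare_digest(derive_passcode(self._keys[card_id], challenge, amount_pence), passcode or "")
        if ok:
            del self._open[challenge]  # one passcode authorises exactly one transaction
        return ok

def demo():
    """Constructed walk-through: one genuine transaction, then three misuse attempts."""
    key, card_id = bytes.fromhex("00112233445566778899aabbccddeeff"), "CARD-TEST-0001"
    card, bank = SmartCard(key, "4821"), IssuingBank({card_id: key})
    c1 = bank.challenge(card_id, 4999)
    code = card.passcode("4821", c1, 4999)
    accepted = bank.verify(card_id, c1, 4999, code)     # genuine transaction: True
    replayed = bank.verify(card_id, c1, 4999, code)     # same passcode presented again: False
    c2 = bank.challenge(card_id, 250000)
    reused = bank.verify(card_id, c2, 250000, code)     # intercepted passcode, new transaction: False
    wrong_pin = card.passcode("0000", c2, 250000)       # no passcode without the PIN: None
    return accepted, replayed, reused, wrong_pin
```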
The barrier to this method of authentication has always been cost.
In other words, is it more cost effective for the bank to accept low levels
of fraud rather than the expense of rolling out millions of unconnected
readers to consumers? The continuing rise of CNP fraud is now tilting the
argument in favour of the rollout option.
In terms of the technology behind the unconnected smart card readers, it
is the introduction of a common standard that is the most important innovation.
APACS, in association with MasterCard, and now VISA, have released specification
standards for unconnected smart card readers which have allowed leading
manufacturers to offer products for mass consumption at a commercially viable
cost.
The introduction of unconnected readers will have an extremely positive
effect on fraud and in turn help boost consumer confidence in e-Commerce.
However, it is not just internet-based transactions that will benefit. Theoretically,
any transaction where the card has to be used, and the cardholder is not
present, could use this scheme. For example, if purchasing a good or service
over the phone, the user could simply read the one-time passcode to the
person at the other end, who could validate it in the usual way through the
payment system. As such the smart card is transformed into a personal security
module to validate every financial transaction the user wishes to make.
The security benefits are clear to see. The inclusion of a smart card in
every financial transaction will add a crucial second layer of authentication.
This two-factor authentication process of something you have as well as
something you know should dramatically reduce fraud.
Looking to the future
Looking at the issue
from a long-term perspective, one can realistically expect two-factor authentication
to be replaced at some point in the future by three-factor authentication,
with the introduction of biometric data (something you are) into the transaction
process. This might take the form of thumbprints or iris scanning, and should
again vastly increase the security around any associated transaction.
However, biometric technology is still in its infancy and techniques being
tested at the moment are a long way from reaching full maturity and reliability.
For the time being, we should concentrate on successfully completing this
step to two-factor authentication. If successfully implemented and accepted,
this kind of flexible, yet secure and dependable system should prove to
be an integral part of the advancing e-business world.