It's time to capture what I have learned about this space so far, how it has evolved, and where it might go in the future, all of which should guide banks' investment in this space.
First of all, it's highly relevant for bank customers, and therefore for banks, to get this straight. Authentication is the fancy word for how customers log in to their financial institution (FI) to perform financial transactions and access services from their FI. Customers expect to be safe and secure when they do that, and they expect that only they will be able to log in to see their information, not some criminal.
Some definitions, just so that my terminology is clear:
- 2nd level authentication: After a customer has logged in to online banking, 2nd level is another log in with a different password, or an alternative question, such as dog's name, place of birth or favourite restaurant. The purpose is to validate that the individual logging in is the correct one.
- multi factor authentication: A more generic term for 2nd level authentication. It anticipates the growth of 2nd level authentication beyond questions into "out of band" validation (a prompt to another channel, e.g. telephone).
- RSA type tokens: RSA tends to get mentioned here simply because many identify with their model. A calculator type device that generates random-looking numbers which are typed in with the log in information, and that provides the 2nd level authentication.
- smart cards: Chip cards, IC cards, chip tokens, anything that has a computer chip on it that works to identify the user. Most commonly understood today are VISA and MasterCard cards with the embedded chip.
Evolution
We began back in the 90s with online banking access through username and password. Often the username was the card number on the customer's bank access card. The bank provided a password, usually chosen by the customer, and that combination permitted access to online banking.
Functionality was limited to balances of one or two accounts, bill payment, and funds transfer between accounts.
Two changes have contributed to the evolution over that 10-year period:
- Functionality has dramatically broadened to cover all accounts, loans and investments for the customer. Online banking provides information and functionality for all aspects of the customer's relationship.
- Criminals have targeted online banking. They realise their current success in the ATM arena through card skimming is relatively short lived with the advent of better security through anti-skimming devices and the advent of smart cards. So they have to develop alternative sources for their crime, and one of them is online banking. Collection of customer credentials is relatively easy at the moment, through phishing by email and spyware loaded in the background while customers perform other downloads.
The first change makes the second all the more advantageous for criminals. Once the criminals have access to online banking, account takeover and theft of funds is simple. They can change the customer's address, seek credit, and send money from the customer to themselves.
Why didn’t banks evolve their security sooner?
The million dollar question. First of all, phishing and spyware are relatively new in terms of broad based usage. They became highly prevalent 3 years ago, and have grown rapidly and become quite sophisticated. At first their credibility amongst banks and security organisations was tainted by obvious spelling and grammatical issues, which made those criminals appear more closely associated with kids and hackers, but that has changed. The criminal element is obviously highly sophisticated and has integrated several efforts to ensure success. Witness the gathering of a broad group of unwitting assistants to ensure success. There is evidence to suggest they use hacker elements to provide the spyware and phishing emails, and others to fund the entire effort. There is clear collaboration and organisation behind the effort, and this requires a clear and organised effort to cut it off.
Second of all, the solutions to the problem were not simple:
- Digital certificates: incredibly expensive and hard to implement. For example, what security policies govern the distribution of the certificates? Must every customer go to a bank branch to identify themselves, and then receive their certificate? Anything less would create another entry point for criminals to capture the certificate, and this would have horrendous implications for security!
- RSA tokens: expensive and hard to implement, with the additional problem of support, e.g. the call centre receiving calls for tokens that are lost, don't work, aren't understood, etc.
Where we are today
Many banks such as Barclaycard have taken the knee-jerk reaction and leapt to the RSA tokens. I believe this will be a mistake for the reasons mentioned. There has been an evolution as the technology rocket scientists have developed a middle space between username/password and the expensive, difficult certificate/token alternative.
That space is software based and customer pattern based. The leading vendors in this space are:
- Passmark: Identifies and tracks customers' computers and network access. Passmark also provides comfort back to the customer that they are on the right site, using a customer-selected picture.
- Digital Envoy (Digital-resolve): Strong in IP intelligence; using analytics it can identify aberrant behaviour.
- Cyota: Strong in blacklists and identification of rogue sites.
All of these then provide the capability to dynamically generate a 2nd level request for authentication to the customer to ensure they are in fact who they claim to be. This 2nd level can occur at time of authentication, or more powerfully also when the customer tries a high value activity, such as remitting money.
There are others, but the space can be well defined by these with which I am reasonably familiar. I won’t identify my preference here but summarise by stating that the software space is growing rapidly, and is very dynamic.
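As an added example (not the post's own text, and not any vendor's product code), here is a sketch of the risk-based step-up logic described above: a score built from device recognition, network recognition, a rogue-network blacklist and transaction value, mapped to allow / challenge / deny, where "challenge" is the dynamically generated 2nd level request. It is raised both at log in and when a known device attempts a high value remittance, which is the point the post makes. The thresholds, the weights, the 203.0.113.0/24 blacklist entry and the 1000 high value limit are constructed assumptions, not figures from the post.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed, hypothetical inputs: a blacklist of networks seen hosting rogue sites
# (the kind of list the post credits to Cyota) and a high value remittance threshold.
ROGUE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
HIGH_VALUE_THRESHOLD = 1000.00


@dataclass
class CustomerProfile:
    """What the bank has learned from the customer's past sessions."""
    customer_id: str
    known_devices: set = field(default_factory=set)      # device fingerprints seen before
    known_networks: list = field(default_factory=list)   # ipaddress networks seen before


@dataclass
class Event:
    """One log in or one transfer attempt as seen by the bank."""
    device_id: str
    ip: str
    action: str          # "login" or "transfer"
    amount: float = 0.0


def make_profile(customer_id: str, devices, network_strings) -> CustomerProfile:
    """Build a profile from plain strings, e.g. make_profile("c1", ["dev-A"], ["198.51.100.0/24"])."""
    return CustomerProfile(customer_id, set(devices),
                           [ipaddress.ip_network(n) for n in network_strings])


def in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def risk_score(profile: CustomerProfile, event: Event):
    """Additive score plus the reasons that produced it, so the decision is explainable.
    Weights are illustrative assumptions."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if not in_any(event.ip, profile.known_networks):
        score += 20
        reasons.append("unrecognised network")
    if in_any(event.ip, ROGUE_NETWORKS):
        score += 100
        reasons.append("blacklisted network")
    if event.action == "transfer" and event.amount >= HIGH_VALUE_THRESHOLD:
        score += 30
        reasons.append("high value transfer")
    return score, reasons


def decide(score: int) -> str:
    """'challenge' means raise a 2nd level request (question, out-of-band prompt, token code)."""
    if score >= 100:
        return "deny"
    if score >= 30:
        return "challenge"
    return "allow"


def evaluate(profile: CustomerProfile, event: Event) -> str:
    score, _reasons = risk_score(profile, event)
    return decide(score)


def enrol_after_challenge(profile: CustomerProfile, event: Event) -> None:
    """Once the customer passes the 2nd level, remember the device so the next session is low risk."""
    profile.known_devices.add(event.device_id)


if __name__ == "__main__":
    # Constructed session history for one customer: one known device, one known home network.
    profile = make_profile("cust-1", ["dev-A"], ["198.51.100.0/24"])
    for ev in [Event("dev-A", "198.51.100.7", "login"),
               Event("dev-B", "198.51.100.7", "login"),
               Event("dev-A", "198.51.100.7", "transfer", 5000.00),
               Event("dev-A", "203.0.113.9", "login")]:
        print(ev.action, ev.device_id, ev.ip, "->", evaluate(profile, ev), risk_score(profile, ev)[1])
```

Keeping the reasons alongside the score matters operationally: the call centre can tell a customer why they were challenged, and the fraud team can tune a single weight without re-deriving the whole policy.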
The future
This software arena will define the customer authentication space for the next 3 years, while chip is developed. Chip will provide additional benefits, which I believe are just beginning to appear. For example there are chip cards now that have embedded RSA token type functionality. This eliminates the hardware requirements for today’s tokens, or for today’s portable chip card readers.
Chip cards are generally believed to be the future, and I somewhat agree, but the form factor and elimination of supplementary hardware are essential before that happens. In addition, the software middle space I spoke of earlier will evolve and therefore will compete with chip card authentication.
Recommendation
Get serious about 2nd level authentication now using a software solution. Let the chip card implementations proceed, stay tuned in, and don't trust today's chip solutions entirely; otherwise you will be locked into old technology before you even start.
One thought on “Security models – second level authentication”