feature
A smart answer to online fraud?

With increasing numbers of people using internet banking it is not surprising that fraud levels are spiralling. What are the options to try and prevent this type of fraud, and could the smart card provide an answer?

Imagine going into a bank branch and all that was required to gain full access to your account was to provide your name and password. Whilst this is certainly not the case on the high street, it is the perilous situation we are in at present with a number of internet banking solutions. This is particularly concerning considering the popularity of internet banking. Today, more people in the UK bank online than use branch-based services, with more than 14 million residents choosing clicks over bricks. This represents a substantial increase of 63% over the last three years.

Almost in tandem, online banking fraud has also grown significantly. An apparent victim of its own success, the online banking industry lost an incredible £23.2 million to fraud in 2005, double the previous year's total. We say 'apparent victim' because the reaction of retail banks here in the UK to the exponential growth in internet fraud has been positively passive. The due care and attention people expect from their bank is sadly lacking, and in many cases it will be the customer who becomes the victim.
Two-factor authentication

With no financial responsibility to prevent online fraud, US regulators have enforced legislation so that two-factor authentication is the minimum security requirement for banking websites by the end of 2006. In the UK, only one bank, Alliance & Leicester, has voluntarily put two-factor authentication in place. APACS has also recently announced a draft two-factor authentication standard for internet and phone transactions. With many other high street banks watching from the sidelines, legislation might be the only way to ensure the risk of online fraud is reduced dramatically here in the UK.

The reason US regulators favour two-factor authentication is that a customer's password alone is no longer enough to give a fraudster access to their banking information. Two-factor authentication is based on the concept of 'something you have', which might be your PC, smart card or USB token, and 'something you know', i.e. your password or PIN.
Whilst two-factor authentication looks set to become the industry standard, there are alternative security measures out there. Whilst passwords have become common currency in authenticating users, there are, as the rates of online fraud suggest, serious weaknesses. Despite this, they are widely used and are a means of authentication for almost everything. One-time passwords (OTPs) are just that: they are generated once and can only be used once to access banking details.
One-time passwords

There are two ways to generate OTPs: the first uses a mathematical algorithm to generate a new password based on the previous one; the second is based on time synchronisation between the authentication server and the client providing the password. The first option requires new standalone hardware, a PIN-pad type device, into which the customer "plugs" their EMV card and enters their PIN, after which the device generates a new password. With the second method, time-synchronised passwords, a new standalone hardware token continually generates passwords that change after a predefined period of time, for example every ten minutes. Should a fraudster discover an OTP they may get access for one login period, but the password becomes invalid once it expires. Implementation is easy as no changes to the internet channel are required: the customer simply enters a different number in their password field.

One of the downsides to OTP is the cost to implement. New hardware tokens need to be supplied to customers, and the financials involved in training customers and providing support make this a less attractive option for what is not a 100% failsafe solution. This type of system was also at the centre of a phishing scam targeting customers of a Swedish internet bank last year. As a result it is unlikely that this will be adopted in any great measure here in the UK.
The other disadvantage of this system is the level of customer education required. The OTP system has a completely different user experience for the internet banking user. When they use the high street and ATMs, they put their EMV card into a machine, input their PIN, and then perform their transaction. Under this model they are generating a password which they then have to input into their internet banking screen. This can be a frustrating experience as they only have a short period of time to do this, which means that for some users it can take a number of attempts to complete the transaction.

All single-factor, two-factor and OTP authentication scenarios are open to fraud and in particular the 'man-in-the-middle' attack. This is the approach used in the above Swedish banking scenario, when customers were sent emails with links to a fake, but identical in appearance, banking website. The customer types in his password and one-time password, which the attacker then uses to access the bank's real site. All three are also open to a Trojan scenario, where an attacker piggybacks on a user's session whenever they log on to the bank's website and conducts fraudulent transactions once in.
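The two OTP generation methods described above, together with the "valid for one period, usable once" property, are easier to reason about with a concrete implementation. The following Python is an added example written for this page, not code from the article or from any bank or token vendor. It assumes the counter-based and time-synchronised schemes are the HMAC-based ones standardised in RFC 4226 (HOTP) and RFC 6238 (TOTP), which the article does not name; the shared secret, the ten-minute step and the one-step clock-drift allowance are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the bank's authentication server and
# the customer's token; a real deployment provisions a distinct secret per token.
DEMO_SECRET = b"12345678901234567890"  # also the RFC 4226 / 6238 test-vector secret


def _truncate(digest: bytes, digits: int = 6) -> str:
    """Dynamic truncation (RFC 4226 style): take 31 bits from the digest at an
    offset chosen by its last nibble and reduce them to a fixed number of digits."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def counter_otp(secret: bytes, counter: int) -> str:
    """Event-based OTP: each press of the token advances a counter and the
    password is derived from the secret and that counter (HOTP)."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest())


def time_otp(secret: bytes, now: int, step: int = 600) -> str:
    """Time-synchronised OTP: the password is derived from the secret and the
    current time step (TOTP). A 600-second step gives the article's
    'changes every ten minutes' behaviour."""
    return counter_otp(secret, now // step)


class OtpVerifier:
    """Bank-side verifier with the two properties the article describes: a code
    is accepted only in its own time step (plus a small clock-drift window) and a
    code that has already been accepted is refused if presented again."""

    def __init__(self, secret: bytes, step: int = 600, drift_steps: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.used = set()  # (time step, code) pairs already spent

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step_index = current + delta
            expected = counter_otp(self.secret, step_index)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                key = (step_index, code)
                if key in self.used:
                    return False  # replay of a code that was already accepted
                self.used.add(key)
                return True
        return False  # wrong code, or a code from an expired step


if __name__ == "__main__":
    print(counter_otp(DEMO_SECRET, 0))          # RFC 4226 vector: 755224
    verifier = OtpVerifier(DEMO_SECRET)
    code = time_otp(DEMO_SECRET, 6000)
    print(verifier.verify(code, 6000))          # True: fresh code in its step
    print(verifier.verify(code, 6000))          # False: same code presented again
    print(verifier.verify(code, 6000 + 1800))   # False: three steps later, expired
```

The verifier keeps only the (step, code) pairs it has accepted, which is enough to refuse a replayed code without storing anything about the token beyond its secret. Note that none of this helps against the man-in-the-middle scenario the article goes on to describe: a relayed code is still fresh when the attacker forwards it within the same step.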
Integrated systems

Integrated systems aren't open to the same attacks, because they use hardware to secure the internet channel. The 'closed loop' system uses proprietary technology which can only be used for access to specific items. This is typically used by companies for on-site access to their networks; for example, Barclays staff use a smart card to log on to their desktops. The alternative 'open loop' system uses existing hardware or tokens, for example EMV cards, to secure the internet channel. Customers are provided with a simple card reader to connect to their PC. By plugging in their EMV card and entering their PIN a customer can perform a full EMV transaction on their own computer. This then allows the customer to identify themselves to the bank using their own credit or debit card. EMV is regarded as one of the more secure forms of encryption available.

The benefits of integrated systems are that they can use the most appropriate tokens to hold the EMV application: contact cards in the UK and contactless in the US. This is particularly important in the UK, with the banks investing hundreds of millions of pounds in upgrading their infrastructure, including the issue of over 100 million chip and PIN cards. This will give both the banks and their customers the ability to re-use this new technology. Recent advances in PC and internet technology also make this a much more feasible solution. Most computer users have broadband access, thereby allowing banks the ability to quickly identify their customers using software methods. This also has the advantage of the low cost of investment required for customer support and training, as the experience is very similar to that on the high street so it is easy to understand. The banks will only need to issue a cheap card reader for connection to the USB port, which can be used with the existing technology available to customers, i.e. their bank cards. This technology also allows banks other benefits, such as the ability to update cards with new PINs should customers forget their original PIN.

Another benefit is the cost savings afforded to banks. It has been estimated that it costs a bank between US$3-7 per phone call from an internet banking customer for a lost or forgotten password. The re-use of existing technology reduces the need for different passwords or devices, thus ensuring the customer experience remains consistent.

The largest perceived downside of connected card readers is that the PIN is entered into a computer, potentially allowing fraudulent attempts at obtaining a user's card and PIN details. However, the bank can minimise this risk by ensuring that the PIN is not allowed to leave the computer in an unencrypted form. Any attempted fraud would also fail as there would still be a requirement to obtain the physical card in order for the fraudulent user to access the genuine user's internet banking information.

In the future we will see the evolution of two-factor develop into three-factor authentication. This is considered to be one of the strongest forms of user authentication available as it involves not only the 'something you know' and 'have' elements but also 'something you are', for example a fingerprint or vein pattern.

Card Technology Today May 2006
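The connected-reader model above rests on two things the article states rather than shows: the card proves its presence to the bank with a cryptographic exchange rather than a static password, and a fraudster holding the PIN alone (or a captured exchange) gets nothing useful. The Python below is an added example written for this page, not the article's, STS's or EMV's actual protocol. It stands in for the card's EMV cryptogram with an HMAC over a bank-issued challenge, and it goes one step beyond the passage by also letting the bank prove itself back to the reader application in the same exchange; a real deployment would use a public-key signature for that direction so the client holds no secret. All keys, the card holder name and the last four digits are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo keys (not real EMV keys). In EMV the card key is derived from an
# issuer master key and never leaves the chip; here it is a byte string so the
# exchange runs offline.
CARD_KEY = b"demo-card-key-0123456789abcdef"
# Stand-in for the bank's signing key; HMAC is used here only for runnability.
BANK_KEY = b"demo-bank-key-fedcba9876543210"
CARD_LAST4 = "1234"           # constructed
CARD_HOLDER = "A N Customer"  # constructed


def card_respond(card_key: bytes, pin_ok: bool, challenge: bytes) -> Optional[bytes]:
    """Simplified stand-in for the card's cryptogram: a MAC over the bank's fresh
    challenge, released only after a correct PIN. Without the physical card (its
    key) or without the PIN, nothing usable is produced."""
    if not pin_ok:
        return None
    return hmac.new(card_key, b"card-auth|" + challenge, hashlib.sha256).digest()


class Bank:
    """Bank side: issues single-use challenges, verifies card responses and
    produces a proof of its own identity for the customer's reader application."""

    def __init__(self, card_key: bytes, bank_key: bytes) -> None:
        self.card_key = card_key
        self.bank_key = bank_key
        self.pending = set()  # challenges issued but not yet consumed

    def new_challenge(self) -> bytes:
        challenge = os.urandom(16)
        self.pending.add(challenge)
        return challenge

    def check_card(self, challenge: bytes, response: Optional[bytes]) -> bool:
        if response is None or challenge not in self.pending:
            return False  # no PIN, or an unknown / already-used challenge
        self.pending.discard(challenge)  # consumed once: a captured response cannot be replayed
        expected = hmac.new(self.card_key, b"card-auth|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def prove_self(self, client_nonce: bytes) -> bytes:
        """Bank-to-customer proof bound to the client's nonce and to card data only
        the genuine bank holds (the article's last four digits plus holder name)."""
        msg = b"bank-auth|" + client_nonce + b"|" + CARD_LAST4.encode() + b"|" + CARD_HOLDER.encode()
        return hmac.new(self.bank_key, msg, hashlib.sha256).digest()


def client_verify_bank(bank_key: bytes, client_nonce: bytes, proof: bytes) -> bool:
    """Runs inside the digitally verified reader application: accept the site only
    if its proof matches. A phishing site without BANK_KEY cannot produce one."""
    msg = b"bank-auth|" + client_nonce + b"|" + CARD_LAST4.encode() + b"|" + CARD_HOLDER.encode()
    expected = hmac.new(bank_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def login(bank: Bank, card_key: bytes, pin_ok: bool, client_nonce: bytes) -> tuple:
    """One complete two-way exchange. Returns (card accepted by bank, bank accepted
    by customer)."""
    challenge = bank.new_challenge()                        # bank -> reader
    response = card_respond(card_key, pin_ok, challenge)    # reader -> bank
    card_ok = bank.check_card(challenge, response)
    proof = bank.prove_self(client_nonce) if card_ok else b""   # bank -> reader
    bank_ok = client_verify_bank(BANK_KEY, client_nonce, proof)
    return card_ok, bank_ok


if __name__ == "__main__":
    bank = Bank(CARD_KEY, BANK_KEY)
    print(login(bank, CARD_KEY, True, os.urandom(16)))          # (True, True)
    print(login(bank, CARD_KEY, False, os.urandom(16)))         # (False, False): wrong PIN
    print(login(bank, b"not-the-card", True, os.urandom(16)))   # (False, False): card absent
```

Because every challenge is random and consumed on first use, a response captured from the PC (the downside the article raises) is worthless a moment later, and the PIN itself never travels to the bank at all: it only unlocks the card locally.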
Contact methods

Despite all this technology a number of banking customers have become concerned about the contact methods used by some banks. Increasingly, banks are contacting customers via SMS or automated phone call. Sometimes customers are asked to dial back on a given number, where they are asked for their personal information to identify them as the account holder. Similarly, during cold calls customers are asked to prove they are the named customer on the account, with no similar level of authentication from the bankers. With unsolicited calls singled out as a source of confusion for customers, the process of authentication should be two-way instead of the one-way process it is now. In response to the usual details that banks expect from us (date of birth and mother's maiden name, etc.) banks should reciprocate by providing, for example, the date of incorporation, the city of their registered office, and corporate founder.

From an online banking point of view, two-way authentication refers to the customer authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the other's identity. Of the possible two-factor authentication systems available, the integrated connected card reader solution allows this two-way authentication to take place. By only allowing digitally verified applications to interrogate the card, only the banks are able to identify themselves to the customer. This usually happens by the bank writing information from the card to the screen of the user, i.e. the last four digits of their card plus their full name. This negates the impact of any fraudulent phishing attacks. Whilst there is no silver bullet for combating fraud, two-factor, two-way authentication solutions will be the key drivers in securing the internet as a trusted channel for banking.

This article was provided by Smart Technology Solutions (STS). For further information please visit www.stslimited.com or call Tel: +44 208 680 0252

South African smart card market set for growth

The complex South African market offers significant potential for smart card players in three main areas: telecoms, banking and government. Despite the opportunities, however, there are still significant challenges to face. This article charts the progress of smart cards in South Africa and argues that 2006 could well be a year to remember.

The South African population witnessed a year of significant change in 1994 with the holding of the country's first democratic election and the introduction of mobile phones. Both were to have significant consequences. While the subsequent political happenings have been expounded upon no end in the international media, not as much attention has been paid to the long lasting effects the country's first widespread interaction with smart cards was to have.

As with many African countries, a rather peculiar economic situation is present in South Africa. There are two economies present in the country. The first of these is the formal economy, which exists and runs in the same way as those of more developed countries. The second is an informal economy made up of small traders selling products such as fruit, clothes and other small value commodities. There are various factors that led to the establishment of a dual economic system. South Africa is a well developed country with effective infrastructure in place, and in this regard resembles more developed countries such as its Western counterparts. On the other hand, a large percentage of the population lives in poverty and there is much need for economic improvement. This situation has led to a desperate need for entrepreneurship and the resulting establishment of the informal economy. The presence of both economies presents the government with a quandary as it tries to allocate resources effectively, while at the same time attempting to regulate various sectors. Smart cards have offered opportunities for growth in both of these sectors.
Application areas

There are three main applications in which smart cards function in South Africa, namely telecommunications, banking and government. These markets offer players the most significant