It seems that adoption of some of the more secure mechanisms for authenticating users and signing transactions is accelerating, to supplement username and password credentials, which are all too easy to obtain.
Electronic signatures replace the traditional wet signature on paper in several scenarios, when the customer:
- Submits an application form for a new financial product or service
- Acknowledges consent for a transaction
- Requests access to online management of the account through a secure web-site
Since username/password combinations are not considered particularly strong, either for transaction signatures or for online access to secure web-sites, biometric and smart-card type tokens were discussed. It seems that, as they strive for greater online security, two UK banks are introducing token-based systems to supplement username/password credentials for access to their online banking secure sites, thereby providing more effective non-repudiation of transactions.
Bankwatch discusses two banks, Barclays and Lloyds TSB, that are approaching the security issue with security tokens. In addition, the source of the Bankwatch information, the Scotsman.com article "Banks introduce electronic password gadget to beat rise in internet fraud", mentions that other UK banks are looking to distribute secure one-time password generation devices, to crack down on the GBP 23 million (approx. USD 40 million) in online fraud and, probably more worrying, the abandonment of online services.
The additional security relies on the customer's possession of a physical token that enables him or her to generate a one-time password that is used for access to a specific account. The one-time password counters phishing scams, such as an official-looking email from a scammer that directs users to an official-looking website asking them to log in to manage their account, thus capturing their online credentials, and trojans that read passwords entered into a browser. Even if a scammer gets hold of a user's credentials, the one-time password in them cannot be reused and is therefore invalid.
Lloyds TSB and Barclays are approaching the tokens from different directions, although aiming to produce the same result:
- Barclays: Bank card 'chip' reader, where the user pushes their card into a device that confirms their card is valid and generates a password for the web-site
- Lloyds TSB: Rotating random password generator, key-fob with an LCD display
The bank card approach relies on the European 'chip and PIN' technology that has a secure chip embedded in all credit and debit cards, and does not rely on the easily cloneable magnetic stripe. A single reader can be used with cards for multiple accounts and provides a familiar approach for most UK and European card users.
The key-fob approach does not need a card reader device to be provided to customers, but does require distribution of battery-powered key-fobs that will need to be periodically replaced, and will potentially require a fob to be provided for each account to be serviced online. These devices, such as the SecurID from RSA, have been trusted for access to secure IT systems for many years.
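To make the one-time password argument concrete, here is an added example that is not code from this post, from the banks, or from RSA's SecurID. It models the key-fob style of rotating code using the open HOTP/TOTP construction (RFC 4226 and RFC 6238: HMAC-SHA1 over a counter, dynamically truncated to six digits, with the counter derived from the clock), together with a bank-side verifier that accepts a code only within a short time window and at most once. The seed, timestamps, step size and the `TotpVerifier` / `phishing_replay_demo` names are constructed for the demonstration; the two RFC 4226 test values used in the comments are the published ones. The chip-card reader approach is not modelled here.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password per RFC 4226.

    The counter is encoded as an 8-byte big-endian integer, MACed with
    HMAC-SHA1, and 31 bits are extracted at an offset chosen by the
    low nibble of the last MAC byte (dynamic truncation).
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of
    `step`-second intervals since the Unix epoch, so the displayed code
    rotates automatically, as on an LCD key-fob."""
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Bank-side check (constructed for this example).

    Accepts a code if it matches the current interval or one adjacent
    interval (tolerating clock drift), and records the interval so the
    same code is never honoured twice."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.used_counters: set[int] = set()  # replay protection

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        # Forget intervals that have rotated out of the acceptance window.
        self.used_counters = {
            c for c in self.used_counters if c >= current - self.window
        }
        for ctr in range(current - self.window, current + self.window + 1):
            if ctr in self.used_counters:
                continue  # already spent: a replay, not a fresh login
            # Constant-time comparison so the check does not leak digits.
            if hmac.compare_digest(hotp(self.secret, ctr), code):
                self.used_counters.add(ctr)
                return True
        return False


def phishing_replay_demo() -> tuple[bool, bool, bool]:
    """Walk through the scenario described in the post.

    Returns (genuine login accepted, immediate replay accepted,
    replay five minutes later accepted).
    """
    # Constructed demo seed; it is the RFC 4226 test secret, for which
    # counter 0 -> "755224" and counter 1 -> "287082".
    secret = b"12345678901234567890"
    bank = TotpVerifier(secret)

    t0 = 59.0                 # constructed timestamp: falls in interval 1
    code = totp(secret, t0)   # customer reads the fob and types the code

    genuine = bank.verify(code, t0)            # the customer's own login
    replay_now = bank.verify(code, t0)         # same code captured and reused
    replay_later = bank.verify(code, t0 + 300) # reused after it has rotated
    return genuine, replay_now, replay_later


if __name__ == "__main__":
    print(phishing_replay_demo())  # (True, False, False)
```

The two properties that matter for the post's argument are both visible in `TotpVerifier.verify`: a code is only valid for a window of a few rotations, and once accepted its interval is marked as spent, so credentials harvested by a phishing page or a browser trojan are useless by the time they are reused. A static password has neither property.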
In the US, the FFIEC has mandated two-factor authentication, recognizing that a username and password pair is not enough security and is subject to trojans and phishing. At this moment the US banks have provided online approaches, not physical devices. Instead they try to offer the customer a second, visual or memory-driven cue for recognizing secure sites.
As with many financial security issues in the US, the cost of infrastructure is often cited as a barrier to change. Perhaps the cost of online fraud and customer mistrust of online services are bigger drivers. By addressing the security of online-banking-style web-sites with physical tokens, financial institutions also gain an instant solution for providing secure electronic signatures for high-value/high-risk transaction consent.