Monday, August 07, 2006

Electronic signatures - physical tokens are coming

Last week I was talking about the different mechanisms that could be used by financial institutions to provide electronic signatures for users.

It seems that adoption of some of the more secure mechanisms for authenticating users and signing transactions is accelerating, to supplement the all too easy to obtain username and password credentials.

Electronic signatures replace the traditional wet signature on paper in several scenarios, when the customer:

  • Submits an application form for a new financial product or service
  • Acknowledges consent for a transaction
  • Requests access to online management of the account through a secure web-site
As I discussed in a background post, one of the hardest components of an electronic signature is not so much its use, but its initial creation with the identity of the customer. Once the customer is known and trusted by the institution there are many mechanisms that can be used to provide secure electronic signatures, the complexity and strength required is dependent on the value and risk of the transactions being performed.

Since username/password combinations are not considered particularly strong, either for transaction signatures or for online access to secure web-sites, biometric and smart-card type tokens were discussed. It seems that as they strive for greater online security, two UK banks are introducing token based systems to supplement username/password credential for access to their online banking secure sites and therefore providing more effective non-repudiation of transactions.

Bankwatch discusses two banks, Barclays and Lloyds TSB that are approaching the security issue with security tokens. In addition, the source of the Bankwatch information, the Banks introduce electronic password gadget to beat rise in internet fraud mentions that other UK banks are looking to distribute secure, one time password generation devices, to crack down on the GBP 23 million (approx. USD 40 million) in online fraud, and probably the more worrying abandonment of online services.

The additional security relies on the customer's possession of a physical token that enables him or her to generate a one-time password that is used for access to a specific account. The one-time password prevents phishing-scams, such as an official looking email from a scammer that directs a users to an official looking website requesting the user to log in to manage their account, thus capturing their online credentials, and trojans that read passwords entered into a browser. Even if a scammer gets hold of a user's credentials they are invalid.

Lloyds TSB and Barclays are approaching the tokens from different directions, although aiming to produce the same result:

  • Barclays: Bank card 'chip' reader, where the user pushes their card into a device that confirms their card is valid and generates a password for the web-site
  • Lloyds TSB: Rotating random password generator, key-fob with an LCD display
Both approaches ensure that the customer has the security token in their possession at the time of accessing the web-site.

The bank card approach relies on the European 'chip and PIN' technology that has a secure chip embedded in all credit and debit cards, and does not rely on the easily cloneable magnetic stripe. A single reader could be used by with cards for multiple accounts and provides a familiar approach to most UK and European card users.

The key-fob approach does not need a card reader device to be provided to customers, but does require distribution of battery powered key-fobs that will need to be periodically replaced, and will potentially require a fob to be provided for each account to be serviced online. These devices, like the SecurID from RSA have been trusted for access to secure IT systems for many years.

In the US, the FFIEC has mandated two-factor authentication, recognizing that a username and password pair is not enough security and is subject to trojans and phishing. At this moment the US banks have provided online approaches, not physical devices. Instead they try and offer a second customer visual or memory driven approach to recognizing secure sites.

As with many financial security issues in the US, the cost of infrastructure is often cited as a barrier to change. Perhaps the cost of online fraud and customer mistrust of online services are bigger drivers. By addressing the security of online banking style web-sites with physical tokens, financial institutions also provide an instant solution to providing secure electronic signatures for high value/risk transaction consent.

Technorati tags:


Anonymous said...

What a brilliant concept for a blog, especially if you are in the banking business. It seems step by step we are beginning to see a coalition of banking related sites, and I have teken the liberty of adding you to my blogroll - trust that is ok. And this issue is core to the next level of automation for bank sites.

I firmly believe blogs need a point, and this is what gives them relevance to their audience.


Phil Ayres said...

Colin, thanks for taking a look at the blog and for blogrolling it - that is a bonus!

I keep an eye on the Bankwatch blog as its a great source of information and news. As such I blogrolled you a while back.

I look forward to being able to respond to some more of your posts soon. Real business problems are a great way for me to frame technology solutions, which makes the whole blog writing thing easier!


bad credit car loans said...

great post! thanks for sharing such informative article.

buy here pay here said...

Not so sure that I'm too excited about physical tokens. Would definitely prefer the old fashioned way of transacting!