By Jose Diaz and Nesic Dragoljub, Thales e-Security
The current needs and demands for authentication and identity management show huge variations around the world. One thing that is common across all regions, however, is the ever-increasing requirement to prove that you are who you say you are in the face of rising security threats, such as fraud and phishing. According to CIFAS, the UK’s Fraud Prevention Service, the number of victims of identity theft was up by 19.91% (at 67,406) compared to 2005. To combat this crime and secure against wider identity theft threats, there are several technologies that strengthen authentication security, some of which have already been deployed and are showing signs of success in the fight against fraud.
Perhaps one of the most successful schemes to date is the UK’s Chip and PIN initiative which uses the EMV standard to secure cardholder-present transactions. Almost a year on from its mandatory introduction, APACS, the UK payments association, reported that thanks to Chip and PIN, there was a reduction of nearly £60 million in counterfeit and fraud on lost and stolen cards in 2005 compared to 2004 (a drop of 24%). To date, two-factor authentication is only implemented for face-to-face transactions and there is still much progress to be made securing cardholder-not-present banking and transaction channels in the UK.
Contrary to the compulsory approach the UK has taken, the US is regarded to have responded with a softer solution that is aligned to customer demand. Currently, introduction of EMV cards is only being considered for international customers who are finding it increasingly difficult to make payments in countries like the UK that require a secondary factor, over and above magstripe and signature authentication. Strengthening internet transactions, on the other hand, has become a priority in the US and in 2005, the Federal Financial Institutions Examination Council (FFIEC) issued guidance stating that US banks should undertake a risk-based assessment of the processes in place to manage and authenticate identities by the end of 2006. Following FFIEC concerns that single-factor authentication was no longer sufficient, banks must satisfy the FFIEC that the security adequately protects customers, not only on their internet banking but also telephone banking channel.
A further example of the diverse approaches to security can be found in the Far East and Eastern Europe, where banks are incorporating mobile authentication into online transaction security. Mobile communication via SMS is highly popular in these regions and is therefore considered an extremely viable option for securing online transactions.
Taking a snapshot of the current identity management marketplace, it is clear that there is no one accepted standard of strong authentication. Rather, there are a variety of different approaches implemented by financial bodies around the world, each with their own pros and cons. In this current climate of identity theft, how will emerging challenges in 2007 threaten the efforts and current technologies in place to combat identity crimes and how can the industry respond?
The trend for conducting online transactions around the world is unrelenting, proving consumers are not yet deterred by the risks associated with Internet banking. Whilst the direct cost of fraud for banks is not great enough to justify the cost of investing in the technology required to combat it, banks also need to protect themselves against the knock-on effects of this crime, such as damage to brand, reputation and customer satisfaction. Loss of confidence would also result in customers reverting to more expensive means to conduct business, such as through the branch or writing cheques. These factors will prove to be an important driving force for the adoption of two-factor authentication by banks in 2007.
In addition to concerns related to brand equity, 2007 will also see legislation driving banks’ identity management solutions. In the Far East, governments already have or are currently introducing legislation to force banks to provide strong, two-factor authentication to their customers – Thailand, India and Hong Kong are good examples. Elsewhere, regulation could force banks to consider the need to address the security levels they currently have in place.
The faster payments initiative in the UK is one such example and could prove to be the tipping point for mass roll-out of two-factor authentication the industry requires. Due to come into force in the UK in November 2007, faster payments has been designed to speed up the processing of low value, person-to-person transactions, from the current three-day period to same day transactions. This near real-time transaction processing approach by banks is aimed at improving customer satisfaction and acknowledges the growing use of alternative payment channels such as the internet and telephone. However, this will pose severe challenges to banks’ authentication techniques. Put simply, banks’ current risk modeling systems are not up to the challenge of receiving a payment instruction from a variety of different channels and strongly authenticating that person within the 15-second transaction processing time limit that faster payments will enable.
The solid business case for investing in two-factor authentication that faster payments has provided is an unexpected knock-on effect of the initiative. While always generally supportive of the benefits two-factor authentication can bring, especially in the battle to fight cardholder-not-present fraud, banks have lacked any immediate incentive until now. Faster payments fundamentally changes this as when it goes live in the UK in November 2007, the member banks will be instantly vulnerable.
Banks in the US are also faced with the security implications of new legislation. The risk assessments imposed by the FFIEC will mean that banks face a number of compliance checks in 2007, subsequent to the December 2006 deadline. The FFIEC will need to establish whether banks have correlated the risk of certain transaction types with the security they require to conduct them.
Akin to the majority of the world’s regulatory bodies, the FFIEC has not pinpointed how stronger security must be achieved for Internet and telephone banking, citing two-factor authentication as just one of several possibilities. Combining this flexible approach with US consumers’ desire for simple, convenient banking, the current trend in the US is to supplement Internet and telephone-based transactions with layered security, as opposed to the more expensive solution of hardware such as a smart card reader or another challenge-response token. Layered security is achieved through answering pre-registered personal questions. This can also be complimented with behaviour-orientated security, such as banks authorising only one IP address to prove the transaction is originating from your personal computer.
By using methods that require customers to submit additional personal data to banks, as opposed to issuing hardware such as smart card readers, banks are increasing their duty to safeguard and protect this information from fraudulent use. Management of risk is driving the process to strongly authenticate, yet ironically the introduction of layered security poses a greater threat to risk models, particularly concerning internal fraud. 2007 will witness US banks’ close adherence to the PCI (Payment Card Industry) standards for data security and will require them to carefully examine their internal information management infrastructure to insure this highly confidential information is sufficiently protected.
The reluctance of banks in the US to issue security hardware to their customer is not only a cost consideration. The trend the world over is for simple and accessible banking, and this is particularly acute in North America. Current consumer demand for quick and easy payments is clear from the success of contactless card uptake across the continent. In the same way banks yielded to this consumer pressure, they do not wish to burden their customers with a physical item that must be present as well as their bank card to make a payment, yet they are acutely aware of the risk that must be managed.
One option for the North American market that may show promise in 2007 is the use of mobile phones as an authenticating device, as seen in the Far East and Europe. There are features that make it an attractive option for banks as well as convenient for consumers including its ubiquitous use and penetration in the market, convenient handling and zero distribution costs. SIM cards are the largest application of smart card technology in the world so there is value for banks in harnessing their growing processing power to perform other tasks such as identity authentication. There are many trials currently being undertaken in the US that could lead to the implementation of such solutions in the near future. A barrier to the adoption of this technology to date has been the need to foster partnerships across the banking and telecom sectors. However, with mounting pressure to address heightened security in a straight-forward manner, mobile authentication has the right criteria to satisfy both banks and consumers in the near future.
Contrary to the US, the success of EMV in the UK has resulted in positive consumer opinion towards smart card readers and the concept of utilising a token to authenticate payments. As industry chatter about two-factor authentication continues to build momentum this year, providing each customer with a smart card reader is an avenue that is proving to be popular. With the support of APACS, 2007 will see the highest commitment from banks to providing their customers with two-factor authentication. Barclays appears to be leading its competitors by stating it will begin to offer online banking customers handheld card readers this year. As these trials proliferate in the UK, it is likely that a wave of implementation will emerge as banks strive to at least keep up with their peers.
Although the banking industry the world over is facing the same challenges, the marked differences in approach prove as strong as ever before. The demands made on identity management solutions will continue to rise in line with the problems that are driving banks to seek stronger authentication, ultimately forcing banks to deliver more secure systems that protect consumers across all banking channels.
This article was prepared for SecureIDNews by Jose Diaz, US director of technical and strategic business development, Thales e-Security, and Nesic Dragoljub, UK head of professional services, Thales e-Security.