Hong Kong’s smart ID cards secure online banking
Government-issued IDs flourish as private-sector security token
By Marisa Torrieri, Contributing Editor, AVISIAN Publications
In some parts of the world, the acceptance of token-based authentication is slow and requires prodding from service providers, but in Hong Kong the use of smart cards and tokens is flourishing as consumers use the technologies for digital banking and other services.
Nearly three years ago the Hong Kong government issued a law that would replace traditional identification cards with smart versions, primarily for more secure identification and immigration control. The cards, which cost the Hong Kong Special Administrative Region $21 million U.S. dollars, will be held by all citizens by mid-2007. In February 2003, an international consortium of technology companies led by Pacific Century Cyber Works Limited (PCCW) won the contract to provide the cards, system, and services for the government.
Today, thousands of citizens have not only completed this process, but have caught onto using the smart cards for non-mandatory functions, namely digital commerce.
Since the card mandate, there has been a rapid public acceptance of the technology for online banking in Hong Kong, says Gilbert Leung, Senior Sales Manager for smart card reader manufacturer Advanced Card Systems Ltd. (ACS).
ACS announced last month that it has already received orders for 60,000 smart card readers embedded with The Hong Kong Post e-Cert – the digital certificate technology that secures the online applications. According to Leung, about 4.8 million personal banking transactions were processed through personal Internet banking every month during 2003, the year the Smart ID surfaced, representing a 30 percent increase over the prior year. Additionally, the number of transactions processed through business Internet banking every month has increased five-fold since 2002, he says (more current data is not yet available).
Nearly a dozen banks already employ two-factor authentication tools like e-Cert for high-risk online banking transactions, in accordance with guidelines from the Hong Kong Monetary Authority (HKMA). Bank of America (Asia), BOC Credit Card (International) Limited and Bank of China (Hong Kong) are among the first to announce their use of ACS’ ACR30 smart ID card reader, Mr. Leung says.
Inside the chip: e-Cert technology fuels digital banking
Today, card-bearing citizens who want to engage in digital commerce can use the e-Cert on their smart IDs. E-Cert, in short, is the security layer that enables cardholders to perform electronic transactions and online banking. It’s free for one year, after which the government charges a subscription fee, according to http://www.smartid.gov.hk/en/index.html, the government’s web site devoted to the initiative.
“Through the [one year e-Cert program], more than 950,000 local residents have already embedded Hong Kong Post e-Certs in their smart ID cards,” says Leung, adding that e-Cert-infused smart cards have “become the most widely recognized and readily available two-factor authentication tool owned by consumers in the market.”
Hong Kong sets example but will the world follow?
Will others follow Hong Kong’s example issuing a national ID but encouraging its use for online authentication in the private sector? Yes and no, say experts and analysts following what’s happening in Hong Kong, and in Singapore, which mandated banks to implement two-factor authentication.
In Hong Kong, citizens must, at a minimum, carry the technology or face monetary penalties. While the United States has the newly-issued Federal Financial Institutions Examination Council guidelines, it only suggests banks move to two-factor authentication. Mandating that all citizens carry the token is another matter altogether – one that has certainly helped the Hong Kong program to thrive.
“I think markets like Singapore and Hong Kong can do that because they’re smaller and more contained,” says Kerry Loftus, director of consumer authentication services for VeriSign. “Consumers are more acclimated to incidents of fraud and banks can pass off costs. There’s already buy in from that side that ‘this is added security, this is a good thing.’ Here in the U.S., they’re more resistant – you don’t incur any costs if someone grabs your credit card. Consumers here aren’t feeling the brunt of fraud. It’s quite different.”
It will take several years before similar smart-card technology enjoys the equivalent use in the United States, says George Tubin, senior analyst for TowerGroup, who covers strong authentication and smart card markets.
“The smart card approach works when either the government or an industry, consortium sponsors and supports its development and implementation,” says Mr. Tubin, referring to Hong Kong’s approach, as well as that of the other Asian and European nations.
“It’s very expensive and cumbersome to implement and maintain this type of approach and a single bank would typically not want to involve the resources – both monetary and staff – to support it. Once a group of interested parties come together to share the costs, it makes more sense.”
Additional resources:
To visit the Hong Kong ID card program on the web, click here.
To visit Advanced Card Systems on the web, click here.