Where guest writers discuss what they think about the current FSTEU Issues.

Accurate authentication of customers is mission critical in the financial services arena. But according to Jonathan Gill of Arcot, financial services organisations in Europe need to re-evaluate the way they grant customers, as well as all other users, access to information.
All businesses need to secure the integrity of their online business activities, preventing information leakage and sabotage and, most importantly, ensuring that the customer experience is maximised. At the same time, cases of identity fraud are growing – in the UK alone 80,000 people fell victim to it last year, resulting in a £1.5bn bill for the individuals or banks that ended up having to compensate them. The pressure to ensure that people are who they say they are is forcing financial organisations to re-evaluate how they authenticate users onto their systems.
This is important because the normal visual and behavioural cues supporting the other party's identity that would be present in the physical world are hidden behind the browser interface. Financial institutions rely on strong but easy-to-use technology to substitute for, supplement and improve our natural capacity for authentication.
Authentication and the problem with passwords
Authentication is the process of verifying the identity of a person. In the physical world, this could be by showing photo identification or knowing a secret phrase. In the online world, passwords are more commonly used. But passwords have their limitations and are only marginally secure. Biometrics would be the strongest type of authentication (devices scan and match users by fingerprint or retina), but these are expensive and not currently practical to implement.
Other strong authentication solutions are hardware tokens and smart cards. These require users to present ‘something they know’, such as a password or PIN, together with ‘something they have’, such as the smart card or hardware device. This is known as two-factor authentication, and it is what most financial organisations are implementing today as an additional layer of security over the single-password approach.
In most computer systems and on most web sites today, a user name and password provide the most basic form of authentication. They are easy to create, easy to manage and deploy, and relatively easy to use. However, many users complain that they have to remember too many user IDs and passwords, forcing them to choose simple passwords, reuse the same password for several purposes or write the combinations down. Passwords of this nature are easy to guess. Passwords can also be lost or stolen, often without anyone noticing. Sometimes people share passwords; in other situations, someone can catch a glimpse. In either case, the keys to the kingdom are lost.
There are other common risks in the authentication process. Fundamentally, risks can be introduced by the technology itself or by the way it is used. For example, passwords are relatively secure when used properly, but because they are written down and shared by users, they become insecure and present a risk.
Hackers can also infiltrate authentication processes. If passwords cannot be intercepted directly, attackers may use phishing (the practice of tricking users into revealing personal data such as a username and password by directing them to a false bank web site) or keystroke logging (where malware is planted on the user’s PC to log keystrokes and send the often sensitive data back to the hacker). They may also intercept and alter the communication stream between user and bank (a man-in-the-middle attack).
Smart cards
A smart card is a credit-card-like device containing both memory and a central processing unit (CPU). Smart cards are used to store a person’s credentials or other information. Hardware-based tokens are being deployed by some banks. These generate a pseudo-random number, making them virtually impossible to duplicate, but they can be expensive to deploy. A software smart card is a viable alternative: it is more cost-effective than a hardware token, so it can be scaled up to millions of users, yet it is as easy to use as a hardware token and authenticates users with an equally strong method. What’s more, the use of a software smart card preserves the familiar username/password interface, so it is easy for the consumer to use.
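The "pseudo-random number" a token generates is, in the standard event-based scheme, an HMAC over a counter shared between the token and the bank (RFC 4226, HOTP). The following is an added illustration, not Arcot's product code or anything from the original article: it implements HOTP and the server-side check that a bank would run against it, including the look-ahead window that tolerates a user pressing the button without logging in and the counter advance that stops a captured code from being replayed. The secret is the RFC 4226 test-vector key, and the window size of three is an assumed policy value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


class TokenVerifier:
    """Bank-side state for one user's token: the shared secret and the
    next counter value the bank is willing to accept."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0          # next unused counter value
        self.window = window      # assumed policy: tolerate this many skipped presses

    def verify(self, code: str) -> bool:
        # Accept a code for any counter in [counter, counter + window).
        # compare_digest keeps the comparison constant-time.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                # Advance past the matched counter so the same code can
                # never be accepted twice (replay protection).
                self.counter = c + 1
                return True
        return False


# RFC 4226 Appendix D test key (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def demo() -> list:
    """Walk through a login sequence and return the verifier's decisions."""
    v = TokenVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    results = [
        v.verify(first),                      # genuine first code: accepted
        v.verify(first),                      # same code replayed: rejected
        v.verify(hotp(RFC4226_SECRET, 2)),    # user skipped one press: within window
        v.verify(hotp(RFC4226_SECRET, 1)),    # stale code behind the counter: rejected
    ]
    return results


if __name__ == "__main__":
    print(hotp(RFC4226_SECRET, 0))   # RFC 4226 vector: 755224
    print(demo())
```

The window is the trade-off between usability and exposure: a wider window means fewer lockouts from accidental button presses but more codes an attacker could try per attempt, so it should be paired with an attempt limit.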
Assessing your authentication requirements
The first step is to assess the risk for all your transactions or services. Then, based on that risk, select an authentication method that is as secure as necessary and as convenient as possible for users, while being affordable in terms of time and money. After all, each transaction must happen within tight cost constraints. This might mean that the authentication requirements for low-cost transactions differ from those for transactions where the user is moving large amounts of money, such as when buying a car online.
The next step is to implement and operate it in such a way that it is robust against attacks on any part of the process. This could mean that the system fails gracefully if security is not guaranteed. It also includes supporting the user or business partner in maintaining the same degree of security. Supporting systems might provide additional safeguards, such as monitoring user behaviour.
It is simply too expensive, in terms of money but also in terms of time, to deploy the most secure solution everywhere. So a layered authentication approach provides the most robust solution. Financial organisations can implement risk-based authentication, which enables them to keep customer transactions simple and can be deployed to limit fraud based on user behaviour. When stronger authentication is required, the financial organisation can implement strong but cost-effective security solutions, such as a software smart card, that keep the fraudsters at bay and prevent phishing and man-in-the-middle attacks from succeeding.
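The three steps above (score the transaction, pick the cheapest method that is secure enough, fail gracefully when that method is unavailable) can be written down as a small step-up policy. The code below is an added example for this article, not Arcot's risk engine or any product's API; the risk factors, point values and thresholds are assumed for illustration and a real deployment would tune them from its own fraud data.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Authentication strength, ordered so that a stronger level satisfies a weaker requirement."""
    PASSWORD = 1      # username and password only
    SECOND_FACTOR = 2 # plus 'something you have', e.g. a software smart card
    OUT_OF_BAND = 3   # plus confirmation over a separate channel


@dataclass
class Transaction:
    amount_gbp: float
    new_payee: bool               # payee never paid from this account before
    known_device: bool            # browser/device seen for this user before
    country_matches_profile: bool # origin country matches the user's usual one
    failed_logins_last_hour: int  # from the behaviour-monitoring system


def risk_score(tx: Transaction) -> int:
    """Additive risk score. Weights are assumed illustrative values."""
    score = 0
    if tx.amount_gbp >= 10_000:
        score += 40
    elif tx.amount_gbp >= 1_000:
        score += 20
    elif tx.amount_gbp >= 100:
        score += 5
    if tx.new_payee:
        score += 20
    if not tx.known_device:
        score += 25
    if not tx.country_matches_profile:
        score += 25
    score += min(tx.failed_logins_last_hour, 5) * 5
    return score


def required_level(score: int) -> AuthLevel:
    """Map a score to the cheapest method judged secure enough (assumed thresholds)."""
    if score < 20:
        return AuthLevel.PASSWORD
    if score < 60:
        return AuthLevel.SECOND_FACTOR
    return AuthLevel.OUT_OF_BAND


def authorise(tx: Transaction, presented: AuthLevel, strong_auth_available: bool = True):
    """Decide whether the transaction may proceed.

    Returns (allowed, required_level). If the transaction needs more than a
    password and the strong-authentication service is down, the decision
    fails closed: it is denied rather than silently downgraded to a password.
    """
    need = required_level(risk_score(tx))
    if need > AuthLevel.PASSWORD and not strong_auth_available:
        return False, need
    return presented >= need, need


# Constructed sample transactions.
BALANCE_CHECK = Transaction(0.0, False, True, True, 0)
NEW_PAYEE_BILL = Transaction(2_500.0, True, True, True, 0)
CAR_PURCHASE_ABROAD = Transaction(25_000.0, True, False, False, 0)

if __name__ == "__main__":
    for name, tx in [("balance check", BALANCE_CHECK),
                     ("new payee", NEW_PAYEE_BILL),
                     ("car purchase, unknown device", CAR_PURCHASE_ABROAD)]:
        allowed, need = authorise(tx, AuthLevel.PASSWORD)
        print(f"{name}: score={risk_score(tx)} needs={need.name} password-only allowed={allowed}")
```

The point of the `strong_auth_available` parameter is the "fails gracefully" step: an outage in the second-factor service must not become a path around it, so the policy denies and the user is told to retry rather than being let through on a password alone.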
Jonathan Gill is managing director at Arcot UK Ltd, part of Arcot Systems Inc. Gill joined Arcot in May 2006, having previously been at IBM Software Group and Integralis. He has a wealth of leadership experience and a track record of growing new business across a broad range of technologies.
Arcot is a leading provider of risk-based authentication, strong authentication, digital signature, and secure e-payment solutions. Financial institutions, pharmaceuticals, and Internet shopping sites use the company’s easily-deployed, cost-effective, and scalable software-based authentication products to limit online transaction fraud. Its products also enable advanced online functionality, such as the self-service issuance of roaming credentials and secure electronic document delivery. The company has its software solutions deployed worldwide.
Arcot was co-founded in 1997 by current president and CEO Ram Varadarajan, and is based in Sunnyvale, California with a technology centre in Bangalore, India. The company holds 12 patents in the areas of cryptology, encryption, multi-party authentication, and one-time-password technology.