
Jenny Dugmore reveals the importance of authentication to ensure against identity theft.
What role does authentication play in securing financial transactions?
Jenny Dugmore. For the financial industry, there is a clear need to ensure that transactions are conducted securely and only by authorized parties. Web services are gaining momentum and becoming part of trading and banking applications, exposing institutions to a growing list of sophisticated web-based threats. There is also a growing number of attacks such as phishing, spear-phishing and man-in-the-browser attacks, which seek to steal consumers' credentials and identities. Mobile banking is another growing sector that allows banks to benefit from the pervasiveness of mobile phones.
In this landscape, trust in identity is essential. Without trust, consumer protection cannot be guaranteed. Without proper authentication, neither the financial institution, the merchant nor the consumer can be sure that valid transactions are being made.
Most banks currently use strong authentication for this purpose, and many have adopted two-factor authentication. FireID provides strong authentication via a simple, convenient and cost-effective means.
What steps are most financial organisations taking today for authentication?
JD. Short message service is a common technology used for the delivery of one-time passwords, or OTPs, because it is available in nearly all handsets and has the potential to reach all consumers. The cost of SMS messages adds up, so it might not be suitable for some enterprises.
OTP over SMS also uses an encryption standard that several hacking groups report can be decrypted within seconds, or some service providers may not encrypt it at all. Besides hacker threats, the mobile phone operator becomes part of the trust chain – or multiple operators when a user is roaming. Also, users cannot authenticate themselves if network connectivity is unavailable.
Physical hardware tokens are another tool used by some organisations. Users must carry these devices and many find them to be inconvenient. They’re frequently lost or forgotten, and users can be denied critical access if they don’t have the device with them when authentication is required.
The most cost-effective solutions generate OTPs on a device that someone already owns, such as the mobile phone. These systems avoid the costs associated with issuing, and re-issuing, proprietary electronic tokens and the cost of SMS messaging.
How has the nature of authentication changed for financial companies?
JD. Online and credit card fraud is now more lucrative for criminals than the drug business. Identity theft is a big issue and we have to be more cautious with the credentials that make up our identity, both in the real and online world.
Recent phishing attacks have called into question the use of OTP, but organizations must realise that security can't be achieved by one technology alone. With OTPs, banks can still confidently confirm that the user credentials entered truly are identification for the customer. However, the customer still doesn't know that the site he is entering this information into is real.
Our solutions go a step further in addressing the above issues and ensure that the user will be logged into the correct mobile website, avoiding phishing attacks.
What steps can financial companies take to stay ahead of these new attack methods and protect their users?
JD. Companies should consider both out-of-band and mobile web authentication to protect financial transactions.
Out-of-band authentication verifies and authorises transactions by generating OTPs based on the details of the transaction itself, such as recipient and amount. This ensures the integrity of the transaction won’t be jeopardised if the authentication is compromised or hijacked. This method can hence be used to address transaction verification and/or authorising batch transactions.
Our Transaction Verification application generates a unique code for each transaction on the user’s mobile phone, independently of a web browser that could be compromised. This protects against man-in-the-browser, or man-in-the-middle, attacks.
FireID’s Mobile Web logs the user directly via their device into the secure mobile website with a single click and without the user having to type in the OTP or website address. Users are authenticated by a hidden OTP transfer and then directed to the website. This process ensures the mobile application will always log the user into the correct mobile website, avoiding phishing and man-in-the-browser attacks.
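The transaction-bound, out-of-band OTP described in the previous answer, as an added example that is neither FireID's code nor the interviewee's: the code is an HMAC over the recipient and amount the user confirms on the phone (the HOTP-style truncation, field layout and demo secret are assumptions), so a code confirmed for one transaction does not verify if a compromised browser alters the recipient or amount before submitting it.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between bank and device; in practice it is
# provisioned per device at enrolment, never a fixed constant.
DEVICE_SECRET = b"demo-shared-secret-not-for-production"
OTP_DIGITS = 8


def canonical_transaction(recipient: str, amount_cents: int,
                          currency: str, counter: int) -> bytes:
    """Serialise every field the user is asked to confirm into one byte string.
    Anything not bound here could be changed in the browser without detection."""
    return f"{recipient}|{amount_cents}|{currency}|{counter}".encode("utf-8")


def transaction_otp(secret: bytes, recipient: str, amount_cents: int,
                    currency: str, counter: int) -> str:
    """Device side: HMAC-SHA256 over the transaction, truncated HOTP-style to digits."""
    msg = canonical_transaction(recipient, amount_cents, currency, counter)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def verify_transaction(secret: bytes, recipient: str, amount_cents: int,
                       currency: str, counter: int, submitted_code: str) -> bool:
    """Server side: recompute the code over the transaction it is about to execute,
    not over whatever the browser claims the user saw."""
    expected = transaction_otp(secret, recipient, amount_cents, currency, counter)
    return hmac.compare_digest(expected, submitted_code)


def demo():
    # The user reads these details on the phone and confirms the generated code.
    code = transaction_otp(DEVICE_SECRET, "ACME-ACCT-0001", 12500, "EUR", 7)
    # Honest browser submits the confirmed transaction unchanged.
    honest = verify_transaction(DEVICE_SECRET, "ACME-ACCT-0001", 12500, "EUR", 7, code)
    # A man-in-the-browser swaps the recipient but must replay the same code.
    swapped = verify_transaction(DEVICE_SECRET, "MULE-ACCT-9999", 12500, "EUR", 7, code)
    # Raising the amount is caught in the same way.
    inflated = verify_transaction(DEVICE_SECRET, "ACME-ACCT-0001", 990000, "EUR", 7, code)
    return honest, swapped, inflated


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```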