
This is a problem that is increasing dramatically in tandem with the huge popularity of electronic banking and e-commerce, which now represent a significant share of the global economy and an attractive target.
Stronger client authentication makes it harder for a fraudster to steal and use a customer’s credentials and so gain access to online banking activities such as funds transfer, bill payment and stock and bond purchases, as well as e-commerce activities, principally the sale and purchase of goods online. However, without strong mutual authentication (where not only is the financial institution confident it is connected to a real customer, but the customer is equally assured they are connected to the real financial institution), cyber crime and identity theft will continue. For example, spoof websites and fraudulent e-mails, if left unchecked, can still coax a consumer into providing their credentials and other sensitive personal information. Even if those credentials are rendered unusable when presented from a different PC and/or IP address, the other personal information harvested from the unwitting consumer can still be used by fraudsters to take over that consumer’s identity, open accounts, obtain loans and commit other such fraud. Better mutual authentication is therefore necessary in the fight against cyber crime. Without it, the form of the fraud may change, but fraud itself will continue.
Simply stated, better mutual authentication is achieved when the consumer is confident they are dealing with a legitimate website or e-mail, and the financial institution is certain it is dealing with the real customer, before any sensitive information (including authentication credentials) is exchanged and before any access privileges or authorisation are granted. Several factors need to be addressed by any successful better mutual authentication solution.
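The ordering just described, where each side proves itself before any credential is exchanged, can be made concrete with a nonce-based challenge-response in which the site proves knowledge of a shared key first and the customer answers only if that proof checks out. The following Python is an added illustration written for this article, not code from the FSTC project: the site name, customer id, key and the three-message shape are all assumptions, the key is a constructed high-entropy secret of the kind a token or smart card would hold (this construction is not safe for low-entropy passwords, since an attacker could collect server proofs and test guesses offline; passwords need a PAKE instead), and the spoof-site and replay cases show what a customer-side check and fresh nonces buy you.

```python
import hashlib
import hmac
import secrets

CUSTOMER = "alice"
# Constructed example key (assumption): a high-entropy secret provisioned into the
# customer's token out of band, never a memorable password.
CUSTOMER_KEY = secrets.token_bytes(32)


def proof(key: bytes, role: bytes, site: bytes, customer: bytes,
          c_nonce: bytes, s_nonce: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields. The role tag separates server
    proofs from client proofs, and the site name binds the proof to the host the
    customer intends to reach, so a proof cannot be reused for another role or site."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (role, site, customer, c_nonce, s_nonce):
        mac.update(len(field).to_bytes(2, "big") + field)
    return mac.digest()


class Server:
    """A site the customer might be talking to. A spoof site is simply a Server
    that does not hold the customer's real key."""

    def __init__(self, site: str, keys: dict):
        self.site = site.encode()
        self.keys = keys
        self.pending = {}          # customer -> (c_nonce, s_nonce) this server issued

    def respond(self, customer: str, c_nonce: bytes):
        """Message 2: prove knowledge of the key before the customer sends anything
        secret. Unknown ids get a throwaway key so the reply looks identical and
        does not confirm which customers exist."""
        s_nonce = secrets.token_bytes(16)
        key = self.keys.get(customer, secrets.token_bytes(32))
        self.pending[customer] = (c_nonce, s_nonce)
        return s_nonce, proof(key, b"server", self.site, customer.encode(), c_nonce, s_nonce)

    def verify(self, customer: str, c_proof: bytes) -> bool:
        """Message 3 check, against the nonces this server actually issued,
        never against nonces echoed back by the other side."""
        key = self.keys.get(customer)
        issued = self.pending.pop(customer, None)
        if key is None or issued is None:
            return False
        c_nonce, s_nonce = issued
        expected = proof(key, b"client", self.site, customer.encode(), c_nonce, s_nonce)
        return hmac.compare_digest(expected, c_proof)


class Client:
    def __init__(self, customer: str, key: bytes, site: str):
        self.customer, self.key, self.site = customer, key, site.encode()
        self.c_nonce = None

    def start(self):
        """Message 1: identity plus a fresh nonce, no secret material."""
        self.c_nonce = secrets.token_bytes(16)
        return self.customer, self.c_nonce

    def answer(self, s_nonce: bytes, s_proof: bytes):
        """Check the site's proof; only then release our own proof."""
        cust = self.customer.encode()
        expected = proof(self.key, b"server", self.site, cust, self.c_nonce, s_nonce)
        if not hmac.compare_digest(expected, s_proof):
            return None            # site failed to prove itself: send nothing further
        return proof(self.key, b"client", self.site, cust, self.c_nonce, s_nonce)


def run_login(client: Client, server: Server) -> str:
    """Drive the three messages and report how the session ended."""
    customer, c_nonce = client.start()
    s_nonce, s_proof = server.respond(customer, c_nonce)
    c_proof = client.answer(s_nonce, s_proof)
    if c_proof is None:
        return "client aborted: site failed to prove itself"
    if not server.verify(customer, c_proof):
        return "server rejected: customer failed to prove itself"
    return "mutually authenticated"


def replay_captured_login(server: Server, customer: str, c_nonce: bytes, c_proof: bytes) -> bool:
    """An eavesdropper replays captured messages 1 and 3 verbatim. The server's
    fresh nonce means the old proof no longer matches."""
    server.respond(customer, c_nonce)
    return server.verify(customer, c_proof)


if __name__ == "__main__":
    bank = Server("bank.example", {CUSTOMER: CUSTOMER_KEY})
    print(run_login(Client(CUSTOMER, CUSTOMER_KEY, "bank.example"), bank))
    print(run_login(Client(CUSTOMER, CUSTOMER_KEY, "bank.example"), Server("bank.example", {})))
```

The point the spoof case makes is the one in the paragraph above: because the client refuses to send its own proof until the site has proven itself, a phishing site that merely looks like the bank never receives anything it could reuse, and a captured session cannot be replayed because the bank binds each proof to a nonce it generated itself.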
You cannot compromise on convenience
Consumers are slow to change and won’t alter their behaviour unless there is real perceived value and/or increased convenience in doing so. Most consumers are still not concerned about security to the point of accepting increased cost and inconvenience. While cyber crime is on the rise, it has so far affected relatively few people (and even fewer have actually suffered financial loss, thanks to protection by financial institutions and government). Most consumers, therefore, are not yet sufficiently motivated to change their behaviour or to put up with inconvenience for the sake of greater security.
Cost-effective and flexible
It is also difficult for financial institutions to justify the increased cost of new authentication technology, and they face a growing diversity of authentication solutions of varying strength. Any solution must accommodate end-user choice and should be designed to be future-proof, so that it can counter new threats and incorporate new and better authentication technologies as they are introduced. For example, several emerging solutions may suddenly take hold (e.g. national identity cards, Trusted Platform Modules, Microsoft’s InfoCard and advanced password management products), and we want to be able to take advantage of and incorporate them as they enter the mainstream.
In the mix
It is important to remember that there is no single silver-bullet authentication technology. A good mutual authentication solution needs to employ several authentication technologies across the four dimensions of:
• Shared secrets (e.g. passwords)
• Electronic credentials (e.g. smart cards, tokens)
• Alternate channels (e.g. telephone call back)
• Contextual analysis (e.g. behavioural analysis)
In addition, software vulnerabilities in operating systems and applications (e.g. browsers) still need to be fixed: no authentication scheme holds up on an endpoint the attacker already controls.
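How those four dimensions combine in practice is easiest to see as a decision rule: a failed shared secret or credential ends the attempt outright, context (unfamiliar PC, unfamiliar network, high-value action) adds risk, a valid electronic credential offsets some of it, and residual risk is resolved over an alternate channel before the device is enrolled as known. The Python below is an added example written for this article, not FSTC code; the attribute names, the score weights and thresholds, the `Attempt` records and the customer data are all constructed assumptions chosen to make the sequence readable, and it generalises the earlier remark about credentials being refused from a different PC or IP address into a step-up rather than a flat refusal.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class Attempt:
    """One login or transaction request (constructed fields, not a real bank's schema)."""
    customer: str
    device_id: str            # fingerprint or cookie of the PC in use
    network: str              # coarse network identifier, e.g. a /24 or an ASN
    password_ok: bool         # shared secret
    token_ok: Optional[bool]  # electronic credential; None when none was presented
    action: str               # "view", "pay_bill" or "transfer"
    amount: float = 0.0


class RiskEngine:
    """Contextual analysis over a per-customer memory of devices and networks
    seen on previously successful sessions. Weights and thresholds are assumptions."""

    def __init__(self, step_up_at: int = 2, deny_at: int = 5, large_transfer: float = 1000.0):
        self.step_up_at, self.deny_at, self.large_transfer = step_up_at, deny_at, large_transfer
        self.seen = {}   # customer -> {"devices": set(), "networks": set()}

    def _known(self, customer: str) -> dict:
        return self.seen.setdefault(customer, {"devices": set(), "networks": set()})

    def score(self, a: Attempt) -> int:
        known = self._known(a.customer)
        risk = 0
        if a.device_id not in known["devices"]:
            risk += 2                       # different PC than any seen before
        if a.network not in known["networks"]:
            risk += 1                       # different network / IP range
        if a.action == "transfer" and a.amount >= self.large_transfer:
            risk += 2                       # high-value action raises the bar
        if a.token_ok:
            risk -= 2                       # a valid token proof offsets context
        return max(risk, 0)

    def decide(self, a: Attempt) -> str:
        # A failed factor is never rescued by favourable context.
        if not a.password_ok or a.token_ok is False:
            return DENY
        risk = self.score(a)
        if risk >= self.deny_at:
            return DENY
        if risk >= self.step_up_at:
            return STEP_UP                  # resolve over an alternate channel
        self.remember(a)
        return ALLOW

    def complete_step_up(self, a: Attempt, callback_confirmed: bool) -> str:
        """Outcome of the alternate channel (e.g. telephone call back). Only a
        confirmed step-up enrols the new device and network as known."""
        if not callback_confirmed:
            return DENY
        self.remember(a)
        return ALLOW

    def remember(self, a: Attempt) -> None:
        known = self._known(a.customer)
        known["devices"].add(a.device_id)
        known["networks"].add(a.network)


if __name__ == "__main__":
    engine = RiskEngine()
    first = Attempt("alice", "pc-1", "203.0.113.0/24", True, None, "view")
    print(engine.decide(first))                      # new PC: step up
    print(engine.complete_step_up(first, True))      # confirmed by call back
    print(engine.decide(Attempt("alice", "pc-1", "203.0.113.0/24", True, None, "view")))
```

Two details matter more than the exact weights. The early return in `decide` keeps context from ever compensating for a wrong password or a bad token response, and a new device is only added to the customer's known set after the alternate channel has confirmed the session, so a fraudster who guesses the password from an unfamiliar PC cannot promote that PC to trusted status on their own.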
Sharing and partnership
When customers are required to use hardware devices for authentication, the solution should support sharing across financial institutions for greater user acceptance, so that the user doesn’t have to carry around a ‘necklace’ of hardware tokens.
Better mutual authentication cannot be achieved by financial services firms alone; the solution must work on the computers, end-user devices and communications services that consumers buy independently. It therefore has to be developed in partnership with those vendors and service providers.
Managed access
The better mutual authentication solution also needs to address the authentication needs of customers’ agents, and must be able to grant those agents limited authorisation. Accordingly, the financial institution should be able to distinguish between customers and their agents. Furthermore, when there are multiple customers on the same account (e.g. husband and wife, parent and child), the organisation should be able to distinguish the primary account holder from another valid account member.
This article highlights some of the issues raised in the FSTC Better Mutual Authentication (BMA) Project. Among other things, the project has issued reports that describe these requirements in more detail, along with an architectural framework into which authentication solutions can fit. These reports are available from the FSTC website, www.fstc.org.
The battle continues
Work still to be done includes evaluating candidate solutions against:
• Strength of authentication – false accepts, false alarms and resistance to spoofing
• User acceptance
• Maturity – risk of deployment
• Cost of implementation and ongoing support
• Support for mutual, rather than one-way, authentication
• Impact on risk exposure – the degree of resulting risk reduction