The Magazine

Issue 11
24 May 2011

What role does authentication play in securing financial transactions?

Jenny Dugmore, CEO


For the financial industry, there is a clear need to ensure that transactions are conducted securely and only by authorized parties.

Communication methods such as Web Services are gaining momentum and are becoming part of trading and banking applications, exposing institutions to a growing list of sophisticated web-based threats, such as XML poisoning and injection payloads. Then there is an ever-growing number of attacks such as phishing, spear-phishing and Man-in-the-Browser attacks, all with the objective of stealing consumers' credentials and identities. Mobile banking is also a growing sector that allows financial institutions to benefit from the pervasiveness of mobile phones and the fact that more people own a mobile phone than a computer.

In this landscape, trust in the identity becomes increasingly essential. Without trust in identity, consumer protection cannot be guaranteed, and without proper authentication, neither the financial institution, the merchant nor the consumer can be sure that valid transactions are being made.
 
Most banks currently use strong authentication mechanisms for this purpose, and many of them have adopted two-factor authentication. FireID’s focus is on providing strong authentication via a simple, convenient and cost-effective means.

What steps are most financial organizations taking today for authentication?

A common technology used for the delivery of one-time passwords, or OTPs, is short message service. Because it is available in nearly all handsets, short message service, or SMS, has the potential to reach all consumers. The cost of each SMS message adds up the more often an OTP needs to be requested, so it might not be suitable for some enterprises.

OTP over SMS is also encrypted using a standard that several hacking groups report can be successfully decrypted within minutes or seconds, or it might not be encrypted by the service provider at all. In addition to threats from hackers, the mobile phone operator becomes part of the trust chain. In the case of roaming, more than a single mobile phone operator has to be trusted. On top of this, SMS-based OTPs are vulnerable to SIM swaps.

If network connectivity is not available to the end user, they are unable to receive the SMS and cannot authenticate themselves. Some vendors offer pre-loaded SMS tokens, mainly used to address situations in which no network coverage is available. These preloaded tokens cannot be encrypted on the mobile phone unless an application such as FireID's mobile application is loaded on the phone.

Physical hardware tokens are another authentication tool used by some financial services organizations. These devices must be carried around by users and many find them to be inconvenient. They are also frequently lost or forgotten, and users can be denied critical access if they do not have the device with them at the time that authentication is required.

Paper-based tokens are a mechanism used by many banks in central Europe. These tokens are delivered on a sheet of paper, also called a TAN sheet, to verify individual transactions.

The most cost-effective OTP solutions are those that generate OTPs on a device that someone already owns, such as the mobile phone. These systems avoid both the costs associated with issuing, and re-issuing, proprietary electronic tokens and the cost of SMS messaging.

How has the nature of authentication changed for financial companies?

The fraud business targeting online transactions and credit cards has become far more lucrative for criminals than the drug business. Identity theft is a big issue and we will all have to be more cautious with the credentials that make up our identity, both in the real and online world. Industry and government regulations help to increase awareness and force companies to address some of the most obvious risks by implementing best practices, such as King III, POPI, and PCI, but there is still much work to be done.

Recent phishing attacks have called into question the use of OTP, but organizations must realize that security is a process that cannot be achieved by one technology alone. Tokens can’t be relied upon as the only security solution for online banking since they don't close the loop. With OTPs, the banking service can confidently confirm that the user credentials entered truly are identification for the customer. However the customer still doesn’t know that the site he is entering this information into is real.

Our solutions, however, go a step further in addressing the above issues within online banking scenarios and ensure that the FireID one-time password generator will always log the user into the correct mobile website, avoiding phishing attacks.

What steps can financial companies take to stay ahead of these new attack methods and protect their users?

Companies should consider both out-of-band and mobile web authentication techniques to protect transactions against evolving financially motivated attacks.

Out-of-band authentication can be used to verify and authorize transactions by generating a one-time password based on the values making up the transaction itself, such as the recipient and amount. This ensures that the integrity of the actual transaction is not jeopardized, and that, in cases where the user's authentication was compromised or hijacked, financial transactions cannot be performed. The one-time password as the basis of two-factor authentication can hence be used to address needs such as transaction verification and/or authorizing batch transactions.

Using something the end-user already has, a mobile phone, FireID provides a secure and easy way to ensure that only legitimate payments are made. The FireID Transaction Verification application generates a unique code for each transaction. The code is generated on the end-user’s mobile phone, completely independently of a web browser that could be compromised. This ensures protection against man-in-the-browser, or man-in-the-middle, attacks.

FireID’s “Mobile Web authentication” provides another efficient solution. The FireID application logs the user directly via their device into the secure mobile website with a single click and without the user having to type in the OTP or website. The token acts as a direct link to the website but with the added benefit of an automatic authentication process. The user is authenticated by means of a hidden OTP transfer after which the user is directed to the site. In effect the user will have the benefit of two-factor security but without the need to enter an OTP. Since the website location is loaded into the FireID application, this process ensures the mobile application will always log the user into the correct mobile website avoiding phishing and man-in-the-browser attacks. 
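The following is an added, illustrative example (written for this page; it is not FireID's code and does not describe FireID's product internals) of the two ideas the interview relies on: an OTP generated on a device the user already owns, with no SMS in the loop, and a transaction-bound code whose HMAC input covers the recipient and amount so that a man-in-the-browser cannot reuse a code the user generated for a different transaction. It assumes a per-user secret shared between phone app and bank at enrolment, the standard HOTP/TOTP construction (RFC 4226/6238, for which the first assertions use the RFCs' published test vectors), and a field encoding of my own choosing (`_canonical`); the IBANs and amounts are constructed sample data.

```python
"""Device-generated OTPs and transaction-bound codes (illustrative example).

Model: the phone app and the bank share a per-user secret K, provisioned at
enrolment. The phone never needs network coverage to produce a code.
  - hotp/totp: the login OTP generated on the phone (RFC 4226 / RFC 6238).
  - transaction_code: the MAC input also covers recipient and amount, so a
    code the user generates for the transaction shown on the phone's own
    screen cannot authorise a different transaction substituted by malware
    in the browser ("what you see is what you sign").
"""
import hashlib
import hmac
import struct
import time


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at the offset given by the low
    nibble of the last MAC byte, clear the sign bit, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % (10 ** digits):0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def _canonical(counter: int, recipient: str, amount_cents: int, currency: str) -> bytes:
    """Unambiguous encoding of the fields the code must protect (my own choice,
    not a standard). Length-prefixing each field prevents delimiter tricks such
    as a recipient string that itself contains a separator character."""
    parts = [str(counter), recipient, str(amount_cents), currency]
    return b"".join(struct.pack(">H", len(p)) + p.encode("utf-8") for p in parts)


def transaction_code(secret: bytes, counter: int, recipient: str, amount_cents: int,
                     currency: str = "EUR", digits: int = 8) -> str:
    """Phone side: code computed from the details the user reads on the phone.
    SHA-256 is used here; any HMAC works as long as both sides agree."""
    msg = _canonical(counter, recipient, amount_cents, currency)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


def verify_transaction(secret: bytes, next_counter: int, recipient: str, amount_cents: int,
                       code: str, currency: str = "EUR", window: int = 5, digits: int = 8):
    """Bank side: recompute over the transaction the bank is about to execute
    (not the one the browser claims the user saw), for counters in a small
    look-ahead window to tolerate codes the user generated but never submitted.
    Returns the new next_counter on success, None on failure; advancing past
    the matched counter makes every code single-use (no replay)."""
    for c in range(next_counter, next_counter + window):
        expected = transaction_code(secret, c, recipient, amount_cents, currency, digits)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return c + 1
    return None


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226/6238 test-vector key), not a real user's key.
    K = b"12345678901234567890"
    print("login TOTP right now:", totp(K, time.time()))

    # Phone displays "Pay 150.00 EUR to NL91ABNA0417164300" (sample IBAN) and this code;
    # the user types the code into the bank's web form.
    code = transaction_code(K, 7, "NL91ABNA0417164300", 15000)
    print("transaction code:", code)

    # Bank verifies against the transaction it is actually about to execute.
    print("genuine submission ->", verify_transaction(K, 7, "NL91ABNA0417164300", 15000, code))
    # Man-in-the-browser swapped the recipient in the submitted form: same code, no match.
    print("tampered submission ->", verify_transaction(K, 7, "DE89370400440532013000", 15000, code))
```

The security of the scheme rests on the user actually checking the recipient and amount on the phone before typing the code; if the phone merely echoes whatever the browser sends, the binding is meaningless. Note also that the bank must verify over the values it will execute, never over values the browser supplies "for verification", and must retire the counter after a successful match so a captured code cannot be replayed.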


Disclaimer: All comments posted in a personal capacity