The trusty telephone is emerging as one of the key elements in new
multifactor authentication schemes designed to protect online banking
and other web-based financial transactions from rapidly evolving security threats.
New federal guidelines, which took effect last month, recommend
multiple layers of security controls beyond the traditional
username/password, particularly out-of-band authentication methods.
While the Federal Financial Institutions Examination Council (FFIEC)
rules apply specifically to banks, credit unions, mortgage lenders, and
savings and loans, every organization that deals in online financial
transactions such as shopping portals, credit card companies, online
bill payments, etc. is affected.
Point, counterpoint
One of the main weapons in today's hacker arsenal is password phishing. In this scenario, hackers use phishing emails to steal online banking credentials and break into user accounts.
In response, banks and other financial institutions have deployed
technologies like device identification, challenge questions and
one-time password tokens, according to Sarah Fender, vice president of
product management at authentication vendor PhoneFactor.
Forrester analyst Andras Cser emphasizes that login IDs and passwords
are no longer enough. He says preselected images, challenge questions,
device information, and device reputation are all effective second
factor authenticators.
But the problem with many of those "in-band" authentication methods
is that the device itself might be infected with malware, adds Fender.
Plus there are more advanced threats, such as keyloggers, Man in the
Browser (MITB) and Man in the Middle (MITM) attacks, which require even
more sophisticated security measures.
Gartner analyst Ant Allan says, "Virtually every authentication
technique can be compromised or circumvented. Authentication is better
than legacy passwords to minimize the risk for 'quick and dirty' attacks
such as phishing, but there is a limit to the utility of seeking
higher-assurance methods that are harder to compromise directly. At some
point, the attackers will move to MITB attacks, which hijack already
authenticated sessions, effectively bypassing authentication, to
manipulate transaction details or insert bogus transactions."
Allan says there are two advanced technologies that are effective in
combatting the current crop of attacks: Web Fraud Detection and
Transaction Verification.
According to Allan, Web Fraud Detection evaluates contextual
information about the user's connectivity (endpoint identity, geographic
location, and so on) and looks for anomalous transactional behavior
(compared to user history and to other users; e.g., are multiple users
making transfers to the same new account?). (See "Well organized, sophisticated, fast cybercriminals scare U.S. banks".)
Transaction Verification uses a number of techniques to confirm that
the transaction details received by the bank (a) originated with the
user and (b) are what the user intended. Interactive transaction
confirmation via an out-of-band method, as outlined in the FFIEC
guidance, is effective for desktop browser sessions and is possibly the
most attractive option.
Of course, there are even more robust security methods, such as OTP
(one-time password) hardware tokens with PIN pads and EMV (Europay,
MasterCard, Visa) payment card readers, but banks have run up against
customer resistance to these types of security measures.
State-of-the-art authentication
Here are some of the current options for effective authentication of online transactions.
- Risk-based authentication
An example of risk-based authentication is CA Arcot's RiskFort, a
sophisticated tool that incorporates analytical fraud models based on a
statistical analysis of transaction and fraud data.
"RiskFort collects a wide range of data about each login or
transaction to produce a risk score derived from analytics and rules,"
says Ram Varadarajan, general manager at CA Arcot Security solutions, CA
Technologies.
He adds, "The risk score determines what action, if any, to take for a
given transaction, such as requiring a higher form of authentication.
This is a scenario where risk-based authentication works collaboratively
with strong authentication. If a transaction appears suspicious,
another factor of authentication can be invoked to 'step up' the
authentication and security."
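As an added illustration of the step-up decision described above (example code written for this article, not CA Arcot's RiskFort or its actual rules), the following Python scores one transaction against a handful of hypothetical rules and weights, including the "several users paying the same new account" signal Allan mentions, and maps the score to allow, step up, or block:

```python
from dataclasses import dataclass, field

@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)
    typical_amount: float = 0.0   # e.g. median of the user's past transfers

# Hypothetical rule weights; a real deployment tunes these from fraud data.
RULES = {
    "new_device":       30,
    "unusual_country":  25,
    "new_payee":        20,
    "large_amount":     20,   # more than 5x the user's typical transfer
    "shared_new_payee": 40,   # several users paying the same new account (mule pattern)
}

def risk_score(ctx: dict, hist: UserHistory, new_payee_counts: dict) -> tuple:
    """Return (score, fired_rules) for one login/transaction context."""
    fired = []
    if ctx["device_id"] not in hist.known_devices:
        fired.append("new_device")
    if ctx["country"] not in hist.usual_countries:
        fired.append("unusual_country")
    if ctx["payee"] not in hist.known_payees:
        fired.append("new_payee")
        # Cross-user signal: are multiple users transferring to this new account?
        if new_payee_counts.get(ctx["payee"], 0) >= 3:
            fired.append("shared_new_payee")
    if hist.typical_amount and ctx["amount"] > 5 * hist.typical_amount:
        fired.append("large_amount")
    return sum(RULES[r] for r in fired), fired

def decide(score: int) -> str:
    """Map the score to an action: allow, step up (extra factor), or block."""
    if score < 30:
        return "allow"
    if score < 80:
        return "step_up"   # invoke another factor, e.g. an out-of-band phone call
    return "block"

# Constructed sample: a user who normally pays a known payee from a known laptop at home.
HIST = UserHistory({"laptop-1"}, {"US"}, {"utility-co"}, 120.0)
PAYEE_COUNTS = {"acct-9981": 5}   # constructed: five users already paid this new account

def evaluate(ctx: dict) -> tuple:
    """Score one transaction context and return (action, score, fired_rules)."""
    score, fired = risk_score(ctx, HIST, PAYEE_COUNTS)
    return decide(score), score, fired
```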
- Versatile Authentication Platforms
Entrust offers IdentityGuard and TransactionGuard. "IdentityGuard
handles strong authentication in breadth as well as depth. It supports
hard tokens, soft tokens, smart cards, SMS tokens, geo-location, eGrids,
and more. Authentication could be relatively simple for clients using
their own computers from their own homes, but increases in depth if they
are using a hotspot, and even more if they are in another country,"
says Jon Callas, CTO at Entrust.
One improved technology is Entrust's patented electronic grid
(eGrid), a simple, two-factor authentication system that requires little
to no supporting technology. It's a grid of two-character codes indexed
by letters and numbers. A bank can ask a user, for example, to provide
the codes for E4, A1, H3. The user looks them up on his/her eGrid and
replies CX, G3, 23 (the codes are, of course, different on every card), and
if the reply matches the bank's copy of the grid, the authentication succeeds.
"Note that it doesn't require users to have a smart card, a token, or
any other supporting technology," adds Callas. "It can be printed, kept
as a picture, embossed on a badge or almost anything else. I have one
that's a picture, which I keep on my iPhone, and I use it to authenticate to web mail."
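An added illustration of the grid-card idea in plain Python (not Entrust's eGrid implementation; the card size, the alphabet and the three-cell challenge are assumptions): the server issues the card, picks random cells to challenge, and checks the answer against its stored copy.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits   # codes like "CX", "G3", "23"
COLS = "ABCDEFGH"   # column letters printed on the card (assumed size)
ROWS = "12345"      # row numbers printed on the card (assumed size)

def issue_card() -> dict:
    """Server side: every cell such as 'E4' maps to a random two-character code.
    The card is a shared secret, so the server stores it as carefully as a password."""
    return {c + r: secrets.choice(ALPHABET) + secrets.choice(ALPHABET)
            for c in COLS for r in ROWS}

def make_challenge(k: int = 3) -> list:
    """Pick k distinct cells at random; a fixed or predictable challenge would
    reduce the card to a static password, so the choice must come from a CSPRNG."""
    cells = [c + r for c in COLS for r in ROWS]
    chosen = []
    while len(chosen) < k:
        cell = secrets.choice(cells)
        if cell not in chosen:
            chosen.append(cell)
    return chosen

def answer(card: dict, challenge: list) -> str:
    """What the user does by hand: look up each challenged cell on the card."""
    return ",".join(card[cell] for cell in challenge)

def verify(card: dict, challenge: list, response: str) -> bool:
    """Server side: compare the reply with the stored card in constant time,
    tolerating case and surrounding whitespace in what the user typed."""
    expected = answer(card, challenge)
    return hmac.compare_digest(expected, response.strip().upper())
```

Because each successful challenge reveals a few cells of the shared secret, a deployment would also limit failed attempts per card and reissue cards periodically.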
- Phone-Based Authentication
"Phone-based authentication is swiftly becoming the method of
choice," says PhoneFactor's Fender. "These systems leverage the user's
telephone as the trusted device for the second factor of authentication.
Telephones are extremely difficult to duplicate and phone numbers are
extremely difficult to intercept. The combination of the phone and a
username with password yields strong, multi-factor authentication with
minimal impact on the user experience."
She adds, "PhoneFactor users can choose whichever authentication
method they prefer such as phone call or text message, and all these
solutions provide the same level of out-of-band security and
convenience. Additional security features include PIN mode, voiceprint,
and transaction verification, which can be mapped to particular users
and/or levels of risk."
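The transaction verification Allan and Fender describe, as an added example (not PhoneFactor's product or protocol; the message format, the HMAC-derived code and the nonce are assumptions): the code sent out of band is computed over the payee and amount the bank actually received, and the user types it only if those details match what they meant to send, so a transfer altered inside the browser session fails verification.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def oob_message(server_key: bytes, txn: dict, nonce: str) -> tuple:
    """Bank side: build the phone/SMS text and a short code bound to the details
    the bank received. The nonce keeps the code fresh for each transaction."""
    canonical = f"{txn['payee']}|{txn['amount']:.2f}|{nonce}".encode()
    code = hmac.new(server_key, canonical, hashlib.sha256).hexdigest()[:6].upper()
    text = f"Confirm transfer of {txn['amount']:.2f} to {txn['payee']}; code {code}"
    return text, code

def user_confirms(intended: dict, phone_text: str) -> Optional[str]:
    """User side: read the out-of-band text and type the code only if the
    details match what the user meant to send; the phone channel is separate
    from the browser session, so malware there cannot edit this text."""
    expected = f"{intended['amount']:.2f} to {intended['payee']}"
    if expected not in phone_text:
        return None   # the bank received something else: the user refuses
    return phone_text.rsplit("code ", 1)[1]

def bank_verify(server_key: bytes, received_txn: dict, nonce: str,
                typed_code: Optional[str]) -> bool:
    """Bank side: recompute the code over the details on file for this session."""
    _, expected = oob_message(server_key, received_txn, nonce)
    return typed_code is not None and hmac.compare_digest(expected, typed_code)

def run_flow(intended: dict, received: dict) -> bool:
    """Simulate one transfer: 'received' is what reached the bank through the
    browser session, which an in-band attack could have altered."""
    key, nonce = secrets.token_bytes(32), secrets.token_hex(8)
    text, _ = oob_message(key, received, nonce)
    typed = user_confirms(intended, text)
    return bank_verify(key, received, nonce, typed)
```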
- Image-Based Authentication
One clever new technology by Confident Technologies uses images on a
touch screen phone for authentication. Unlike multi-factor
authentication processes that send a one-time pass code to the user's
phone as a text message, this technology provides a secure second factor by
encrypting a one-time pass code within an image-based authentication
challenge.
"When an authentication requirement is triggered, users identify
pictures on their phone screen that match their previously selected,
secret categories," says Curtis H. Staker, CEO at Confident
Technologies. "For example, if a user preselects the categories called
cars, food, and dogs, a grid of 12 (or so) images appears that contains
various images, three of which fit their categories such as a Corvette, a
hamburger, and a beagle. By correctly identifying the pictures that
match their secret authentication categories, users are, essentially,
re-assembling the one-time pass code that was encrypted within those
pictures. Importantly, the process remains completely out-of-band from
the web session."
"This concept of image categories is intriguing," says Scott
Crawford, managing research director at Enterprise Management
Associates, "Particularly for mobile or touch screen form factors (where
text input can be a challenge) and for cross-cultural or multi-language
use cases, but the technique may beg the question as to whether or not
users can consistently remember the categories they have chosen."
Staker adds that the specific images displayed are different every
time, but the users' categories always remain the same. "This makes it
difficult for anyone else to determine the users' secret categories.
Even if someone else gained possession of the mobile phone or
intercepted the communication, they would not be able to authenticate
because the one-time password is encrypted within the images," adds
Staker.
- Biometrics
Biometrics include authentication properties such as face recognition,
fingerprint identification, hand geometry biometrics, retina scan, iris
scan, digital signatures, and voice analysis.
"I'm not sure if biometrics is considered new, but it's definitely
improved, and it's an area that ebbs and flows, as far as interest is
concerned," says Chris Silva, mobile industry analyst at Altimeter
Group. "The newest buzz in biometrics that's garnering attention in the
mobile space is facial recognition. It has a lot of promise for the
devices that we all carry around with us, which have limited physical
keyboards (or none at all) and often need to be accessed while we're
multi-tasking."
"Voice recognition, face topography, and iris structure are emerging
technologies that also look attractive when you can leverage a user's
mobile phone as a capture device (all have mikes and most have
user-facing cameras)," adds Allan. "Most of these technologies are
relatively passive and unobtrusive, making for a good user experience."
Many companies are experimenting with biometrics as an additional
layer of security; for example, PhoneFactor uses Voiceprint Verification
as a third factor of authentication on top of its other offerings.
"Using an existing voice channel, PhoneFactor simultaneously verifies
something you have (your telephone) and something you are (your
voiceprint) for the second and third factors of authentication," says
Fender. "Voice verification provides one of the strongest levels of
authentication without the high costs typically associated with
biometric authentication."