Last updated: 19 March 2014
Adding an additional security device into online banking at the client’s own PC, commonly referred to as multi-factor authentication (see the Wikipedia description), significantly changes the game for cyber criminals. This might take the form of a bank-issued smart card and individual reader or a USB token that the bank customer uses when online.
If the security device must be present during logins and transactions, hackers will no longer be able to simply steal passwords or shared secrets, or even hijack sessions. This is not to argue that every online transaction should include a security device. eBankers will certainly want to limit their use of higher levels of security to high-value, high-risk or unusual transactions.
Multi-factor authentication can be done very simply with a secure external device. Because the device is never connected to the PC, it is isolated from any malware running on that machine, which also makes it easier for banks and their customers to deploy. Simple as it is, such a device can deliver a high level of protection for online banking customers. Since Barclays deployed smart card readers to authenticate online customers, “Phishing attacks decreased dramatically against Barclays whilst increasing to an all-time high for the U.K. banking industry,” reported Sean Gilchrist, the bank’s digital banking director, in an article from Bank Systems & Technology.
Another example is Gemalto’s Ezio Dynamic Signatures. During banking login and for any significant transaction, the customer is prompted to enter a unique digital signature, or number, as part of the authentication or transaction confirmation. The customer enters transaction-specific information into the security device to get the digital signature, and then enters it in the browser for bank verification. This “what-you-see-is-what-you-sign” mode means the user can review and approve the details of every transaction.
The use of Dynamic Signatures can scale based on the bank’s policies. The bank host triggers the Ezio Dynamic Signature device to set the appropriate security level for each and every transaction. When needed, each Ezio Dynamic Signature can be unique, providing legally irrefutable proof that the device and the device owner are present, even for online transactions.
Often referred to as transaction verification, this is a very high barrier to the most insidious forms of online fraud, such as man-in-the-browser attacks that hijack online banking sessions. Dynamic Signatures work because the online banking client sees every transaction, even fraudulent ones, and either approves it with a legally non-repudiable signature or spots it as fraud and raises the alarm. If someone has hijacked a PC or stolen login credentials and is attempting to put false transactions through during an online session, they will be unable to complete them without the code from the security device.
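The flow described above, reduced to code as an added illustration (this is not Gemalto's Ezio implementation, whose algorithm the article does not describe): the offline device computes a short code over the host's one-time challenge together with the payee and amount the user keyed in, and the host recomputes it from what the browser actually submitted. The `BankHost` class, the HMAC-SHA256 construction, the 8-digit truncation and the per-device key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def device_sign(device_key: bytes, challenge: str, account: str, amount: str) -> str:
    """Code the offline device displays after the user keys in the host's
    challenge plus the payee and amount (what-you-see-is-what-you-sign)."""
    mac = hmac.new(device_key, f"{challenge}|{account}|{amount}".encode(),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226-style truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** 8:08d}"                # 8 digits the user can type

class BankHost:                                   # hypothetical host side
    def __init__(self):
        self.keys = {}     # customer -> device key (a real host would use an HSM)
        self.pending = {}  # challenge -> customer, consumed on first use

    def enroll(self, customer: str, device_key: bytes) -> None:
        self.keys[customer] = device_key

    def start_transaction(self, customer: str) -> str:
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[challenge] = customer
        return challenge

    def verify(self, customer, challenge, account, amount, code) -> bool:
        # Single-use challenge: a captured code cannot be replayed later.
        if self.pending.pop(challenge, None) != customer:
            return False
        expected = device_sign(self.keys[customer], challenge, account, amount)
        return hmac.compare_digest(expected, code)

def demo():
    """Returns (honest ok, tampered-payee ok, replayed-code ok)."""
    host = BankHost()
    key = secrets.token_bytes(32)  # constructed per-device secret
    host.enroll("alice", key)
    chal = host.start_transaction("alice")
    code = device_sign(key, chal, "GB00 1234 5678", "250.00")
    honest = host.verify("alice", chal, "GB00 1234 5678", "250.00", code)
    replay = host.verify("alice", chal, "GB00 1234 5678", "250.00", code)
    # Man-in-the-browser: the form reaching the bank names a different payee
    # than the one the user saw and signed, so the host's recomputation fails.
    chal2 = host.start_transaction("alice")
    code2 = device_sign(key, chal2, "GB00 1234 5678", "250.00")
    tampered = host.verify("alice", chal2, "GB99 0000 0000", "250.00", code2)
    return honest, tampered, replay
```

Running `demo()` returns `(True, False, False)`: the honest transaction passes, while the altered payee and the replayed code are both rejected by the host.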
Other options exist to provide higher levels of convenience, such as the Ezio Thin Optic, which adds the capability to optically scan the transaction details and challenge from the host on the PC screen, increasing user convenience.