Following a string of bank pilots, Visa Europe has commercially launched its CodeSure system, which comprises a card with a display for generating one-time codes to authenticate online transactions.
When do we think we are going to see the Amazon trial?
Visa's CodeSure initiative is a good one that finally makes multi-factor card security realistic and convenient for customers, removing the need to carry around another device. For online merchants the use of the card to generate an OTP (one-time password) will remove the main obstacle to VbV, which is the challenge of remembering yet another infrequently-used password which, in turn, risks the retailer losing sales at the final stages of checkout.
For online banking, however, Visa CodeSure does not eliminate the problem of more sophisticated attacks such as man-in-the-middle or man-in-the-browser where fraudsters can manipulate a legitimate online banking session to redirect funds to their own accounts.
Banks must ensure they take full advantage of the technologies offered in these solutions, such as signing transactions and educating their customers as to what to expect when using the new cards online, since fraudsters can socially manipulate customers into inputting false data to allow fraudulent transactions to be placed. Banks must also ensure they have a robust fraud detection solution in place to allow customer behaviour profiling and monitoring as well as real-time prevention to take full advantage of these
I concur with David Divitt. "Banks must ensure they take full advantage of the technologies offered in these solutions, such as signing transactions". Until now, most "signing" using CAP readers and the like has been Mickey Mouse. A proper long-term solution will sign the entire data payload between browser and server, and will need to use connected smartcard readers at the customer end. These have been a long time coming, but thanks to the rise in non-banking smartcards like US PIV ID cards, we're seeing more laptops feature integrated card readers (like the Dell e series). The beauty of the connected reader is that it provides a sensationally easy to use, ATM/POS-like customer experience for online shopping and banking alike. I appreciate there is anxiety about Man-in-the-Browser malware being able to co-opt the card, but these attacks can be mitigated by WYSIWYS tools in the chip.
"This exclusive Visa solution is an extremely convenient way to bring a similar level of security to payments online as we now enjoy on the high street with chip and PIN." -- Sandra Alzetta, Visa
Surely this technology also has the capability to eliminate the need for "high street chip and PIN [terminals]"?
© Finextra Research 2013