An article relating to this blog post on Finextra:

Gemalto releases mini online banking authentication device

European smart card vendor Gemalto has launched an ultra-thin credit card-sized authentication device for online banking customers.


See article

Does a smartcard reader add value in generating an OTP?

This Gemalto mini online banking authentication device and IBM's USB dongle stick (whatever it's called) are not any better than a simple time-based OTP generator.

And no, I don't work for RSA or Verisign or any of these companies that offer these time-based OTP generators.

I have been searching for the best multi-factor authentication method/device for quite some time now. In my opinion, a simple time-based OTP generator such as RSA's SecurID is the most efficient in the market. They come in different shapes: a key-fob shape, credit card form, etc.

Adding a smartcard reader and requiring the user to insert a smartcard and enter a PIN code just to generate an OTP (which is probably an event-based OTP) is too many steps, and it actually provides less than what a simple time-based OTP generator can provide. So, as far as I am concerned - it's MUCH ADO ABOUT NOTHING.

Perhaps one can argue that a user is compromised if his simple time-based OTP generator is lost or stolen. But then again, the same applies if the user loses his smartcard/s.

What I did find in the course of my search for the best authentication system is a set of systems created by a French engineer (who, by the way, has a patent pending, filed worldwide; I checked) that require 'MUTUAL' authentication of both business and consumer (B and C), preferably using strong multi-factor authentication methods.

- His preferred embodiment is that the 'mutual' authentication of the two parties (B and C) is done by a Trusted Third Party and the multi-factor authentication method is through the usage of time-based OTPs.

- His is the only system that I know of that has developed an OTP generator that businesses can use to authenticate themselves to their consumers. I thought that this was very wise indeed since phishing is possible only because the business - "B" in a B2C somehow never positively authenticates itself to consumers "C".

- Another great benefit of his system is that since it's the Trusted Third Party that authenticates both parties (therefore the management of OTPs for businesses and consumers resides with that Trusted Third Party), a single OTP device given to a consumer can be used with many different businesses ("Bs").

- Ergo, this new system can spread the cost of any expensive multi-factor authentication device/system. Imagine small online merchants being able to benefit from this system, or how this can strongly secure P2P transactions!

- The Trusted Third Party in this new system also compares many other elements which totally thwarts man-in-the-middle attacks and phishing.

But as a consumer, what I truly like about this is that with one time-based OTP generator, I can authenticate myself with one or many parties who I know have also been authenticated by the Trusted Third Party. For other parties such as small businesses, big businesses or even a peer, this system makes multi-factor authentication devices quite affordable.


Comments: (11)

Nick Green - ISD Consultants - Northampton, 30 October 2008, 16:31

Marite, I think one of the things you have missed is that by using either the Gemalto device or the IBM USB device and an IC payment card you can access more than one online service, i.e. several credit card issuers and/or several on-line banking services. With an RSA SecurID you can only access one.

A Finextra member, 30 October 2008, 16:50

Nick, I didn't miss it at all. That's precisely why I described the new B.3.2.Trust system of 'mutual' authentication by a Trusted Third Party (by B.3.2.Trust).

With this system, a single OTP device can be used (by the holder) with any online service or even for peer-to-peer transactions (not just with online banks or card issuers).

The codes generated by this Gemalto device are event-based OTPs. Time-based OTPs are more secure.

Lastly, I generally am wary of the proliferation of standalone card readers. They are toys for fraudsters.

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv, 31 October 2008, 08:55

The IBM idea is not related to OTP, except that it replaces it. In the IBM scenario the device displays important elements of the transaction, such as the amount or the beneficiary, which are authenticated cryptographically between the device and the bank without the user's PC being involved. This means that malware and other attacks (MITM - man in the middle - in the IBM description) cannot change these elements.

A Finextra member, 31 October 2008, 13:23

OTP - one time password that you have to transcribe?

Not exactly a front runner in the user friendly stakes is it?

I guess no-one thinks about that anymore, they're so desperate for even a semblance of security.

Mutual authentication is one thing I would have thought would be an essential requirement for any sensible system.

How would you describe a 'solution' that didn't mutually authenticate? I'd suggest 'useless' would be appropriate.

Happy days.

Nick Collin - Collin Consulting Ltd - London, 03 November 2008, 11:55

A crucial advantage of using a standard EMV smartcard to generate the OTP is that the bank has already invested in the difficult and expensive process of making sure the right device with an embedded secret (i.e. the smartcard in this case) has got to the right person. With non-smartcard devices such as RSA's SecurID you have to incur these costs twice. This more than offsets the costs of the smartcard readers, which have no secret in them. There are several other advantages such as multi-channel applicability (mentioned above by Nick Green), no dependence on proprietary standards and technology, no need to remember more than one PIN, and a natural evolution to secure e-commerce through integration with 3D Secure standards. I could go on, but the growing list of major banks which have adopted CAP and VbV speaks for itself.

One other thing - the original article says the Gemalto solution doesn't protect against man-in-the-middle attacks. This is simply not true. You get such protection simply by entering additional information such as the beneficiary's account number or amount (mentioned above by Jonathan Rosenne). Most banks using remote chip authentication already routinely use this for transfers above a certain value.

A Finextra member, 04 November 2008, 20:31

Nick Collin said : "I could go on, but the growing list of major banks which have adopted CAP and VbV speaks for itself."

Laughing out...  Adopted? They are being mandated! And they in turn force their cardholders to register. Like I said, the card schemes earn regardless of who issues their label. On the other hand, the issuing bank takes the risk of alienating customers with an ineffective solution (just read the forums filled with cardholder complaints...).

OTPs have been by far more successful than the card reader/card authentication method for log-in access authentication despite their cost.

Identification data in a card is static, much like a fingerprint. Static identification is useful to fraudsters. This is why a time-based OTP logically provides more security, since a captured time-based OTP is useless to a fraudster. And of course, with OTPs, end-users need not remember the PIN.

So, this is also why I think there isn't much utility in adding a smartcard reader/smartcard to generate an OTP.

The issue of cost related to time-based OTPs can now be resolved by a trusted third party (a new system by a French company) that authenticates both the B (businesses) and C (consumers). Therefore, one OTP device can be used by an end-user with one or many parties. This new system enables any strong multi-factor authentication method to have a universal application. This multi-channel / universal applicability will then lower the cost of time-based OTPs quite considerably.

Whether it's time-based OTPs, card reader/card authentication or biometrics, what's clearly lacking is mutual authentication. Authentication of web servers should also be done, and this new system does this.

Nick also said: "..., and a natural evolution to secure e-commerce through integration with 3D Secure standards." All I can say is that a system exists that can make card-not-present transactions more secure than card-present transactions, and this isn't by using a card reader/card. Unfortunately, I'm not at liberty to say more at this time ...

ANY system that does not do mutual authentication does not protect against man-in-the-middle attacks. Does the Gemalto or the IBM ZTIC do mutual authentication? When I'm typing a time-based OTP, do I know that I am giving it to a legitimate website? While I am using the card reader/card and I enter a beneficiary's account number and/or amount, do I, as an end-user, know for sure that I am not sending this confidential data to a man-in-the-middle? While I am using an IBM ZTIC USB, do I, as an end-user, know for sure that what I am seeing on the display of that USB key is coming from a legitimate website?
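The thread argues about three mechanics without showing them: event-based versus time-based OTPs (the post and the comment above), binding a transaction's beneficiary and amount into the code (Jonathan Rosenne and Nick Collin), and whether a captured code or altered transaction still verifies. The example below is added here; it is not code from the post, from Gemalto, IBM or any product named, and it assumes a constructed seed, hypothetical `HotpServer`/`TotpServer` verifier classes, and an `extra` MAC input of its own for the transaction binding (a simplification of, not the actual, EMV CAP algorithm). It implements RFC 4226 HOTP and RFC 6238 TOTP, which are the standardised forms of the event- and time-based tokens the thread compares.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-seed-not-a-real-key"  # constructed sample seed, one per token


def hotp(secret, counter, digits=6, extra=b""):
    """RFC 4226 HOTP over an 8-byte big-endian counter. `extra` is this example's own
    addition: bytes (beneficiary, amount) mixed into the MAC input to bind the code."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the current time step (30 s by default)."""
    return hotp(secret, now // step, digits)


class HotpServer:
    """Event-based verifier: a code is accepted once, then the counter moves past it."""
    def __init__(self, secret, look_ahead=5):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code):
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resync; a burned counter never verifies again
                return True
        return False


class TotpServer:
    """Time-based verifier: a code is valid in its own step (+-1 step for clock skew)
    and is refused once redeemed, so a captured code cannot be replayed."""
    def __init__(self, secret, step=30):
        self.secret, self.step, self.used = secret, step, set()

    def verify(self, code, now):
        for t in (now - self.step, now, now + self.step):
            if hmac.compare_digest(totp(self.secret, t, self.step), code):
                key = (t // self.step, code)
                if key in self.used:
                    return False  # replay within the validity window
                self.used.add(key)
                return True
        return False


def sign_transaction(secret, counter, beneficiary, amount_cents):
    """CAP 'sign'-style code: beneficiary and amount enter the MAC, so a code computed on
    the reader for one transfer does not verify if a man-in-the-middle alters either."""
    extra = beneficiary.encode() + struct.pack(">Q", amount_cents)
    return hotp(secret, counter, extra=extra)


def verify_transaction(secret, counter, beneficiary, amount_cents, code):
    return hmac.compare_digest(sign_transaction(secret, counter, beneficiary, amount_cents), code)
```

Note what the binding does and does not give: an altered amount or beneficiary fails verification, but nothing here authenticates the server to the user, which is the mutual-authentication gap the comment above raises.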

Nick Collin - Collin Consulting Ltd - London, 06 November 2008, 17:27

Merite: with CAP, the card reader is not physically connected to the PC. The card identification data, beneficiary account number, etc. is cryptographically combined by the card to generate the OTP, which is then manually entered into the PC. There is no way this data can be intercepted.

I'm not aware of any bank which has been mandated to use CAP. Can you give examples?

Mutual authentication would be nice to have, but in practice it turns out to be impractical. The industry developed a PKI solution called SET (Secure Electronic Transactions) some years ago, but despite massive efforts it was never adopted - it was just too expensive and difficult to roll out on a commercial basis in a mass market. Hence the adoption of the 3D Secure model, which breaks up the solution into manageable chunks.

A Finextra member, 07 November 2008, 09:47

"I'm not aware of any bank which has been mandated to use CAP. Can you give examples?"

Answer: VBV (since your first post stated: "but the growing list of major banks which have adopted CAP and VbV speaks for itself.")

You also said: "There is no way this data can be intercepted."

Yet you sort of negated yourself with the sentence before: "by the card to generate the OTP which is then manually entered into the PC." Entered into the PC is the POC (point of compromise) and is phishable at this point.

Perhaps we should go back to my subject line: "Does a smartcard reader add value in generating an OTP?" The multi-channel is a good angle, but there's still no real added value in adding a card reader to an OTP generator, since OTPs by themselves can also be multi-channel.

"Mutual authentication would be nice to have but in practice it turns out to be impractical." And you also spoke about PKI and SET.

Sorry Nick, SET is as old as my grandmother, and a lot of things are quite possible now, technologically speaking, which would make mutual authentication quite practical and easy to implement. SET also didn't provide mutual authentication.

Cheers.

A Finextra member, 09 November 2008, 02:34

Hello.

We, the consumers, can already buy EMV card readers on the web. We might be able to get them in retail shops sometime. Although they could be as smart as (if not smarter than) cards, most of them are designed to be as card-neutral as possible. The result is that, should I lose or break mine, I could borrow your card reader to authenticate myself with my banking card. Something I couldn't do with a so-called OTP token, provided that your bank had provided you -- oeuf corse -- with such a token, or keyfob, or USB 'smart security device', etc. The secrets are in the cards and the tokens, not in the readers.

Readers that operate in a connected mode are being developed to facilitate next generation eSEPA payment services operations, including Credit Transfers and Direct Debits, and not only Card Payments. Something that handheld tokens don't and won't do because they were not designed for this. Except that...

Last week, at Cartes, Kobil and Vasco demoed card readers with an opto-electronic interface that enables cardholders to download data onto their reader + card via an optical flashing pattern displayed on the screen of their PC. Funny: back in 1994, at the CSI trade show, I remember demonstrating a similar system from ActivIdentity (then ActivCard). Do we have here an alternative to connected readers? Maybe.

Gemalto, Kobil, Todos, Vasco, XIRING... not to mention others who didn't exhibit, such as IBM, had new versions of EMV card readers that perform a wide diversity of services. Worth mentioning, XIRING introduced its award-winning 'XiSign Wallet', a standard EMV card reader that leverages several EMV-enabled operations including CAP/DPA authentication, prepaid value checking and cardholder control of contactless payments.

I believe that the above-mentioned industry examples and references are rich enough to demonstrate how and why, yes, a smart card reader does add value in generating an OTP... I have no strong opinion on the bits and bytes that are supposed to make OTP vs C/R vs MACing vs whatever-you-want a stronger or weaker solution: I think that as long as one ignores the business requirements for which a solution is chosen, one cannot launch a fatwa against x, y or z methods or systems...

The market for EMV and CAP / OTP authentication applications is changing fast. Eurosmart* restated last week that there were around 600 million smart banking cards in Europe, a large majority of which are already EMV compliant. XIRING said that there are today around 15 million EMV card readers, whereas there were 10 million last year. Will Gartner confirm its 2008-2012 CAGR forecast and plan on 1.3bn EMV cards by 2013?

The number and nature of countries which are preparing to adopt EMV as their next generation banking card standard, including Russia, India and China, give us a feeling that EMV 'cards' (whatever their form factors) are still in the infancy stage of their market development cycle.

What will it take -- at both client and server levels -- to manage large scale, multichannel user populations? Populations who want to work, live, play... and pay online with the same levels of confidence they have offline?

* Download World Card Summit's Eurosmart Jacques Seneca PPT at www.eurosmart.com

A Finextra member, 09 November 2008, 09:00

Thank you for your Cartes-exposium-inspired feedback. Before I add another comment, I should disclose the fact that I have nothing to gain from choosing OTPs versus card and card/reader. I speak as an informed consumer.

OTPs are just as versatile to handle any type of transaction such as credit transfers and direct debits. In fact, a number of banks are using OTPs not only for log-in access but also for transaction authentication of credit transfers, direct debits, standing orders, etc. So, I don't know what makes you say "Something that handheld tokens don't and won't do because they were not designed for this."

AMEX gave away card readers to their cardholders years ago and obviously scrapped that idea. France Telecom also did the same 'pilot' years ago with bad results. As a consumer, it would never cross my mind to pay for a card reader. Perhaps, fraudsters have other things in mind with these card readers.

Also as a consumer, I will always feel that OTP devices or OTP generators are more secure than a card reader/card combo. Time-based OTPs are also preferable to event-based OTPs. I also include OTP generators since one can get an OTP not only through a physical device but can also receive it via mobile.

If I ever lose my OTP 'key', I can receive OTPs in my mobile while I wait for a replacement. If I lose my OTP device, I would not worry too much since whoever has it must also know my accounts and userid/passwords. I truly don't see myself going around or travelling with a card reader.

I must always have my house keys or my mobile. An OTP device that I can keep with my keys, or OTPs sent to my mobile, is ideal.

Overall, I do think that this competition from card readers is good for the market. This will motivate OTP providers to unleash the potential of OTPs.

A Finextra member, 14 January 2009, 16:56

The Co-Operative Bank is now making card readers mandatory. From April, customers will be required to use the device to generate a one-time password to be entered to authorise web-based transactions.

http://www.finextra.co.uk/fullstory.asp?id=19453
