
Online Banking, Hacker's Mind and Mutual Authentication

Lately I have read a lot of interesting blogs and comments about identity theft. This is obviously a hot topic: Hackers have never been so active, and banks have had a hard time keeping up.

Prologue: Authentication Basics

What is the basic principle of authentication? What are we trying to achieve?
Let's take the example of a user who wants to check his bank account online. The goal here is to make sure that the user is really the user, and that the bank is really the bank.

Explained like this, it sounds quite simple.

Chapter I: One Way Authentication

Hackers, these computer wizards, have quickly found ways to get your credentials in order to impersonate you.

The industry's answer was relatively quick, and it continues to evolve in the same direction.

For a long time it has been a race between the financial industry, security companies and Hackers.

At the beginning of the race, we created logins and passwords. Quite rapidly, Hackers found ways to get those static passwords. Then security companies created many tools to strengthen authentication, and they have done a good job! All these technologies are brilliant: USB tokens, smart cards, biometrics, bingo cards...

But Hackers have stopped trying to attack the front door...

Chapter II: Hackers Evolution

It is very important to understand how a hacker thinks in order to be able to 'stop' him. A hacker will always go for the low-hanging fruit.

One-way authentication has focused on strengthening the security at your door, while Hackers have found a way in through the windows.

A general principle in security is:

          "A system is as secure as its weakest entry point."


Instead of trying to fight the security tools created to strengthen the authentication of the users, Hackers have changed their strategy and started attacking the overall Authentication Scheme/Process.

They have created the new generation of hacking attacks: man-in-the-middle (MITM), man-in-the-browser (MITB)...

They let the user strongly authenticate himself to them (pretending they are the bank), while they re-use those precious "strong credentials" with the real bank’s website (in turn pretending they are the legitimate user).

Chapter III: What is the Solution?

It is now time to secure all access points. We can't go any further and ask users to enter their credentials, remember a picture, enter a One Time Password, put their thumb on a reader and ask their grandmother to speak into the microphone in order to authenticate themselves or to make transactions.
Even after all these painful procedures, there is still no guarantee that a hacker cannot get access to their financial accounts!

How can you be sure that someone is really who he pretends to be? Let's take a simple example.

Asking a user to do a One Way Authentication is like asking him to enter a room full of people to meet someone he does not know. We ask him to go to the "most probable person", to show his ID and some additional information, and to hope that the person in front of him is really the right one.

Did you ever go to a business meeting where the people you are meeting do not introduce themselves? That would certainly be a strange situation.

The real answer to the problem is

          STRONG MUTUAL AUTHENTICATION

Everyone has to be authenticated! The users, the banks, the online merchants... Anyone who wants to engage in a mutual connection or transaction.

By ensuring such strongly authenticated connections on all sides, and by applying the same principles during transaction validation, banks would actually be able to PREVENT fraud instead of simply DETECTING it and trying to deal with the problems afterwards...
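The following is an added example, not code from the original post or from any product the author describes. It sketches the two ideas of Chapters II and III in working code: a mutual challenge-response in which the bank must prove, for this very session, that it holds the user's secret before the user's client sends its own proof (so a look-alike site without the secret never receives a reusable "strong credential"), and transaction validation in which the user's approval is a MAC over the transaction details themselves, so a session manipulated after login cannot execute a transaction the user did not see. Every name here (Bank, Client, LookAlikeSite, approve_transaction, the "bank.example" identity, the sample beneficiaries and amounts) is an assumption constructed for the example, not part of any standard or of the author's scheme.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so two different sequences of
    parts can never feed the same bytes into the MAC."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        m.update(len(part).to_bytes(4, "big"))
        m.update(part)
    return m.digest()


class Bank:
    """The bank side (hypothetical). user_secrets maps user id -> shared secret."""

    def __init__(self, bank_id: bytes, user_secrets: dict):
        self.bank_id = bank_id
        self.user_secrets = user_secrets
        self.sessions = {}  # user id -> (client_nonce, server_nonce) after a verified login

    def server_proof(self, user_id: bytes, client_nonce: bytes):
        """Step 1: the bank proves it holds the user's secret before the user proves anything."""
        server_nonce = secrets.token_bytes(16)
        proof = _mac(self.user_secrets[user_id], b"server", self.bank_id, client_nonce, server_nonce)
        return server_nonce, proof

    def verify_client(self, user_id, client_nonce, server_nonce, client_proof) -> bool:
        """Step 2: the user's proof must cover the same nonces and the same bank identity."""
        expected = _mac(self.user_secrets[user_id], b"client", self.bank_id, client_nonce, server_nonce)
        ok = hmac.compare_digest(expected, client_proof)
        if ok:
            self.sessions[user_id] = (client_nonce, server_nonce)
        return ok

    def execute(self, user_id, beneficiary: bytes, amount_cents: int, approval: bytes) -> bool:
        """Execute only a transaction whose exact details the user approved in this session."""
        if user_id not in self.sessions:
            return False
        client_nonce, server_nonce = self.sessions[user_id]
        expected = _mac(self.user_secrets[user_id], b"txn", self.bank_id, client_nonce, server_nonce,
                        beneficiary, str(amount_cents).encode())
        return hmac.compare_digest(expected, approval)


class Client:
    """The user's side (hypothetical), e.g. a token that knows which bank it was issued for."""

    def __init__(self, user_id: bytes, secret: bytes, expected_bank_id: bytes):
        self.user_id = user_id
        self.secret = secret
        self.expected_bank_id = expected_bank_id
        self.session = None

    def login(self, server) -> bool:
        client_nonce = secrets.token_bytes(16)
        server_nonce, proof = server.server_proof(self.user_id, client_nonce)
        expected = _mac(self.secret, b"server", self.expected_bank_id, client_nonce, server_nonce)
        if not hmac.compare_digest(expected, proof):
            return False  # the other side could not prove it is our bank: send nothing
        client_proof = _mac(self.secret, b"client", self.expected_bank_id, client_nonce, server_nonce)
        if not server.verify_client(self.user_id, client_nonce, server_nonce, client_proof):
            return False
        self.session = (client_nonce, server_nonce)
        return True

    def approve_transaction(self, beneficiary: bytes, amount_cents: int) -> bytes:
        """What you see is what you sign: the approval covers exactly these details."""
        client_nonce, server_nonce = self.session
        return _mac(self.secret, b"txn", self.expected_bank_id, client_nonce, server_nonce,
                    beneficiary, str(amount_cents).encode())


class LookAlikeSite:
    """A site imitating the bank without any user secret (constructed for the demo)."""

    def __init__(self):
        self.received = []  # client proofs it managed to collect

    def server_proof(self, user_id, client_nonce):
        return secrets.token_bytes(16), secrets.token_bytes(32)  # it can only guess

    def verify_client(self, user_id, client_nonce, server_nonce, client_proof):
        self.received.append(client_proof)
        return True


def demo():
    secret = secrets.token_bytes(32)  # constructed shared secret, e.g. provisioned into a token
    bank = Bank(b"bank.example", {b"alice": secret})
    alice = Client(b"alice", secret, b"bank.example")

    # Scenario 1: a look-alike site. The client aborts before revealing any proof.
    fake = LookAlikeSite()
    fake_login = alice.login(fake)

    # Scenario 2: the real bank, then a transaction whose beneficiary is altered
    # after the user approved it (the man-in-the-browser case from Chapter II).
    real_login = alice.login(bank)
    approval = alice.approve_transaction(b"IBAN-OF-LANDLORD", 80000)
    tampered = bank.execute(b"alice", b"IBAN-ALTERED-IN-BROWSER", 80000, approval)
    honest = bank.execute(b"alice", b"IBAN-OF-LANDLORD", 80000, approval)
    return fake_login, len(fake.received), real_login, tampered, honest


if __name__ == "__main__":
    print(demo())  # (False, 0, True, False, True)
```

Two design points worth noting. The client compares the server's proof against the bank identity it was issued for, not against whatever name the remote side claims, which is why the look-alike site gets nothing. A pure relay that forwards the real bank's messages verbatim would still pass the login step of this toy scheme; in practice the proofs also need binding to the channel (for example the TLS session), and it is the transaction approval, bound to beneficiary and amount, that turns detection after the fact into prevention: the altered transfer is refused outright.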

Chapter IV: Who benefits from strong mutual authentication?

EVERYONE.

The users obviously benefit from it.
They will no longer be scared (https://www.finextra.com/fullstory.asp?id=19933).
They will eventually regain confidence in the financial industry, leave more money in their bank accounts and make more transactions.

The good news about this kind of authentication scheme (STRONG MUTUAL AUTHENTICATION) is that it is fully compatible with all the work done so far by the security companies doing One Way Authentication. It actually bolsters any of these one-way authentication methods.

Banks would also benefit from it: no more fraud, less chargeback processing, and more potential business from accepting more legitimate transactions...

Everybody would benefit except the fraudsters...


Comments: (1)

A Finextra member, 25 April, 2009, 02:28

You are definitely preaching to the converted here.

At this point we would be tempted to say any authentication is better than none, however it is apparent that pretty well everything (except my thing) fails.

Whilst STRONG is a word, an adjective I believe, it is something else in the execution.

There are difficulties with dreams of strength.

I would really like to illuminate everyone but there seems to be a buck to be made here.

Imagine if you had the perfect solution. What would it be?

What if it worked for pretty well everything we do and more importantly empowered a lot of things we would like to be able to do? Really cool and real time and worry saving things?

What if it just made internet banking completely irrelevant?

Imagine: no need to log on to your bank site, ever?

No virus software required, no hassle, no bills in the mail for ID thieves, no internet bank account period. No internet logons.

GREEN - paperless, with all that information available at your fingertips? 

Plastic-less. NO CARD. No wallet.

Convenience like we have only dreamed of - in a totally natural way. Forget about learning new software, forget about all that bullshit security.

Just jump to the 21st century, or even the 25th century - it will be done the same way in 10,000 years, there's no going back and there's nowhere further to take other than mind-reading.

Would you waste it on the first bank that came along trying to lead that old horse to water and then force it to drink?

Or would you think big?

Cedric Pariente, Stanford Certified Project Manager, EFFI Consultants, Paris

This post is from a series of posts in the group:

Transaction Fraud Systems and Analysis

A community for discussion of Transaction Fraud systems and analytical techniques for bank card and financial services organisations.

