
Secure transactions - It takes two

It’s hard to ignore: card fraud in the UK is a significant burden, still running at over £440 million according to the latest figures from the UK Payments Association. Not surprisingly, the nature of this threat has evolved dramatically in recent years. It has moved away from face-to-face fraud, largely eliminated through the introduction of EMV and Chip & PIN, and into online channels, in the form of Card Not Present attacks against both e-commerce sites and online banking.

The UK Cards Association paints a rather bleak picture, with losses from online banking fraud increasing to £59.7 million in 2009, an 18 per cent rise on 2008 and more than double the £22.6 million of losses in 2007. With the economic slowdown of the last 18 months coupled with more uncertainty on the horizon, the safety of our money and the security of our identity are extremely precious, and the public needs a solution it can trust, one that tackles the security of transactions across multiple channels.

Why introduce a second channel?

When online, the channel you are using (the electronic line of communication over the computer) is subject to malware scams and phishing attacks, an increasing threat as criminals employ more sophisticated methods to target this growing market. With this in mind, it is evident that the genuine user must personally authorise transactions and adequately authenticate themselves to prevent these threats from materialising.

The solution arguably lies in a multi-faceted security model in which a secondary channel re-authenticates the user, thus preventing impersonation by an imposter hijacking an electronic line of communication. The most obvious second-channel device for me is the mobile phone.

Why use a mobile device as the second channel?

The mobile phone is not only ubiquitous but, perhaps more importantly, almost always on our person, and it has become a device that many cannot live without. The mobile also already contains strong security systems, including the addition of anti-malware and the screening of traffic by the mobile service providers to ensure reliability of the channel.

It is more than likely that fraudulent attacks will only grow as we increasingly go online for our e-commerce and banking needs. With the uncertainty in the economy set to continue, in 2010 we will arguably demand a more secure method of authenticating and authorising our transactions. The two-channel method offers a solution to this end, and the mobile phone is the most natural and obvious device to serve as the second channel.


Comments: (1)

Stephen Wilson - Lockstep Group - Sydney 16 March, 2010, 12:47

Using a second, redundant channel to harden authentication does have a superficial attraction. Security geeks like redundancy, so that's good. And yes, the mobile phone is almost ubiquitous (although in itself that doesn't make it inherently convenient if you needed to use your phone to confirm first-channel transactions like ATM withdrawals and POS payments all the time).

But a more important security principle is K.I.S.S!  I say let's make the first channel properly secure before we start to augment it with additional cumbersome, time-charged, and performance-limited channels like mobile telephony. 

Yes the primary (Internet) channel needs help.  I say let's add digital signatures from trusted chip devices like EMV cards, rather than add a whole extra channel.  If we simply signed our remote transactions using a chip at the browser then we could eliminate replay attack of stolen account numbers today.

 

Nick Ogden

Founder and Director

RTGS.global
