Nick Collin - Collin Consulting Ltd - London 25 January, 2011, 10:31 0 likes

I'm convinced Remote Chip Authentication (RCA) is the best method.  You insert your standard bank card in a simple reader, enter your PIN, and a one-time-password is generated which you can use to identify yourself over the internet or phone.  This is known as CAP by MasterCard and DPA by Visa and is now widely used by banks across Europe.  It's very secure, cost effective, familiar and intuitive, physically separate from your PC or phone, and can be easily extended to challenge-response or digital signature modes if necessary.  The latest developments use Display Cards where the reader is in effect built into the card itself.

A Finextra member 25 January, 2011, 11:10 0 likes

Nick, 

that is interesting product. Last month or so I have been playing with verified mobile authentication system. Service itself is cool and easy to use. But easy to use is one key issues. For mobile authentication service goes like this, you select mobile authentication and write your mobile number to browser (computer) and push accept button. Service sends you back authentication message to you mobile phone where you just write your 4 to 8 number/letter long PIN code. Your information is verified from your SIM card and send to operator who let's you in to service. What makes interesting for this service, operators can bring a lot of other information for merchant, like your home address or credit information from third party. 

With this solution companies can automate customer processes and same time make credit checks without any other query. 

Nick Collin - Collin Consulting Ltd - London 25 January, 2011, 13:31 0 likes

Hi Antti

Your mobile solution sounds quite similar to Remote Chip Authentication (RCA) in principle.  However, I would be nervous about any solution where you need to enter a PIN into an inherently insecure device such as a PC or a mobile phone.  Maybe I'm paranoid, but the statistics on spyware infection of PCs are horrifying and I suspect the same will be true of mobile phones soon, if it's not already.  At least with RCA the PIN verification is carried out entirely offline within a highly secure EMV chip.

A Finextra member 25 January, 2011, 13:44 0 likes

Nic,

same principal- different device. Mobile phone is always with you, card reader isn't. But as mobile phone is always with you, there is a risk for catching not so nice extra softwares. Even data experts say, it is secured and  includes crypt technology for SIM card, some day it will be hacked, like any other system. But it is versatile and allows you to use same system not only to your online banking, but sign your taxes, order products, identify with KYC-standards to new online services or even sign verified documents online.

Stephen Wilson - Lockstep Consulting - Sydney 26 January, 2011, 00:51 0 likes

My vision is that in the medium-to-long term, smartcards will prevail for most online authentication and transaction authorisation from PCs.  Smart phones of course will take on a big proportion of transactions, but here I'm just focussing on the home & office browser case.

The plastic card has been habituated across so many walks of life for decades now.  We seamlessly use and manage a couple of dozen card-based guises: with banks, card companies, our employer, healthcare providers, insurance companies, government agencies, airlines, loyalty programs, and associations.  It's instinctive. The plastic card experience is a true standard. Diverse relationships and "identities" are all managed with a universal human-machine interface: insert an appropriate card, enter a password (usually) and stuff happens.  We should access all Internet services in this deeply familiar way.

Now built-in smartcard readers are returning to the standard notebook computer.  Thanks largely to the US push for PIV smartcards, Dell even has a notebook with both contact and contactless readers!

I do take Nick's point about PIN entry into ordinary PCs.  This can be solved in many ways.  Eventually we will see hardened keyboard security on PCs.  But in the meantime, transaction signing between chip and host PC can be made resistant to MITB attack and screen scraping by dynamically diversifying the internal transaction formats.

I don't see how the CAP method can scale out to other settings like healthcare and government.  Technically, we need to be able to digitally sign rich content, rather than just sums of money displayed on a tiny screen as is the case with CAP (or display cards).

Yes, there are currently interoperability snags with card readers, but these are being fixed.  It's just evolution.  I remember the days when CD-ROM burners were thousand dollar machines kept in the IT department and you had to make a booking to get your data archived to read-only disc.  Ten years on, read/write CD-ROM burners came to feature in the cheapest home computer.  The same trend is well underway with smartcards.  It's inevitable with a billion EMV cards in circulation, at least 200M health smartcards, and billions more ID smart cards to come in Asia. 

A Finextra member 26 January, 2011, 09:35 0 likes

Nearly 20 years I have logged in to my online bank with userID given my bank and using first printed list of one time challenged passwords. Every time I run out of list, bank send me new one. For banks point of view, this identification method serves same purpose as modern key card readers, but are a lot cheaper than modern card reader systems. There is no installation for office PC systems or acquiring card readers.

Also for end users these password lists allows them to use online banking not only home, but from offices and public places. A list is always on your wallet. 

Last month I have been playing with mobile id system provided by mobile operators. This system is neat and takes one step forward than those old online bank password card systems. 

Stephen Wilson - Lockstep Consulting - Sydney 26 January, 2011, 10:00 0 likes

I didn't think paper based OTPs were still in use, after Nordea bank was attacked back in 2005: https://www.finextra.com/news/fullstory.aspx?newsitemid=14384.

Since that time, there have been successful attacks on electronic event based OTPs (Citi Bank, 2006) and time based OTPs too (ABN Amro 2007).  This is why the only sensible CAP mode is transaction signing, and why all security experts agree that asymmetric cryptography -- in one form or another -- is essential going forward.

Nick Collin - Collin Consulting Ltd - London 26 January, 2011, 10:10 0 likes

As usual I agree with everything you say Stephen!  As a form factor, the plastic card is hard to beat and has many years left to run.

Incidentally, CAP is used by the UK MOD for secure remote login, although I take your point about the need for other solutions to digitally sign rich content.

A Finextra member 26 January, 2011, 10:15 0 likes

What I could remember after those attacks, Nordea made some changes and now in time to time when validating online payment customer needs to verify not only one layer of challenged password but two. Second layer is SMS reply message from bank/ or call from bank. 

But that is why country has been so crazy about mobile phones. 

Keith Appleyard - available for hire - Bromley 27 January, 2011, 17:44 0 likes

I confess I'm not enamoured of the mobile phone being the silver bullet.

Unless I've got my BlackBerry clipped to my belt, I don't always have it on my person, and I have gone out for the day without it.

With the card-reader from my Bank (RBS), once when I had misplaced it I had to order a new one, and it took 2 weeks to arrive. In fact I even ordered a second replacement because I thought the 1st one had been lost in transit, and they arrived on the same day - so now I've got 3!

If I lost my designated Chip Card, then I'd be dead in the water again until that was replaced. But I need 24/7 access to Online Banking Services - or at least I can't imagine surviving longer than a 3-day outage - not if it I lost my Card at the end of month when I have to pay my Payroll! - I need the Card for 2 separate transactions for every new Starter or existing Employee who changes their Bank Account.

Yet the mobile phone isn't the answer at POS either; there are places in my local shopping mall, the recesses of stores just where the tills are, where my phones can't get a signal. If the POS experience entailed getting a one-time-code via the phone and putting it into the PINpad, then the stores need to reconfigure their layouts to ensure they have coverage.

Even if you've taken your phone with you, what happens if it doesn't work? Not just if you've not got coverage, nor running out of battery, but what if its been stored outside the normal operating temperatures? iPhone recommend 0-35C, and its been noted that they don't work at -14C (typical temperature in Norway) or +45C (typical temperature in Arizona) - you might have stored at either if you left it in the car whilst you went to the gym? Apparently the iPhone doesn't work over 3,000m / 10,000ft either?

Finally, if you're travelling and overspend your pre-approved limit, then as I found out with Virgin, without any warning, they suspended my BlackBerry mid-way through a holiday in Turkey. If I'd been unable to get the service re-instated (kept hanging on someone else's phone for 30 minutes), then in the brave new world I wouldn't have been able to check out of my hotel, and/or check in at the Airport.

We need solutions, but I don't think any of the one's proposed thus far are foolproof.

Gareth Jones - Ubiquiem - London 29 January, 2011, 20:40 0 likes

One slight downside of the proliferation of RCA CAP type readers (you can get them here on ebay for 2 quid/3 euros) is they have made atm crime a little more easy!  Here's how - 

In the good old days, if you wanted to exploit a stolen atm card, you either had to mug someone and beat the PIN out of them, and trust they were sufficiently scared to give you the correct number - or more usually you had to shuffle up to the atm with your victim and get him to enter his PIN and card at gun, fist or knife-point - not so subtle - especially with camera-enabled atms.

Now, while the readers do not work cross-bank to hand out transaction keys, they do work to validate a PIN to a card - irrespective of bank.

So all the purp has to do is force the victim to enter his PIN into a reader - any reader will do, he/she only needs one - and it will instantly show whether the PIN is correct. This can all be done from the comfort of his/her darkened alley.

Simples!

Keith Appleyard - available for hire - Bromley 30 January, 2011, 20:28 0 likes

And once you've got the PIN verified, you don't need the Cardholder - unfortunately that means you can also dispose of them if you are so inclined.