Chris Skinner looks at the issues of identity and proposes that two-level authentication is not enough.
I recently hosted an event where the chief executive of one of our finest banking groups described the City of London as the ‘Wimbledon of financial services’. He went on to say that "we provide the playing field and the world comes to play". My immediate reaction was that the City is more like the Las Vegas of financial services, where we provide the infrastructure and the world comes to gamble. And it was during a May visit to Las Vegas that I can testify that the art of gambling has never been finer.
The reason for being in Las Vegas was to attend one of America’s premier payments events, where the elite of payments come together to review the latest trends in payments processing... sorry, scrub that. The elite of America’s payments came together to review the latest trends in cheque processing. It amazes me how cheque-focused the USA can be, or is that check-focused? But then over a third of all American payments are still made by cheque, a figure only matched in Europe by France. Meantime, the rest of the world finds cheques are about as common as friendly traffic wardens.
During this conference, there was a real highlight during a presentation from the Federal Reserve Bank of Chicago and Bank of America. This was a presentation entitled “Information Security in a Web-based Payments World”, and reviewed the latest state of online systems security. Bearing in mind that Bank of America was one of the first online banks to introduce two-level authentication of any substance, and that they run the world’s largest online bank with over 13 million online users, this had all the makings of an interesting session... and it was.
For example, Bill Barouski of the Federal Reserve discussed the state of payments security and described online payments as being a bit like plane crashes. If one plane in ten million flights crashes, you do not fear flying too much. If the plane crashes every other flight, then most folks jump in the car or catch the train. That is a critical point. The fear of payment crashes online is huge and has already seen large numbers of consumers frightened away from online payments. For example, according to a press release from Visa this year, 24% of consumers are shopping less online because of these fears. In another recent article in Information Week, over 50 million people are believed to have had data about themselves exposed to criminal factions during 2005, at a cost of $47 billion. That figure is purely the cost of data lost to organised crime. $47 billion. No wonder we are a bit fearful.
Doug Smith of Bank of America then stood up and put the HBGB (Hee-Bee-Gee-Bee) stakes even higher when he went through the facts and figures for Bank of America.
Apparently, every hour of every business day, Bank of America is exposed to:
- 150,000 paper pages of data being disposed of incorrectly;
- 16,000 ‘sniffer’ intrusions on their Website;
- 175 denial of service attacks; and
- 3 brand new phishing Websites launched targeted at Bank of America.
Every hour of every day.
No wonder there is so much concern about online fraud.
All that being said, there are some things banks are doing about it. As mentioned, first and foremost is the introduction of two-level authentication.
The most common forms of two-level authentication in payments are based upon something you have – a card or computer – and something you know – a PIN or password.
Some banks have taken this further. For example, Bank of America’s SiteKey is partially based upon a user’s IP address being used as a unique identifier to allow access to their online bank services. ABN Amro, e*Trade and Lloyds TSB are using unique identifiers with randomly generated numbers on keyfobs. The idea is that to gain access online you enter your username and password and then receive a unique access code that is valid for only ten seconds. In other words, you must have the keyfob and a smart card and PIN to access the site.
All of these layers of security serve to reassure customers managing their finances online. But is it enough? Maybe not.
That is why national regulators are making it law to implement two-level authentication, with the USA leading the way, and why one of the big buzzes of this year has been the FFIEC (Federal Financial Institutions Examinations Council) introduction of mandatory rules for two-level authentication to be in place by the end of the year. The regulation actually does not mean that all American banks must have systems in place, just processes and procedures.
Australia has similar rules in place covered by law, although their implementation sparked a huge debate because three of the four big banks wanted to implement biometrics as the second authentication.
This brings us around to the question of what is the right authentication technique. For many, it is between using something you have (a card) and something you know (a PIN) versus something you have and something you are, as in biometrics.
The trouble with biometrics is that everyone always talks about fingerprints. This immediately leads to concerns around fingers being cut off, customers being held at knife point or worse. Although what could be worse than having your finger cut off is pretty horrendous to imagine. For those who would like to know more, just watch the films Minority Report and Saw but, just to be clear, these are not suitable for those of a nervous disposition.
Biometrics does not have to be so dangerous, as the technology also covers voiceprints and signatures for example. A biometric voiceprint can be stored as a digitised identification during account opening and is highly accurate, even when the customer has a cold. Biometric signatures are also non-intrusive, and register the weight of the pen during the signature entry. With digital pen and paper taking off, it is highly likely that biometric signatures will become a more common identification factor.
This way you can have something you have (a card), something you know (a PIN) and something you are (biometric signatures or similar), as a very secure method of identification. Even then, a bank can add other forms of identification verification. For example, behaviour (what you have been doing) and location (where you are).
Many banks already do this. My bank placed a security watch on my credit card because I used my card for a single transaction in Las Vegas – a cash withdrawal (after heavy losses on the tables of course) – before turning up again in London. This was obviously one suspicious transaction, and caused my account to be placed upon a security watch because it did not fit the pattern of what I normally do.
The ‘where you are’ is related to this, and card companies easily track where you are when making payments at a merchant’s terminal in a physical location. All well and good, but this is harder on the Internet because the World Wide Web is exactly that: worldwide. As the saying goes: "The beauty of the Internet is that no-one knows you are a dog." In fact, the problem is compounded because no-one knows where the dog was. I could be accessing the Internet over my wireless PC in Vegas as easily as in London. My IP address stays the same and so authentication is harder.
This is changing though.
There are some clever technologies that graphically show where the Internet user resides at that moment in time. For example, I saw a technology recently which integrates online bank security with Google Earth. As a result, any bank security officer can bring up a world map at any time of the day, and point to a user to see where they are, who they are and what they are doing.
If they are called ‘Joe Brown’, performing online bill payments, have passed all the normal identification checks, do not appear to be doing any unusual activities based upon past behaviours and are in New York, then that passes under the radar. If all other factors are acceptable, except that they happen to be in a town where Joe Brown would not normally be using online banking, then the alarm appears and additional security can be used to check it really is Joe.
The result is five-factor authentication for online and offline banking services. The five factors being:
- something you have, such as a card, a key or a radio frequency chip;
- something you know, such as a PIN, a password or an answer to a unique question;
- something you are, such as your unique way of signing or your voiceprint;
- your behaviours, based upon your usual transactions and whether this transaction fits that profile; and
- your location, and whether this is a place you would normally transact.
Banks’ security systems will continually improve in these five areas until the integration of these five factors catches more and more crime.
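To make the five-factor model concrete, here is an added example (not code from the article or from any bank it mentions) of how a bank might combine the factors into one decision. It treats the two traditional factors, something you have and something you know, as hard gates, and lets the biometric, behaviour and location factors raise a risk score that triggers the extra check described above rather than a flat refusal. The customer profiles, session events and thresholds are all constructed assumptions for illustration; the Joe Brown and Las Vegas scenarios mirror the ones in the text.

```python
"""Five-factor risk scoring for an online banking session (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CustomerProfile:
    """What the bank already knows: the customer's normal pattern of use."""
    name: str
    usual_locations: frozenset   # places where this customer normally transacts
    usual_activities: frozenset  # e.g. {"bill_payment", "balance_enquiry"}
    typical_max_amount: float    # largest single amount seen in recent history


@dataclass
class SessionEvent:
    """Evidence gathered for one login plus transaction."""
    possession_ok: bool           # something you have: key fob code verified
    knowledge_ok: bool            # something you know: password / PIN verified
    biometric_ok: Optional[bool]  # something you are: None when none was captured
    activity: str                 # what the customer is doing
    amount: float
    location: str                 # where the session appears to originate


def assess(profile: CustomerProfile, event: SessionEvent) -> dict:
    """Combine the five factors into a decision plus the reasons behind it.

    Possession and knowledge are hard gates: failing either denies outright.
    Biometric mismatch, unusual behaviour and unusual location add to a risk
    score; any non-zero score asks for step-up verification (the "is it really
    Joe?" check) instead of silently allowing or denying.
    """
    reasons = []
    if not event.possession_ok:
        reasons.append("token check failed")
    if not event.knowledge_ok:
        reasons.append("password/PIN check failed")
    if reasons:
        return {"decision": "deny", "risk": None, "reasons": reasons}

    risk = 0
    # Something you are: only an explicit mismatch counts against the session;
    # an uncaptured biometric is simply absent evidence, not a red flag.
    if event.biometric_ok is False:
        risk += 2
        reasons.append("biometric mismatch")
    # Behaviour: does this transaction fit the customer's usual profile?
    if event.activity not in profile.usual_activities:
        risk += 1
        reasons.append(f"unusual activity: {event.activity}")
    if event.amount > profile.typical_max_amount:
        risk += 1
        reasons.append(f"amount {event.amount:.2f} exceeds typical maximum")
    # Location: is this a place the customer would normally transact from?
    if event.location not in profile.usual_locations:
        risk += 1
        reasons.append(f"unusual location: {event.location}")

    decision = "allow" if risk == 0 else "step_up"
    return {"decision": decision, "risk": risk, "reasons": reasons}


# Constructed profiles and scenarios (hypothetical data, not real customers).
JOE = CustomerProfile(
    name="Joe Brown",
    usual_locations=frozenset({"New York"}),
    usual_activities=frozenset({"bill_payment", "balance_enquiry"}),
    typical_max_amount=2000.0,
)
CARDHOLDER = CustomerProfile(
    name="London cardholder",
    usual_locations=frozenset({"London"}),
    usual_activities=frozenset({"card_purchase"}),
    typical_max_amount=500.0,
)


def joe_paying_bills_from_new_york() -> dict:
    """All factors fit the profile: passes under the radar."""
    return assess(JOE, SessionEvent(True, True, None, "bill_payment", 350.0, "New York"))


def joe_paying_bills_from_elsewhere() -> dict:
    """Same session, but from a town where Joe would not normally bank online."""
    return assess(JOE, SessionEvent(True, True, None, "bill_payment", 350.0, "Bismarck"))


def cash_withdrawal_in_las_vegas() -> dict:
    """Unusual activity in an unusual place: the card goes on security watch."""
    return assess(CARDHOLDER, SessionEvent(True, True, None, "cash_withdrawal", 300.0, "Las Vegas"))


if __name__ == "__main__":
    for scenario in (joe_paying_bills_from_new_york, joe_paying_bills_from_elsewhere,
                     cash_withdrawal_in_las_vegas):
        print(scenario.__name__, "->", scenario())
```

The scoring weights here are deliberately simple; a production system would tune them from historical fraud data and would also record every step-up and deny decision so that analysts can review false positives.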
In conclusion, the truth is that no-one does know whether you are a dog on the Internet. But the more criminals use ‘sniffers’ to try and commit fraudulent activities, the more banks will send out their own rottweilers to bite the nose of those sniffing. Banks will never eradicate crime or criminals, but minimising the $47 billion of losses to organised crime has to be an aspiration worth targeting.
Chris Skinner is a director of TowerGroup and founder of Balatro.
Web links: www.towergroup.com