
Electronic Banking and the Case for Strong Two-Factor Authentication

by Mr. Julian Curmi B.Sc. ACIB CISA CISSP ISC2 ISACA

Introduction

In today’s corporate environment, the need exists to ensure that only authorised individuals or customers gain access to critical devices or to the services offered. With the availability of ‘ready to use’ ‘sniffers’ and access code (password/PIN) cracking tools, the standard username/password or PIN combination may no longer be adequate to withstand the test of secure authentication. Other means of discovering passwords or PINs are aided by bad habits. Many customers and users in general use easy-to-guess combinations, make infrequent changes, and often write their password or PIN down and leave it in conspicuous places, eg stuck to the computer monitor. Some customers not only never change their password or PIN, but also assign the same value to all of their online access codes and even to their ATM cards.

Many organisations depend on sophisticated and complex networks, on remote access afforded to users to fulfil their tasks, and on the Internet, which has become one of the most important channels through which to do business. It is becoming an accepted fact that, from a security point of view, a single-factor authentication method may not be adequate to serve the growing high-risk ebusiness market place.

Authentication, however, cannot exist in a vacuum; it must be part of a security framework. The four security control objectives that make up an adequate security framework are:

  • Identification and Authentication – to prove identity and allow access to assets;
  • Integrity – ensure that data was changed only by an authorised person and that no unauthorised changes have been made;
  • Confidentiality – restricting data access to the people authorised to see it;
  • Non-repudiation – one may not deny his/her actions.

The scope of this paper is to give an insight into strong user authentication in relation to electronic B2B (business to business) and B2C (business to customer).

What is Strong User Authentication?

Reliable customer authentication is imperative for financial institutions engaging in any form of electronic banking or commerce. An effective authentication system can help financial institutions reduce fraud and strengthen the security framework that underlies the application. Strong customer authentication practices also are necessary to enforce anti-money laundering measures and help financial institutions detect and reduce identity thefts. Customer interaction with financial institutions is migrating from physical recognition and paper-based documentation to remote electronic access and transaction initiation. The risks of doing business with unauthorised or incorrectly identified individuals in an electronic banking environment could result in financial loss and reputation damage through fraud, disclosure of confidential information, corruption of data and agreements that the organisation may not be able to enforce.

Two-Factor Authentication & Non-repudiation

Accountability (non-repudiation) is a key concern for organisations. It is important – and in many cases critical – to ensure that employees and customers are accountable for the electronic transactions they perform. Token and smart cards for example, help ensure this accountability because each employee or customer is expected to be in physical possession of his/her own token/smart card, and each should be the only person to know the PIN for accessing the services on that device. This is to a great extent a policy issue, but such devices help enforce that policy. Because the device is unique to the employee or customer, any transactions – such as system logon, transactions made on the system – performed with that device are reasonably certain to have been performed by the person to whom that device was issued. Such devices make it very hard if not impossible for employees or customers to successfully repudiate the transactions they have executed.

For a user to be able to access a resource, it must be determined if this individual is who s/he claims to be, if s/he has the necessary credentials, and if s/he has been given the necessary rights/privileges to perform the actions s/he is requesting. Identification and authentication describe the method of ensuring that the user is in fact who he/she claims to be. Once these steps are completed successfully, the user can access and use the system resources. However, it is still necessary to track the user’s activities and enforce accountability for his/her actions – detective controls through an audit trail.

Choosing the appropriate identification and authentication tools depends on the channels through which an organisation wishes to provide its services, the flexibility that it wishes to provide its users and customers alike, and the perceived risks.

Specifically, there are three user authentication factors:

  • Something you have – this can include a key to a door or a token card;
  • Something you know – passwords or PINs may be classed in this category;
  • Something you are – this area includes biometric authentication such as fingerprints, voice recognition, retina or iris scans.

Individually, each of the three concepts has problems. ‘Something you have’ may be stolen. ‘Something you know’ can be guessed, shared or lost. ‘Something you are’ is the strongest, but generally the most costly, and may not always be appropriate for integration with some user applications.

Since these single-factor authentication problems exist, the next step is two-factor authentication. For example, automated teller machines (ATMs) use a combination of a plastic card (something you have) and a four-digit PIN (something you know).

Requiring two factors significantly enhances security because one-factor authentication by itself may not be sufficient to perform authentication that can be relied on. Furthermore, two-factor authentication ensures that any transactions carried out by the user cannot be repudiated, ie denied, and that the user can be held accountable for his/her actions on the system, be it an employee of the organisation or a customer of that organisation.

Authentication methods that depend on more than one factor are typically more difficult to compromise than single-factor authentication systems. Accordingly, properly designed and implemented multi-factor authentication methods are more reliable indicators of authentication and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (ie something the user knows); whereas a transaction using an ATM typically requires two-factor authentication: something the user possesses (ie the card) combined with something the user knows (ie the PIN). In general, multi-factor authentication methods should be used on higher-risk systems, eg remote access to networks or offering a service through the Internet, eg ebanking. A number of financial institutions have been offering their ebanking services dependent only on a PIN; however, many financial institutions are upgrading their systems to include two-factor authentication when offering their services through electronic means.

An effective authentication method should have customer acceptance, ease of use, reliable performance, scalability to accommodate growth, and interoperability with existing systems and strategic plans of the organisation.

No matter what type of two-factor authentication model is used, the organisation should be sensitive to the fact that proper implementation is key to the reliability and security of the system. For example, a poorly implemented two-factor system may be less secure than a properly implemented single-factor system because of weak organisational policy, procedures or standards. This is so because the human element is the weakest link in any security application or system.

The success of a particular authentication method depends on more than the technology. It also depends on appropriate policies, procedures and controls. To this end, organisations may adopt ISO 17799 (based on BS7799 part 1) – Information Technology – Code of Practice for Information Security Management. Executive management should give their full support to ensure proper implementation and adherence to policy.

Why is Strong User Authentication Needed?

Single-factor authentication usually consists of ‘something you know’. However, this is generally susceptible to attacks that could compromise the security of the application. Some of the more common attacks (eg key-stroke monitoring, or using a program especially designed to ‘sniff’ passwords transmitted over internal and untrusted networks, ie the Internet) can occur at little or no cost to the perpetrator and without detection. Such programs are readily available over the Internet. If undetected, the perpetrator could access the information without alerting the legitimate user. This is the reason to use a strong user authentication process to protect the data and systems. Strong user authentication brings many benefits.

One example of strong user authentication is amply demonstrated by the use of automated teller machines (ATMs) – access to an ATM is protected by strong user authentication: a bank card and a PIN. How many customers would use an ATM if only a reusable password or PIN scheme allowed access to their accounts? The same security approach should be applied to electronic banking services, especially when using the Internet, since the perceived risks are by far greater.

In addition to reducing the risk of unauthorised access, two-factor authentication also provides institutions with a foundation to enforce electronic transactions and agreements. First, effective authentication provides the basis for validation of parties to the transaction and their agreement to its terms. Second, it is a necessary element to establish authenticity of the records evidencing the electronic transaction should there ever be a dispute. Third, it is a necessary element to establish the integrity of the records evidencing the electronic transaction. All of these elements promote the enforceability of electronic agreements.

Financial institutions should assess the adequacy of existing authentication techniques in the light of changing or new perceived risks (eg the increasing ability of hackers to compromise less robust single-factor techniques). According to the ICSA (International Computer Security Association), 80% of system undermining occurs from within the organisation. The Basle Committee on Banking Supervision advises financial institutions to consider the apparent risks of offering Internet banking services based on a PIN alone. Single-factor authentication alone may not be commercially reasonable or adequate for high-risk applications and transactions.

Systems linked to open and untrusted networks like the Internet are exposed to a greater number of individuals who may attempt to compromise the system. In the case of systems relying on a PIN alone, attackers may use automated programs to systematically generate millions of numerical combinations in order to learn a customer’s access code (ie a brute-force attack).

Would consumers perceive this as a secure way of doing their banking over the Internet, which is technically an insecure medium, when at the same time they are obliged to do their banking via an ATM using two-factor authentication?

Consumers rely on, and gain comfort from a strong user authentication method to protect their sensitive data and money. Also, financial institutions can hold users accountable for controlling their cards and PIN. The combination of two authentication factors is what enables users and financial institutions to hold each other accountable.

The Importance of Risk Assessment

There are a variety of authentication tools and methodologies financial institutions can use to authenticate customers. These include the use of passwords and personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards or other types of ‘tokens’, database comparisons, and biometric identifiers. Which authentication tool is chosen depends heavily on the type of service and the channel through which it is offered, together with a risk assessment that the financial institution must carry out in order to ensure that the perceived risks are adequately mitigated.

An effective authentication program should be implemented on an enterprise-wide basis and across all service channels, eg Internet, telephone and call-centre services, to ensure that controls and authentication tools are adequate. Authentication processes should be designed to maximise interoperability and should be consistent with the financial institution’s overall strategy for electronic banking and eCommerce customer services.

The implementation of appropriate authentication methodology starts with an assessment of the perceived risks to the institution’s electronic banking systems.

The perceived risks should be evaluated in the light of the:

  • channel through which the organisation shall be offering its service, eg Internet;
  • services offered (eg third-party bill payment);
  • monetary value and frequency of transactions passed through the channel;
  • sensitivity and value of the stored information to both the institution and the customer;
  • ease of using the method, eg token card, smart card or PKI (public key infrastructure);
  • respective applicable legislation that financial institutions are obliged to adhere to, eg Data Protection, Banking Act, Prevention of Money Laundering, ECommerce.

Cultural

The use of token or smart card devices in the organisation will cause some major changes – change doesn’t come easy. Employees and customers will need to get accustomed to having their cards in their possession at all times. People in general tend to be already accustomed to this fact – hardly anyone ever leaves home without first making sure that the mobile phone is on hand, together with an array of plastic money. The token card will become just another of those essentials. Most organisations have deployed electronic cards to allow authorised personnel to access their office buildings. Patrons are no longer given a key to their hotel room but an electronic key card. So really, the culture and acceptance of using token card/smart card based solutions to access electronic banking systems is generally on the upswing.

Token Card Based Two-Factor Authentication

When it comes to providing eBanking services through different channels using a flexible, portable two-factor authentication model, one of the most cost-effective solutions available is the token card.

To minimise risk and maintain customer confidence without requiring any investment in software or hardware on the customer’s part (eg a card-reader device), a financial institution could opt for a token-card based solution. Naturally, in the case of Internet banking, the customer will use software, but this is already in use on the PC, ie the standard Internet browser, Netscape or Internet Explorer (the latest versions are preferred).

Each customer is given a credit-card sized device with a numeric keypad that is used to safely ‘unlock’ his/her account information. To access accounts, users must possess both the token card (something you have) and a PIN (something you know) to unlock the token card itself – one factor without the other is useless. Before the server allows logical access to the information, the customer must key in the string of numbers (six generally) that the token card generates on a one-time basis. It will have a specific length of valid time, say 40-50 seconds, during which the customer will have ample time to key it in on either the keyboard or the telephone keypad. The token card’s in-built security mechanism is in sync with the back-end server, against which the authorisation code generated by the token card will be verified. Each token has a unique serial number that forms part of the cryptographic key used to generate dynamic network access codes that change every time the customer needs to log on to the application. This provides a high level of security because, with today’s computers, it might otherwise be possible to ‘sniff’ a static access code and try to break the algorithm that generates the next password using ‘brute force’ techniques, ie trying all the possible combinations.

To prevent eavesdroppers listening to or manipulating network traffic, the network path is now also protected by the implementation of a secure channel, eg SSL (secure socket layer); this occurs at the session (5th) layer of the OSI (open systems interconnection) model.

In order for the transaction to be authorised and validated, the server generates what is called a ‘challenge’ – a numeric value made up of six characters that is the result of a hashing function over the date, time and value of the transaction itself. The challenge is presented to the user, who in turn keys this value into the token card, which produces the ‘challenge response’, also made up of six characters. This response is valid for that transaction only, and even if it were to become known to third parties eavesdropping on the line, it would be useless for other transactions. Furthermore, if it is manipulated during transmission, the server will reject it, since the server performs its own calculations to confirm the integrity of the value transmitted.

If the PIN is entered incorrectly, say, 3 times (the clipping level), the token card will be locked (similar to what happens at an ATM, with the difference that the ATM retains the card). The administrator is the only authorised person who may unlock a blocked card. If the authorisation code is entered incorrectly, say, 3 times, the application is generally set to end the session. All such login attempts are logged (audit trail) and reviewed by the administrator, so that any such unauthorised attempts are immediately identified and dealt with accordingly.
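As an added illustration (not code from the page or from PassGo’s product), the following Python model ties together the token-card behaviour described in the preceding paragraphs: a per-transaction challenge hashed from the date/time and amount, a six-digit response that is useless for any other transaction or after replay, a PIN clipping level of 3 that locks the token, a session that ends after 3 wrong codes, and an audit trail. The serial number, seed, HMAC-based response construction and six-digit truncation are assumptions of the example, not the real token algorithm.

```python
import hashlib
import hmac

# Constructed demo values; a real deployment provisions a unique seed per token.
TOKEN_SERIAL = "0000123456"                               # placeholder serial
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")  # placeholder seed
PIN_CLIPPING_LEVEL = 3   # three wrong PINs lock the token (from the text)
CODE_CLIPPING_LEVEL = 3  # three wrong codes end the session (from the text)


def token_key(serial: str, seed: bytes) -> bytes:
    # The token's serial number forms part of the key, as the text states.
    return hmac.new(seed, serial.encode(), hashlib.sha256).digest()


def six_digits(data: bytes) -> str:
    # Truncate a digest to a six-character numeric code (assumed construction).
    return f"{int.from_bytes(data[:4], 'big') % 1_000_000:06d}"


class Token:
    # Customer's card: the PIN (something you know) unlocks it (something you have).
    def __init__(self, serial: str, seed: bytes, pin: str):
        self.key = token_key(serial, seed)
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.failures = 0
        self.locked = False  # only an administrator may clear this

    def respond(self, pin: str, challenge: str):
        if self.locked:
            return None
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash):
            self.failures += 1
            self.locked = self.failures >= PIN_CLIPPING_LEVEL
            return None
        self.failures = 0
        # Challenge response = keyed MAC over the challenge, truncated to six digits.
        return six_digits(hmac.new(self.key, challenge.encode(), hashlib.sha256).digest())


class Server:
    # Back-end: issues a per-transaction challenge and verifies the response.
    def __init__(self, serial: str, seed: bytes):
        self.key = token_key(serial, seed)
        self.used = set()       # challenges already accepted: no replay
        self.code_failures = 0
        self.session_open = True
        self.audit = []         # audit trail for the administrator to review

    def challenge(self, amount: str, when: str) -> str:
        # Challenge = hash of date/time and transaction value, as the text describes.
        return six_digits(hashlib.sha256(f"{when}|{amount}".encode()).digest())

    def verify(self, challenge: str, amount: str, when: str, response: str) -> bool:
        # Recomputing the challenge binds the response to this exact transaction.
        expected = six_digits(hmac.new(self.key, challenge.encode(), hashlib.sha256).digest())
        ok = (self.session_open
              and challenge == self.challenge(amount, when)
              and challenge not in self.used
              and hmac.compare_digest(expected, response))
        self.audit.append((when, amount, "OK" if ok else "REJECT"))
        if ok:
            self.used.add(challenge)
            self.code_failures = 0
        else:
            self.code_failures += 1
            self.session_open = self.code_failures < CODE_CLIPPING_LEVEL
        return ok
```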

Positive Return on Investment (ROI)

Common sense tells us that the more applications that the token card concept may be applied to, the greater the ROI. Nevertheless, every implementation is different, and organisations should perform a thorough cost benefit analysis before proceeding with the implementation of such a token card based solution. Organisations may adopt token cards for both back-office employees (eg system administrators and call centre operators) and customers alike.

It is believed that token card deployment that forms an integral part of the backbone of logical access control to sensitive systems will discourage fraudulent transactions by employees and also reduce the need to employ more personnel to supervise back-office transactions. However, it must be remembered that the human element is the weakest link in any security set-up, so adequate segregation of duties is one of those controls that safeguard against abuse. Furthermore, the implementation should be based on a sound information security policy on logical access controls (refer to ISO 17799) and on procedures that management must ensure are adhered to.

Conclusion

Robust and resilient two-factor authentication is imperative for financial institutions engaging in any form of electronic banking or commerce. However, the success of a particular authentication tool or methodology depends on more than the technology. It also depends on a thorough risk assessment, appropriate information security policies, related procedures and controls. An effective authentication method should be implemented on an enterprise-wide basis, have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.

Token cards provide an effective and adequate protection against password or PIN code guessing because the token generates a one-time PIN for every logon session or a unique and dynamic authorisation code that is sent to verify and validate the transaction. In addition, these tokens are easy to use and relatively inexpensive for the organisation to finance. Token cards are now being used by a number of financial institutions in the United States and Europe that require strong two-factor authentication to enable their customers to access electronic banking systems.

Strong two-factor user authentication is one of the building blocks of a security methodology. It also forces user accountability, be it internal back office users or customers alike. Finally, it plays an important role in providing the customer with a robust and secure application that he/she will be confident to use without the fear of someone eavesdropping on his/her data/information or worse still, someone masquerading or stealing his or her identity to access the system.

About Julian Curmi

Julian Curmi is an associate member of the Institute of Bankers, is certified by the Information Systems Security Consortium (ISC2), and certified by Information Systems, Audit & Control Association (ISACA). He is responsible for group information security management at Bank of Valletta plc.

References & Acknowledgements

Electronic Banking – Safety & Soundness Examination Procedures - FDIC
Basle Committee on Banking Supervision
MSA/ISO 17799
COBIT, Governance, Control and Audit for Information & Related Technology
http://www.sans.org