by Mr. Julian Curmi B.Sc. ACIB CISA CISSP - Information Security Officer email: curmimontaldo@netscape.net
Electronic Banking (part 3)
When it comes to providing e-banking services through different channels using a flexible, portable two-factor authentication model, one of the most cost-effective solutions available is the token card.
A financial institution could opt for a token card-based solution to minimise risk and maintain customer confidence, without the need to invest in software or hardware on the customer's part.
Each customer is given a credit card-sized device with a numeric keypad that is used to safely "unlock" account information. To access accounts, users must possess both the token card and a PIN to unlock the token card itself - one factor without the other is useless.
Before the server allows logical access to the information, the customer must key in the string of numbers (generally six) that the token card generates on a one-time basis. The code is valid for a fixed period, say 40-50 seconds, which gives the customer ample time to key it in on either a keyboard or a telephone keypad.
The token card's inbuilt security mechanism is in sync with the back-end server, which verifies the authorisation code generated by the token card. Each token has a unique serial number that forms part of the cryptographic key used to generate dynamic network access codes that change every time the customer needs to log on to the application.
This matters because, first of all, with today's computers it may be possible to "sniff" the cryptographic key and then try to break the algorithm that generates the next password by "brute force", that is, by trying all possible combinations.
To prevent eavesdroppers from listening to or manipulating network traffic, the network path is now also protected by a secure channel, for example SSL.
In order for the transaction to be authorised and validated, the server generates what is called a "challenge" - a numeric value made up of six characters that is the result of a hashing function using the date, time and value of the transaction itself.
The challenge is presented to the user, who in turn keys this value into the token card, which produces the "challenge response", also made up of six characters. This response is valid for that transaction only, and even if it were to become known to third parties eavesdropping on the line, it would be useless for other transactions. Furthermore, if it is manipulated during transmission, the server will reject it, since the server performs its own calculation to confirm the integrity of the value transmitted.
If the PIN is entered incorrectly, say, three times (the clipping level), the token card will be locked (similar to what happens at an ATM, with the difference that the ATM retains the card). The administrator is the only authorised person who may unlock a blocked card. If the authorisation code is entered incorrectly, the application is generally set to end the session. All such login attempts are logged (audit trail) and reviewed by the administrator, so that any unauthorised attempts are immediately identified and dealt with accordingly.
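The challenge-response flow and the PIN clipping level described above, as an added simulation that is not part of the original article: the article names no algorithm, so the key derivation (token serial plus an issuer seed), HMAC-SHA256 for the response, the serial, PIN and transaction values are all constructed assumptions.

```python
import hashlib
import hmac
# Constructed values: the article names no algorithm, so HMAC-SHA256 keyed on the
# token serial plus an issuer seed is an assumption made for this illustration.
SEED = b"issuer-provisioning-seed"
CLIPPING_LEVEL = 3  # wrong PINs tolerated before the token locks itself

def token_key(serial: str) -> bytes:  # secret inside the token, mirrored on the server
    return hashlib.sha256(serial.encode() + SEED).digest()

def six_digits(data: bytes) -> str:
    return f"{int.from_bytes(data[:4], 'big') % 1_000_000:06d}"

def make_challenge(timestamp: str, amount: str) -> str:
    """Server: six-digit challenge hashed from date, time and transaction value."""
    return six_digits(hashlib.sha256(f"{timestamp}|{amount}".encode()).digest())

def expected_response(serial: str, challenge: str) -> str:
    """Response the server expects; the token computes the same keyed function."""
    return six_digits(hmac.new(token_key(serial), challenge.encode(), hashlib.sha256).digest())

class TokenCard:
    def __init__(self, serial: str, pin: str):
        self.serial, self._pin, self.failures, self.locked = serial, pin, 0, False

    def respond(self, pin: str, challenge: str):
        """Challenge response, or None when the PIN is wrong or the card is locked."""
        if self.locked:
            return None
        if pin != self._pin:
            self.failures += 1
            self.locked = self.failures >= CLIPPING_LEVEL
            return None
        self.failures = 0
        return expected_response(self.serial, challenge)

class AuthServer:
    def __init__(self):
        self.pending = {}  # txn id -> (serial, challenge) issued for that transaction

    def issue_challenge(self, txn_id, serial, timestamp, amount):
        self.pending[txn_id] = (serial, make_challenge(timestamp, amount))
        return self.pending[txn_id][1]

    def authorise(self, txn_id, response):
        entry = self.pending.pop(txn_id, None)  # consumed once, so a replay is rejected
        if entry is None or response is None:
            return False
        serial, challenge = entry  # server recomputes: a manipulated response will not match
        return hmac.compare_digest(expected_response(serial, challenge), response)
```

A response captured from one transaction is rejected for any other transaction and for a second use of the same one, and three wrong PINs leave the card returning nothing until an administrator unlocks it.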
Positive Return on Investment (ROI)
Common sense tells us that the more applications the token card concept may be applied to, the greater the ROI. Nevertheless, every implementation is different, and organisations should perform a thorough cost benefit analysis before proceeding with the implementation of such a token card-based solution.
Organisations may adopt token cards for both back-office employees and customers alike.
Token card deployment that forms an integral part of the backbone of logical access control to sensitive systems is believed to discourage fraudulent transactions by employees and to reduce the need to employ more personnel to supervise back-office transactions.
However, it must be remembered that the human element is the weakest link in any security set-up, so adequate segregation of duties is one of the controls that safeguard against abuse. Furthermore, the implementation should be based on a sound information security policy on logical access controls (refer to ISO 17799) and on procedures that management must ensure are adhered to.
Conclusion
Robust and resilient two-factor authentication is imperative for financial institutions engaging in any form of electronic banking or commerce.
However, the success of a particular authentication tool or methodology depends on more than the technology.
It also depends on a thorough risk assessment, appropriate information security policies, related procedures and controls. An effective authentication method should be implemented on an enterprise-wide basis, have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.
Token cards provide an effective and adequate protection against password or PIN code guessing because the token generates a one-time PIN for every logon session or a unique and dynamic authorisation code that is sent to verify and validate the transaction. In addition, these tokens are easy to use and relatively inexpensive for the organisation to finance.
Strong two-factor user authentication is one of the building blocks of a security methodology. It also enforces user accountability, for internal back-office users and customers alike.
Finally, it plays an important role in providing the customer with a robust and secure application that ensures confidentiality.