Intruder Alert
BUILDING A BETTER ID
A total security system starts with accurate identification (sidebar, page 26). But the identification challenge extends way beyond the banking industry.
"Since September 11th, the need to accurately identify who you are, as opposed to what identification card you carry, or even what password you know, has become a worldwide concern," said Charlie Johnson, chair of the technology and emerging companies practice group at Hill & Barlow, a Boston law firm.
Indeed, the province of e-commerce itself has become a matter of the national interest. "Today, homeland security is largely about data and communications," said Johnson. "It involves the linking of police, firefighters, and EMTs. It involves collecting patterns of disease from hospital emergency rooms across the country, and it also involves mechanisms for tracking people, cargo and vessels, beginning at our nation's borders."
Accordingly, biometrics will likely come of age in a government setting, observers say. For example, face recognition technology, such as that from Viisage, Littleton, Mass., is being used by several states to cross-check digitized photos in motor vehicle databases, seeking drivers with duplicate licenses. Standardization of driver's licenses, under consideration with the Driver's License Modernization Act of 2002, would help to ensure that each driver is issued only one license, and that the holder of a license is the person to whom it was issued.
Technology companies see immense opportunity in a biometric world. "I know one major data mining company that is today exploring how biometric technology can be used together with credit cards, Internet use and travel databases to achieve near real-time tracking of foreign visitors," said Johnson. "On the other hand, privacy advocates are rightfully concerned that these inquiries can become indiscriminate or extend beyond their stated purpose."
As a result, it may be quite difficult for the government, let alone a corporation, to assemble a database of biometric information about its customers. "In the U.S., the notion of centrally stored biometrics is not going to be socially acceptable for some time," said Charles Walton, president and CEO of Caradas, Framingham, Mass. Rather, biometric information could be stored on a smart card and remain there, he noted. "I need to authenticate myself to the card. The card authenticates to the server."
While few banks are using biometrics for customer authentication, other innovative techniques have taken root. For example, RSA Security, Bedford, Mass., provides its SecurID token to 88 top banks around the world. The SecurID token can take the form of a credit card, a key fob the size of a remote car door opener, or a software program resident on a mobile device. It generates an unpredictable six-digit passcode that's used in combination with a traditional PIN.
"We actually have a lot of banks in Europe deploying these tokens out to their consumers, because they have such a strong desire for privacy within their accounts," said John Worral, vice president of worldwide marketing for RSA Security. "In America, it's pretty much inside the banks and bank-to-bank."
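To make the two-factor check concrete, here is an added example (not RSA's code: SecurID's passcode algorithm is proprietary, so the token side is stood in by an HMAC-based time-step OTP in the RFC 6238 style) of how a server verifies the six-digit passcode together with the PIN, tolerates token clock drift, and refuses a replayed passcode. The seed, PIN and clock values are constructed samples.

```python
# Added example, not RSA's code: SecurID's algorithm is proprietary, so the token's
# passcode is produced here with an HMAC-based time-step OTP (RFC 6238 style) as a
# stand-in. The seed, PIN and clock values are constructed samples.
import hashlib
import hmac
import struct

TIME_STEP = 60       # seconds each passcode stays valid on the token display
ALLOWED_DRIFT = 1    # accept one step either side to tolerate token clock drift

SEED = b"constructed-sample-seed-0123456789"          # shared between token and server
PIN = "4821"                                           # something the user knows
PIN_HASH = hashlib.sha256(PIN.encode()).digest()      # what the server actually stores

def passcode(seed: bytes, step: int) -> str:
    """Six-digit code for one time step (HOTP dynamic truncation, RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def verify_login(seed, pin_hash, pin, code, now, last_step=-1):
    """Check both factors: the PIN (known) and the token passcode (possessed).
    Returns (accepted, last_step); the caller persists last_step so the same
    one-time passcode cannot be replayed within the drift window."""
    pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash)
    current = int(now // TIME_STEP)
    matched = -1
    for step in range(current - ALLOWED_DRIFT, current + ALLOWED_DRIFT + 1):
        if step > last_step and hmac.compare_digest(passcode(seed, step), code):
            matched = step
    if pin_ok and matched >= 0:
        return True, matched          # passcode consumed
    return False, last_step

def demo(now=1_700_000_000):
    """First login succeeds; replaying the same passcode seconds later does not."""
    code = passcode(SEED, now // TIME_STEP)
    first, step = verify_login(SEED, PIN_HASH, PIN, code, now)
    replay, _ = verify_login(SEED, PIN_HASH, PIN, code, now + 5, step)
    wrong_pin, _ = verify_login(SEED, PIN_HASH, "0000", code, now)
    return first, replay, wrong_pin
```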
However, individuals in the United States with a corporate-size net worth and a commensurate level of online trading activity have already discovered SecurID. Barclays Global Investors (BGI), a San Francisco-based investment management subsidiary of Barclays Bank PLC, manages $126 billion in client assets of U.S. institutions, financial intermediaries and extremely wealthy individuals.
Needless to say, these are not day traders shuffling in and out of penny stocks. "We have accepted a $440 million trade. That was one trade," said Rochelle Siote, head of U.S. client relationship support at BGI.
Systems that allow this level of online trading activity must adhere to a corresponding level of security. "It's fairly strict," said Siote. "It has to be, given the size of these accounts."
The first level of security takes place at the account opening stage. "When the clients come into Barclays, we have what's called an authentication form," said Siote. "It tells us at BGI that these, say, five individuals are authorized to conduct these types of activity on behalf of our client."
Authorization to trade or wire money can be granted independently for each individual. Then, BGI issues each authorized user an RSA SecurID token.
Secure authentication hasn't simply created confidence among the bank's clients; it has also cut costs. "Before, the client would call into an 800 line," said Siote. "We'd have a person on the other end take the trade, we'd read the trade back, fax them a confirm, they'd review it, sign it, fax the confirm back to BGI, verify the signature and then we'd release the trade into the system."
Now, it's a seamless, paperless process with fewer potential points of failure. "As we moved to a Web environment, the clients were seeing the benefit," said Siote. "Thousands of trades that were previously done manually are now being done in an automated manner."
SECURE E-COMMERCE
While the SecurID authentication approach works well for individual-to-bank communications, it gets a bit more complicated in an Internet environment, with multiple consumers transacting with multiple vendors using multiple banks. Online transactions comprise only an estimated 3% of card transactions, but about half of the fraud.
That's why both MasterCard and Visa have introduced programs that create an extra level of authentication for e-commerce: Verified by Visa and MasterCard Secure Payment Application (SPA). "These standards will create, over the Internet, a guaranteed environment where people can sign receipts, and the payment to the merchant will be guaranteed," said Naftali Bennett, president and CEO of Cyota, based in New York. "A bank that does not implement it will begin eating a lot of fraud."
Cyota is currently working with Bank of America, Bank One's First USA division and TSYS on implementation of the new standard.
The user experience will include an additional step. "You'll be buying at a Web site and you fill in your regular credit card number," said Bennett. "Towards the end of the transaction, a receipt will pop up with the details (your name, the time, date and amount of the transaction) and you'll be required to fill in your password, or if you will, your signature."
The password, which is a "shared secret" between an issuing bank and a consumer, cannot be disclosed to a merchant. Furthermore, to ensure that a fraudulent Web site doesn't mimic the pop-up receipt, the bank will send a custom message to the cardholder.
"It's a reverse password or reverse PIN," said Jim McCarthy, senior vice president for new market deployment at Visa. "The bank presents me with data that only I should know."
By requiring verification through the issuing bank, the responsibility to safeguard credit card information shifts away from hundreds of thousands of online merchants to the associations' member banks. "The merchant is now, for the first time, protected against fraud," said McCarthy. "The bank owns that risk and owns that experience."
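The issuer-verification flow described above, as an added example that is not Visa's, MasterCard's or Cyota's code: the bank shows the receipt together with the cardholder's custom message before asking for the password, the merchant never receives the password, and what the merchant gets back is a bank-signed receipt it can present for payment. The class names, the HMAC signing, and every card number, password and message below are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

class Issuer:
    """The cardholder's bank: keeps the shared secret and the custom message (constructed example)."""
    def __init__(self):
        self._cardholders = {}                       # card -> (password hash, assurance message)
        self._pending = {}                           # challenge id -> (card, receipt)
        self._signing_key = secrets.token_bytes(32)  # never leaves the bank

    def enroll(self, card, password, assurance_message):
        self._cardholders[card] = (hashlib.sha256(password.encode()).digest(), assurance_message)

    def start_challenge(self, card, merchant, amount):
        """Bank shows the receipt together with data only it and the cardholder know."""
        if card not in self._cardholders:
            return None
        challenge_id = secrets.token_hex(8)
        receipt = {"merchant": merchant, "amount": amount, "time": int(time.time())}
        self._pending[challenge_id] = (card, receipt)
        return challenge_id, receipt, self._cardholders[card][1]

    def complete_challenge(self, challenge_id, password):
        """Check the shared secret; on success sign the receipt so payment is guaranteed."""
        card, receipt = self._pending.pop(challenge_id, (None, None))  # one attempt per challenge
        if card is None or not hmac.compare_digest(
                hashlib.sha256(password.encode()).digest(), self._cardholders[card][0]):
            return None
        return card, receipt, self._sign(card, receipt)

    def _sign(self, card, receipt):
        payload = f"{card}|{receipt['merchant']}|{receipt['amount']}|{receipt['time']}".encode()
        return hmac.new(self._signing_key, payload, hashlib.sha256).hexdigest()

    def authorize(self, card, receipt, proof):
        """Settlement: the bank accepts only receipts it signed, unchanged."""
        return hmac.compare_digest(self._sign(card, receipt), proof)

def demo_purchase(password_typed="correct horse"):
    """Returns (message shown to cardholder, genuine receipt accepted, tampered receipt accepted)."""
    bank = Issuer()
    bank.enroll("CARD-SAMPLE-0001", "correct horse", "Your hint: Biscuit the beagle")
    cid, receipt, shown = bank.start_challenge("CARD-SAMPLE-0001", "Example Books", "39.95")
    # A spoofed pop-up cannot display 'shown'; the merchant never receives the password.
    result = bank.complete_challenge(cid, password_typed)
    if result is None:
        return shown, False, False
    card, signed, proof = result
    return shown, bank.authorize(card, signed, proof), bank.authorize(card, dict(signed, amount="3995.00"), proof)
```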
A password or its equivalent may eventually take hold at the point of sale, especially as merchants upgrade their terminals with Internet connections.
"Over time, as the networks change, we want to kind of harmonize the consumer experience," said McCarthy. "We could take this technology out to the physical world in the future, and use the same password in the online world as in the offline space."
The "shared secret" between the cardholder and the issuer doesn't have to be a password. It's up to the card issuer whether to authorize a transaction using a digital signature on a smart card, a "ping" from a consumer's mobile phone, or a passcode from a SecurID token. But no matter how it's implemented, the issuer-verification strategy promises to make stolen credit card numbers as useless as the serial numbers on a pile of dollar bills.
Even though shutting down that avenue of fraud makes the financial industry a more tempting target to its enemies, bankers are fortunate to have the technology and the willpower to meet the information security challenge.