It has been but a decade since the introduction of the modern browser, the dawn of the World Wide Web and commercialization of the Internet. The impact on the financial industry has been profound; the Internet has provided a channel that dramatically reduces costs of activities ranging from account acquisition (e.g., credit cards and loan origination) to customer servicing (e.g., statement servicing and bill payment) and has enabled the rise of e-commerce.
The same environment that has created a global village for business has provided a global target for fraudsters, hackers and other enterprising criminals looking to abuse this medium. Increasingly, organized crime factors in with the number and breadth of security and fraud issues that have been multiplying dramatically. Fraudsters have a broad range of tools for pilfering and using consumer data. Account takeover and identity theft, terms unknown just a few years back, dominate the news. An entire new taxonomy is required for discussing the threats: Malware, worms, Trojan horses, keyboard loggers, spyware, hacking and most recently "phishing" relentlessly attack consumers and their PCs.
At the heart of all of these issues is a clear need for strong authentication, not just of the consumer by the bank but also of the bank by the consumer. However, virtually all systems today rely on user ID (UID) and a password for consumer authentication, which is keyed into a PC, frequently under the watchful eye of a piece of spyware. (According to a 2004 study by EarthLink, the average PC contains 26.5 pieces of spyware!)
Europe and countries in other regions are in the process of converting to smart cards through the Europay-MasterCard-Visa (EMV) Initiative. In Europe, there are over 250 active smart card programs. The impetus for migration to smart cards in Europe has been the high cost of fraud combined with the expensive telecommunications environment necessary to provide 100% authorization. France, which had an effective fraud rate of 18 basis points in 1991, determined that smart cards were a cost-effective solution. By empowering the card, as a proxy for the issuer, to perform many of the authorizations, French banks were able to reduce fraud to one basis point while ensuring 100 percent authorization by the issuer. Fraud, however, never is eradicated; it simply relocates to the point of least resistance. For French cards, it hiked across the Pyrenees, where stolen the cards were used in point-of-sale (POS) terminals that did not support smart card technology.
By the start of the millennium, two European vendors, Vasco (www.vasco.com) and Xiring (www.xiring.com), had developed small hand-held devices (HHDs) that interfaced with smart cards to provide proprietary solutions for cardholder authentication and digital signatures for online proprietary technologies. Vasco's Digipass and Xiring's XiSign provided alternatives to UID plus password. (Note: While these devices are available as connected terminals, the HHD is less expensive and more portable, and it avoids connectivity issues.)
The online application prompts for an authentication value, known as a one-time password. The cardholder inserts the smart card into the HHD and is prompted for the PIN. The PIN is then authenticated by the card, which generates a unique one-time password encrypted by a secret key shared with the card issuer (bank). The cardholder enters the one-time password into the PC to be verified by the issuer using a hardware security module (HSM). ABM AMRO, Cortel and Rabobank Netherlands implemented Vasco's Digipass solution; Credit Mutuel, Barclays and Banques Populaire deployed Xiring's proprietary XiSign application.
In 2002, MasterCard's Chip Center of Excellence developed a specification, Chip Authentication Programme (CAP), to standardize this process based on EMV. Simultaneously, in the U.K., the Association for Payment and Clearing Services (APACS) wrote a specification for use of HHDs for online financial services in the U.K. By late 2002, MasterCard had reconciled CAP to meet APACS' requirements. MasterCard also integrated CAP with SecureCode, its implementation of the 3DSecure protocol. Today, CAP provides smart-card-based authentication for both e-commerce and online financial applications, providing consumers with a single uniform experience, and they can use the same PIN they use in the physical world. BarclayCard is the first program to use CAP for authentication for e-commerce; banks in nine other countries are deploying the technology for both online financial applications and telephone authentication. Vasco and Xiring, as well as ActivCard (www.activcard.com), have certified their devices with EMVCo as Level 1 compliant and have adapted their technology to support MasterCard's program.
The technology provides a single process for both strong and, in the online environment, secure authentication for a wide range of applications. Beyond the Internet, banks are finding that this technology works well for telephone commerce and authentication of customers when they attempt to change account information over the phone. Phone and mobile communications are equally at risk as methods for account takeover and identity theft.
Although the next generation of this technology is not yet implemented, engineers are looking at it to provide bilateral authentication to address phishing. One approach under consideration is to have the HHD display a 12-digit one-time password but have the consumer enter only the first (or last) eight digits and let the host application return the remaining digits. The consumer or the device could then authenticate the server. This simple modification can resolve the dilemma of bilateral authentication and the challenge of phishing.
Credit card fraud in the physical world remains relatively infrequent at less than 10 basis points, but the Internet has altered the equation dramatically. When financial institutions compute the total cost of fraud, both direct and indirect, as well as the significant risk of loss of confidence in the channel itself, the overall cost to use smart cards as portable tokens may seem like a modest investment by comparison. This technology can provide not only secure and strong authentication for all Internet-based financial applications but also authentication over voice channels, which is just as critical in today's environment. The versatility of these hand-held devices may in fact be the "killer application" the market has been searching for to justify the investment in smart card technology.
This article is based on TowerGroup research by John Gould, director of the Consumer Lending and Bank Cards practice at TowerGroup, a leading advisory research and consulting firm focused on the global financial services industry. Mr. Gould can be reached at [email protected].