How to protect online transactions with multi-factor authentication
Organisations in the US are now affected by federal guidelines recommending multiple layers of security controls
By Julie Sartain | Network World US | Published: 14:26, 07 February 2012
The trusty telephone is emerging as one of the key elements in new multifactor authentication schemes designed to protect online banking and other web-based financial transactions from rapidly evolving security threats.
New federal guidelines in the US, which took effect last month, recommend multiple layers of security controls beyond the traditional username/password, particularly out-of-band authentication methods.
While the Federal Financial Institutions Examination Council (FFIEC) rules apply specifically to banks, credit unions, mortgage lenders, and savings and loans, every organisation that deals in online financial transactions such as shopping portals, credit card companies and online bill payments is affected.
One of the main weapons in today's hacker arsenal is password phishing. In this scenario, hackers use phishing emails to steal online banking credentials and break into user accounts.
In response, banks and other financial institutions have deployed technologies like device identification, challenge questions and one-time password tokens, according to Sarah Fender, vice president of product management at authentication vendor PhoneFactor.
Forrester analyst Andras Cser emphasises that login IDs and passwords are no longer enough. He says preselected images, challenge questions, device information, and device reputation are all effective second factor authenticators.
But the problem with many of those "in-band" authentication methods is that the device itself might be infected with malware, adds Fender.
Plus there are more advanced threats, such as keyloggers, Man in the Browser (MITB) and Man in the Middle (MITM) attacks, which require even more sophisticated security measures.
Gartner analyst Ant Allan said: "Virtually every authentication technique can be compromised or circumvented. Authentication is better than legacy passwords to minimise the risk for 'quick and dirty' attacks such as phishing, but there is a limit to the utility of seeking higher-assurance methods that are harder to compromise directly. At some point, the attackers will move to MITB attacks, which hijack already authenticated sessions, effectively bypassing authentication, to manipulate transaction details or insert bogus transactions."
Allan says there are two advanced technologies that are effective in combatting the current crop of attacks: Web Fraud Detection and Transaction Verification.
According to Allan, Web Fraud Detection evaluates contextual information about the user's connectivity (endpoint identity, geographic location, and so on) and looks for anomalous transactional behaviour (compared to user history and to other users; e.g., are multiple users making transfers to the same new account?).
Transaction Verification uses a number of techniques to confirm that the transaction details received by the bank (a) originated with the user and (b) are what the user intended. Interactive transaction confirmation via an out-of-band method, as outlined in the FFIEC guidance, is effective for desktop browser sessions and is possibly the most attractive option.
Of course, there are even more robust security methods - OTP (one-time password) hardware tokens with PIN pads and the EMV (Europay, MasterCard, Visa) payment card readers - but banks have run up against customer resistance to these types of security measures.
Here are some of the current options for effective authentication of online transactions.
- Risk-based authentication
An example of risk-based authentication is CA Arcot's RiskFort, a sophisticated tool that incorporates analytical fraud models based on a statistical analysis of transaction and fraud data.
"RiskFort collects a wide range of data about each login or transaction to produce a risk score derived from analytics and rules," says Ram Varadarajan, general manager at CA Arcot Security solutions, CA Technologies.
He adds, "The risk score determines what action, if any, to take for a given transaction, such as requiring a higher form of authentication. This is a scenario where risk-based authentication works collaboratively with strong authentication. If a transaction appears suspicious, another factor of authentication can be invoked to 'step up' the authentication and security."
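As an added illustration (not RiskFort or any vendor's code), here is a rule-based risk scorer of the kind described above: it combines per-user context signals with the cross-user pattern Allan mentions (several customers suddenly paying the same new account) and maps the resulting score to a step-up decision. The user profiles, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    user: str
    device_id: str
    country: str
    payee: str

# Constructed per-user profiles of devices, countries and payees seen before (assumed shape).
HISTORY = {
    "alice": {"devices": {"dev-a1"}, "countries": {"GB"}, "payees": {"acct-001"}},
    "bob":   {"devices": {"dev-b1"}, "countries": {"GB"}, "payees": {"acct-002"}},
    "carol": {"devices": {"dev-c1"}, "countries": {"GB"}, "payees": {"acct-003"}},
}

# Constructed transfers in the current window: two customers already paid a never-seen account.
RECENT_TRANSFERS = [
    Transaction("bob", "dev-b1", "GB", "acct-999"),
    Transaction("carol", "dev-c1", "GB", "acct-999"),
]

def risk_score(tx, history=HISTORY, recent=RECENT_TRANSFERS):
    """Return (score, reasons). Weights are illustrative assumptions."""
    profile = history.get(tx.user, {"devices": set(), "countries": set(), "payees": set()})
    score, reasons = 0, []
    if tx.device_id not in profile["devices"]:
        score += 30
        reasons.append("unknown device")
    if tx.country not in profile["countries"]:
        score += 25
        reasons.append("connection from an unusual country")
    if tx.payee not in profile["payees"]:
        score += 15
        reasons.append("new payee")
        # Cross-user anomaly: how many *other* users recently paid this new account?
        others = {t.user for t in recent if t.payee == tx.payee and t.user != tx.user}
        if len(others) >= 2:
            score += 40
            reasons.append(f"new payee shared by {len(others)} other users")
    return score, reasons

def required_action(score):
    # Thresholds are assumptions; a real deployment tunes them against fraud data.
    if score >= 60:
        return "step-up: out-of-band transaction confirmation"
    if score >= 30:
        return "step-up: second factor"
    return "allow"
```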
- Versatile authentication platforms
Entrust offers IdentityGuard and TransactionGuard. "IdentityGuard handles strong authentication in breadth as well as depth. It supports hard tokens, soft tokens, smart cards, SMS tokens, geo-location, eGrids, and more. Authentication could be relatively simple for clients using their own computers from their own homes, but increases in depth if they are using a hotspot, and even more if they are in another country," says Jon Callas, CTO at Entrust.
One improved technology is Entrust's patented electronic grid (eGrid), a simple, two-factor authentication system that requires little to no supporting technology. It's a grid of two-character codes indexed by letters and numbers. A bank can ask a user, for example, to provide the codes for E4, A1, H3. The user looks them up on his/her eGrid and replies CX, G3, 23 (which is, obviously, different on every card), and if the corresponding table matches, then the authentication is correct.
"Note that it doesn't require users to have a smart card, a token, or any other supporting technology," adds Callas. "It can be printed, kept as a picture, embossed on a badge or almost anything else. I have one that's a picture, which I keep on my iPhone, and I use it to authenticate to web mail."
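The grid-card exchange described above, as an added example that is not Entrust's code: the server issues a card of random two-character codes, picks a few cells as the challenge, and checks the reply with a constant-time comparison. The 8x8 grid size and the alphabet are assumptions.

```python
import hmac
import secrets
import string

ROWS = string.ascii_uppercase[:8]          # A..H (assumed card size)
COLS = range(1, 9)                         # 1..8
ALPHABET = string.ascii_uppercase + string.digits

def issue_grid():
    """Generate one user's card: a CSPRNG-chosen two-character code per cell."""
    return {f"{r}{c}": "".join(secrets.choice(ALPHABET) for _ in range(2))
            for r in ROWS for c in COLS}

def make_challenge(grid, n=3):
    """Pick n distinct cells at random for this login, e.g. ['E4', 'A1', 'H3']."""
    cells = list(grid)
    return [cells.pop(secrets.randbelow(len(cells))) for _ in range(n)]

def expected_response(grid, challenge):
    """Concatenate the card's codes for the challenged cells."""
    return "".join(grid[cell] for cell in challenge)

def verify(grid, challenge, response):
    """Compare the user's reply to the card in constant time; case-insensitive."""
    expected = expected_response(grid, challenge).encode()
    return hmac.compare_digest(expected, response.strip().upper().encode())
```

A server would store the grid per user and mark each challenge consumed once answered, so a captured reply cannot be replayed for the same cells.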
- Phone-based authentication
"Phone-based authentication is swiftly becoming the method of choice," says PhoneFactor's Fender. "These systems leverage the user's telephone as the trusted device for the second factor of authentication. Telephones are extremely difficult to duplicate and phone numbers are extremely difficult to intercept. The combination of the phone and a username with password yields strong, multi-factor authentication with minimal impact on the user experience."
She added: "PhoneFactor users can choose whichever authentication method they prefer such as phone call or text message, and all these solutions provide the same level of out-of-band security and convenience. Additional security features include PIN mode, voiceprint, and transaction verification, which can be mapped to particular users and/or levels of risk."
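Both the transaction verification Allan describes earlier (confirming that the details the bank received are what the user intended) and the PhoneFactor feature Fender mentions rest on tying the confirmation to the transaction details. The following added example (not PhoneFactor's or any bank's code) shows one way to do that: the bank derives a short code from the exact details it received, delivers details plus code over the out-of-band channel, and later recomputes the code over the transaction it is about to execute. The server key, message format and Transfer record are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)   # constructed per-deployment secret

@dataclass(frozen=True)
class Transfer:
    user: str
    payee: str
    amount_pence: int

def _code(tx, nonce):
    """Six-digit code bound to the exact transaction details and a one-time nonce."""
    msg = f"{tx.user}|{tx.payee}|{tx.amount_pence}|{nonce}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def issue_confirmation(tx):
    """Bank side: build the out-of-band message from the details it received."""
    nonce = secrets.token_hex(8)
    code = _code(tx, nonce)
    message = f"Confirm transfer of {tx.amount_pence / 100:.2f} to {tx.payee}? Code {code}"
    return nonce, code, message

def user_confirms(message, intended):
    """Phone side: the user only reads back the code if the details match their intent."""
    return (f"to {intended.payee}?" in message
            and f"of {intended.amount_pence / 100:.2f} " in message)

def verify_confirmation(tx_to_execute, nonce, code_entered):
    """Bank side: recompute over the transaction about to execute; any change breaks the code."""
    return hmac.compare_digest(_code(tx_to_execute, nonce), code_entered)
```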
- Image-based authentication
One clever new technology by Confident Technologies uses images on a touch-screen phone for authentication. Unlike multi-factor authentication processes that send a one-time text-message pass code to the user's phone, this technology provides a secure second factor by encrypting a one-time pass code within an image-based authentication challenge.
"When an authentication requirement is triggered, users identify pictures on their phone screen that match their previously selected, secret categories," says Curtis H. Staker, CEO at Confident Technologies. "For example, if a user preselects the categories called cars, food, and dogs, a grid of 12 (or so) images appears that contains various images, three of which fit their categories such as a Corvette, a hamburger, and a beagle. By correctly identifying the pictures that match their secret authentication categories, users are, essentially, re-assembling the one-time pass code that was encrypted within those pictures. Importantly, the process remains completely out-of-band from the web session."
"This concept of image categories is intriguing," says Scott Crawford, managing research director at Enterprise Management Associates, "particularly for mobile or touch screen form factors (where text input can be a challenge) and for cross-cultural or multi-language use cases, but the technique may beg the question as to whether or not users can consistently remember the categories they have chosen."
Staker adds that the specific images displayed are different every time, but the users' categories always remain the same. "This makes it difficult for anyone else to determine the users' secret categories. Even if someone else gained possession of the mobile phone or intercepted the communication, they would not be able to authenticate because the one-time password is encrypted within the images," adds Staker.
- Biometrics
Biometrics include authentication properties such as face recognition, fingerprint identification, hand geometry biometrics, retina scan, iris scan, digital signatures, and voice analysis.
"I'm not sure if biometrics is considered new, but it's definitely improved, and it's an area that ebbs and flows, as far as interest is concerned," says Chris Silva, mobile industry analyst at Altimeter Group. "The newest buzz in biometrics that's garnering attention in the mobile space is facial recognition. It has a lot of promise for the devices that we all carry around with us, which have limited physical keyboards (or none at all) and often need to be accessed while we're multi-tasking."
"Voice recognition, face topography, and iris structure are emerging technologies that also look attractive when you can leverage a user's mobile phone as a capture device (all have mikes and most have user-facing cameras)," adds Allan. "Most of these technologies are relatively passive and unobtrusive, making for a good user experience."
Many companies are experimenting with biometrics as an additional layer of security; for example, PhoneFactor uses Voiceprint Verification as a third factor of authentication on top of its other offerings.
"Using an existing voice channel, PhoneFactor simultaneously verifies something you have (your telephone) and something you are (your voiceprint) for the second and third factors of authentication," says Fender. "Voice verification provides one of the strongest levels of authentication without the high costs typically associated with biometric authentication."
As everyone in the security business knows, there is no perfect answer. Gartner's Allan points out that "whatever the desirable level of assurance, it has to be balanced against cost (deployments for hundreds of thousands of users are very cost sensitive) and user experience. We know that bank customers may change their banks if new security features such as authentication degrade the user experience: in a survey a couple of years ago, Gartner found that 3% of customers had done so, and a further 12% considered it."