
Choosing the right Two-Factor Authentication for Internet Banking

How to balance banking security and regulations with customer convenience.


INTRODUCTION
Security has been a key barrier to the adoption of Internet banking in India, and recent instances of fraud involving leading banks have made it a prime customer concern. A flood of new attacks targeting banking customers over the last twelve months has led the Reserve Bank of India (RBI) to issue directives on the use of two-factor authentication by banks for mobile banking and online card-not-present transactions; this may soon be extended to online banking as well. The RBI regards single-factor authentication (a username and password) as inadequate to protect users against current scams such as phishing, pharming and Trojans. All Indian online banks have been required to implement two-factor authentication, which relies on something the customer has in order to identify the individual more strongly. The challenge banks now face is how to introduce two-factor authentication quickly while ensuring that the chosen method is convenient enough for broad consumer adoption and keeps costs down.

WHAT IS TWO-FACTOR AUTHENTICATION?
Two-Factor Authentication (2FA) augments user knowledge (usually a username and password) with the requirement to carry a personal possession, which is used to receive or generate a one-time (single-use) password. 2FA can be used either to strongly identify a user or to digitally seal an individual transaction. The combination of knowledge and a personal possession makes identity theft much more difficult, as a would-be attacker must steal both the knowledge and the possession. It also blunts phishing and pharming: a one-time password captured by a fake site is of little use to the attacker because it expires after a single use, so the user has no reusable password to divulge. (A one-time password on its own does not stop an attacker who relays the code in real time; the transaction signing described later addresses that case.) One-time passwords can also supplement existing security selectively, for example to protect higher-value transactions.

Two-Factor Authentication also brings business benefits by increasing the dialogue between your brand and your customers. It enables you to:
- Maintain customer trust and loyalty by providing a secure online banking solution
- Reduce fraud, and the associated costs incurred through recovery and administration
- Protect and strengthen your brand by minimising the risk of online identity fraud
- Attract new customers with a convenient, secure and easy-to-use solution

INCONVENIENT HARDWARE TOKENS
Although two-factor authentication solutions have been available for a number of years, they have relied on proprietary hardware such as authentication tokens or key fobs. Adequate for authenticating hundreds of users, hardware tokens prove too costly to deploy in consumer environments for the following reasons:
1) Each token needs to be securely delivered to the consumer through a courier service
2) Hardware tokens are proprietary, and hence expensive
3) Hardware tokens have a limited lifespan and are regularly broken, lost or misplaced, leaving the user unable to log in
To be broadly embraced by the consumer market, the convenience barrier must be set as low as possible.

Copyright 2005 PortWise. All rights reserved. The PortWise logo and all PortWise product names and slogans are trademarks or registered trademarks of PortWise. Other product names and/or slogans mentioned herein may be trademarks or registered trademarks of their respective companies.

SOFTWARE TOKENS
A software token based authentication solution is designed for consumer environments where millions or even tens of millions of users need to be strongly authenticated using something all of us already carry (e.g., a mobile phone). It offers strong security in a comprehensive, scalable and very cost-effective solution.

USER AUTHENTICATION
Software token based authentication solutions rely on the consumer carrying a commodity device such as a mobile phone, BlackBerry or PDA and using it, in combination with their username and password, to strongly authenticate themselves. This can be done in one of two ways:
a) Out-of-band authentication: the consumer receives a one-time password via SMS or e-mail after entering their username and password, or
b) Software token: the consumer runs a Java based software token on the mobile phone to generate a sequence based one-time password after entering their username and password.

Figure 1: Using an SMS based One-Time Password

Figure 2: Using a software token to generate a One-Time Password

TRANSACTION SIGNATURES
Once users have authenticated themselves with two factors, they may view their account balance, order cheques or perform low-value transactions. For high-value transactions, however, banks and consumers also want the ability to digitally seal an individual transaction. Transaction signing software tokens let the user enter the transaction data (for example the payee account number and the amount) into the token, generate a transaction signature computed over those values, and then enter the signature into the online application. The server processes the transaction only if the signature matches the transaction values it has received.

This protects against Man-in-the-Middle and Man-in-the-Browser attacks, since the signature is bound to the specific transaction the client signed and cannot be reused by an attacker to divert a payment: if the payee or the amount is altered in transit, the signature the server recomputes over the received values no longer matches and the transaction is rejected. For this to hold, the token must compute the signature over the values the user actually keyed in and sees on the token's own display, not over values supplied by a possibly compromised browser.

DIGITAL CERTIFICATES
For corporate banking customers, banks are advised to deploy a PKI-based digital certificate authentication mechanism. Digital certificates provide non-repudiation, a key concern for banks. The 2FA solution should not only be able to verify digital certificates but also provide a PKI platform, in virtual appliance form, that starts out of the box and produces the first digital certificates and smart cards within a couple of hours. The PKI appliance should comprise a Certifying Authority with auto-enrolment, an OCSP responder, a user-friendly credential lifecycle manager and a web-based self-service portal.

ENDPOINT ASSESSMENT
The most direct way of preventing Trojans from stealing user credentials is to make sure that the user's computer has no such Trojan installed. The 2FA solution should provide an End-Point Security Assessment module which can check the user's machine for any number of threats, including viruses, spyware and Trojans, before any access is granted. It can also verify network configuration settings, including the IP address, open ports, domain and registry settings, and whether the latest operating system and security patches are installed. End-Point Security Assessment can also examine the browser to ensure it has not been tampered with by a Trojan. Bear in mind that such a check runs on a machine that may already be compromised and can be lied to by the malware it is looking for; it reduces risk rather than eliminating it, which is why transaction signing remains necessary for high-value transactions.

ENDPOINT ABOLISHMENT
The 2FA solution should have an End-Point Abolishment module that removes all traces of the customer's activity, including web page caches, registry keys, downloaded components and files, and cookies, from the system once they log off. This enhances security in shared-workstation environments such as cyber cafes and kiosks.

SECURE ACCESS GATEWAY
The 2FA solution should provide a Secure Access Gateway (access point) which eliminates the need to make any changes to the existing Internet banking application in order to enable strong multi-factor authentication. The Secure Access Gateway also enables any new form factors produced by the vendor to be rolled out to customers without changing the Internet banking application or upgrading the back-end authentication system.

ZERO VENDOR LOCK-IN
Choosing a vendor that supports and fully complies with the OATH (Initiative for Open Authentication) reference architecture ensures banks can future-proof their security implementation. The OATH standard prevents vendor lock-in and ensures the lowest cost of ownership. With an OATH-compliant architecture in place, banks can buy tokens from any of the 100+ vendors of OATH-compliant tokens.
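Added worked example (not PortWise code, and not any vendor's product): it ties together the sequence based software token from USER AUTHENTICATION, the transaction signature and Man-in-the-Browser discussion under TRANSACTION SIGNATURES, and the OATH compliance point above. The one-time password is OATH HOTP exactly as specified in RFC 4226 and is checked against that RFC's published test vector. The transaction signature is an assumed simplification (a HOTP-style MAC over the counter plus the serialised payee and amount), not the OATH OCRA format; the look-ahead window of 10, the account numbers and the amounts are constructed for the example.

```python
"""Added example (not PortWise code): an OATH HOTP software token, a server-side
verifier with replay protection, and a simplified transaction signature that
binds the one-time code to the payee and amount. The shared secret below is the
RFC 4226 test secret; account numbers and amounts are constructed."""
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: the low nibble of the last byte selects a
    4-byte window, its top bit is cleared, and the value is reduced mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian event counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def sign_transaction(secret: bytes, counter: int, payee: str, amount_paise: int,
                     digits: int = 8) -> str:
    """Simplified transaction signature (assumption: a HOTP-style MAC over
    counter || transaction data, not the OATH OCRA wire format). Fields are
    serialised in a fixed order so token and server MAC identical bytes."""
    data = struct.pack(">Q", counter) + f"INR|{payee}|{amount_paise}".encode()
    mac = hmac.new(secret, data, hashlib.sha1).digest()
    return _truncate(mac, digits)


class OtpServer:
    """Per-user state on the bank's authentication server: the shared secret and
    the highest counter accepted so far. A code is valid only for a counter beyond
    that value and within a look-ahead window (the token may have been pressed
    without completing a login), so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1

    def _accept(self, matches) -> bool:
        # In production also throttle failed attempts per user (RFC 4226 section 7.3).
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if matches(c):
                self.last_counter = c   # consumed: this and all lower counters are now dead
                return True
        return False

    def verify_login(self, code: str) -> bool:
        return self._accept(lambda c: hmac.compare_digest(hotp(self.secret, c), code))

    def verify_transaction(self, code: str, payee: str, amount_paise: int) -> bool:
        """Recompute the signature over the values the bank actually received."""
        return self._accept(lambda c: hmac.compare_digest(
            sign_transaction(self.secret, c, payee, amount_paise), code))


def demo() -> dict:
    secret = b"12345678901234567890"      # RFC 4226 test vector secret
    server = OtpServer(secret)
    results = {}
    # Login: the token at counter 0 produces 755224 (RFC 4226 test table); a
    # second submission of the same code is a replay and is refused.
    code = hotp(secret, 0)
    results["login"] = server.verify_login(code)
    results["replay"] = server.verify_login(code)
    # Transaction signing: the user keys payee and amount (Rs 25,000, in paise)
    # into the token at counter 1 and submits the signature with the transfer.
    payee, amount = "0123456789", 2_500_000
    sig = sign_transaction(secret, 1, payee, amount)
    results["txn_ok"] = server.verify_transaction(sig, payee, amount)
    results["txn_replay"] = server.verify_transaction(sig, payee, amount)
    # Man-in-the-Browser: a fresh, genuine signature (counter 2) is forwarded,
    # but the payee field was swapped in transit; the server's recomputation
    # over the received values does not match, so the payment is refused.
    sig = sign_transaction(secret, 2, payee, amount)
    results["txn_tampered"] = server.verify_transaction(sig, "9999999999", amount)
    return results


if __name__ == "__main__":
    print(demo())
```

The server keeps only the last counter it accepted; that single value is what makes every code single-use, and the look-ahead window is what lets a token that was pressed a few times without a login resynchronise. Because the signature is recomputed over the values the bank received, a Man-in-the-Browser that rewrites the payee produces a mismatch rather than a diverted payment.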


PROHIBIT SESSION-SAVING COOKIES
From the customer's perspective it is often convenient to be able to resume a session after a change of network settings, an accidental reboot or a similar event. However, persisting the session to achieve this poses grave security risks: an attacker who obtains the session cookie can resume the session from their own computer if precautions are not taken. While it is useful to hold state information about the active session, cookies and other trail information must be secured during and after the session. The 2FA solution should store cookies in memory rather than in the browser's temporary folders (that is, issue session cookies with no expiry rather than persistent ones), and should additionally mark them Secure and HttpOnly so that they are neither sent in clear text nor readable by script. This thwarts an attacker's attempt to copy cookies from the consumer's computer and use them to resume the session illegally.

STRONG ONE-FACTOR AUTHENTICATION
The 2FA solution should support emergency access through strong one-factor authentication in case of lost, misplaced or damaged tokens. For this the 2FA solution should provide a web-based token that is delivered through the web browser to the end user on request. It should require no pre-configuration and should use either ActiveX or Java, depending on what is available on the Internet-connected device. To protect against hostile code such as key loggers and Trojans, the web-based token should:
- Include a scrambled on-screen keyboard that can be configured to accept input only from that on-screen keyboard. The scrambling protects against Trojans or key loggers that record screen coordinates and keystrokes.
- Accept the PIN with both the keyboard (for the letters) and the mouse (for the numbers). This provides protection against keyboard loggers, mouse recorders and video capture Trojans.
- Generate the OTP locally and never send the PIN across the Internet, to protect against replay attacks.
- Be valid for only one use per session, controlled by time-outs.
- Use JPEG bitmaps for the keyboard, for protection against Trojans that use OCR scanning.

TOKEN DISTRIBUTION
To ease distribution of software tokens, the 2FA solution should include a Distribution Service that automates token distribution, installation and set-up. The Distribution Service should make the process fully automated for smooth and easy end-user deployment: all the end user has to do is follow a URL sent by the server in an SMS, and within seconds the user should be equipped with two-factor authentication. The URL is opened in the device's web browser and should not require the software token application to be installed separately.

INTEGRATION WITH ALL BANKING CHANNELS
It should be possible to integrate the 2FA solution with all banking channels such as Internet banking, phone banking, mobile banking, ATM banking, etc. To ease integration, the 2FA solution should support standard interfaces such as RADIUS and also provide a secure web-services based interface.

UNIFIED AUDIT LOGS, ALERTS AND REPORTS
The 2FA solution should provide a complete, unified audit log of strong authentication, end-point security, access and session clean-up events. The audit log should be syslog compatible to enable sharing with identity management, business process monitoring and system management solutions. The 2FA solution should allow alerts to be set on system events so that administrators are notified when something occurs, making problem resolution easier and less time-consuming. This enables administrators and help desk personnel to work proactively and respond to incidents more quickly. Alerts should be distributed by SMS (mobile text message) or e-mail. The 2FA solution should report snapshots of activity at any given time, both in real time and over a historical period, as well as statistics showing for example the behaviour of users or the usage of Internet banking.

INDIAN BANKING CUSTOMER REFERENCE
To ensure technical viability, the 2FA solution should have been implemented within at least one bank in India and should have been successfully operational for at least three years.

LOCAL 24X7 SUPPORT
The 2FA vendor should have a 24x7 support setup in India dedicated to APAC customers which provides:
- Telephone and e-mail based support available to the bank 24x7
- Assistance when troubleshooting the 2FA solution
- Advice on version handling of the 2FA solution
- Notification of releases, patches and current downloads
- Work on a case starting within 4 business hours of the support case being logged
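The INTEGRATION WITH ALL BANKING CHANNELS section names RADIUS as the standard interface between the banking channels and the 2FA server. As an added example, not taken from the page or from PortWise, here is the RADIUS Access-Request (RFC 2865) a banking front end would send to have a one-time password validated, together with the server-side parsing that recovers it. The shared secret, user name and OTP value are constructed; the fixed Request Authenticator in demo() exists only to make the output reproducible (build_access_request draws a random one by default).

```python
"""Added example (not PortWise code): the RADIUS Access-Request (RFC 2865) a
banking front end sends to a 2FA server to validate a one-time password, and
the server-side parsing that recovers it. Shared secret, user name and OTP are
constructed values."""
import hashlib
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1      # RADIUS Code for Access-Request
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, includes this 2-byte header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad with NULs to a multiple
    of 16 bytes, then XOR each block with MD5(secret + previous block), the
    'previous block' of the first block being the Request Authenticator. This is
    keyed obfuscation, not strong encryption, so RADIUS traffic still belongs on
    a protected network segment or inside a tunnel."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: same keystream, chained on the received ciphertext blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def build_access_request(secret: bytes, identifier: int, username: str, otp: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Client side (the Internet banking front end acting as the RADIUS NAS).
    Header: Code, Identifier, 16-bit Length of the whole packet, 16-byte random
    Request Authenticator; then the attributes. The OTP travels in User-Password."""
    authenticator = os.urandom(16) if authenticator is None else authenticator
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (_attribute(ATTR_USER_NAME, username.encode())
             + _attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, otp.encode())))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(secret: bytes, packet: bytes) -> dict:
    """2FA server side: validate the header, walk the attributes (rejecting any
    length that runs past the packet) and recover the OTP for verification."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        raise ValueError("malformed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:                 # octets beyond Length are padding and ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("User-Name and User-Password are required for OTP validation")
    return {
        "identifier": identifier,
        "username": attrs[ATTR_USER_NAME].decode(),
        "otp": unhide_password(secret, authenticator, attrs[ATTR_USER_PASSWORD]).decode(),
    }


def demo() -> dict:
    """Round trip with a fixed authenticator so the output is reproducible
    (constructed for the example; real requests use the random default)."""
    secret = b"example-shared-secret"
    packet = build_access_request(secret, 7, "customer42", "755224",
                                  authenticator=bytes(range(16)))
    return parse_access_request(secret, packet)
```

The User-Password hiding is MD5-keyed XOR rather than encryption, so the RADIUS leg between the banking application and the 2FA server should stay on a protected segment or inside a tunnel, and each NAS should have its own shared secret. The OTP recovered by parse_access_request is what the 2FA server then checks against the user's token state before answering Access-Accept or Access-Reject.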

SUMMARY
If you are currently evaluating two-factor authentication solutions for your Internet banking, this guide has provided the information and tools to help you make the right decision. We examined the role of two-factor authentication in addressing today's business opportunities and challenges, and discussed the characteristics of an effective solution, so that the chosen solution is convenient enough for broad consumer adoption while keeping costs down and security risks minimal.

BUYERS CHECKLIST
Feature                                        Yes   No
Out-of-band authentication using SMS/e-mail    [ ]   [ ]
Mobile-based software tokens                   [ ]   [ ]
Transaction signing software tokens            [ ]   [ ]
PKI appliance for digital certificates         [ ]   [ ]
Web-based tokens                               [ ]   [ ]
Endpoint assessment                            [ ]   [ ]
Endpoint abolishment                           [ ]   [ ]
Secure access gateway                          [ ]   [ ]
OATH compliant                                 [ ]   [ ]
Prohibits session-saving cookies               [ ]   [ ]
Fully automated token distribution             [ ]   [ ]
Provides secure web-services API               [ ]   [ ]
Unified audit logs, alerts, reports            [ ]   [ ]
Indian banking customer reference              [ ]   [ ]
Local 24x7 support                             [ ]   [ ]

