
Showing posts with label IT Security. Show all posts

Sunday, January 29, 2012

Is it time for 3FA (three-factor authentication) in Indian ATMs?



The trigger for this thought is this Economic Times article.
It seems the speakers at the meet have a strong tendency to blame bankers, especially those associated with ATM operations, for the fake notes menace.

Maybe the speakers have not read this article on the security features of Indian notes.

The aim of this post is not to explain what 1FA, 2FA or 3FA (one-, two- or three-factor authentication) is, but to analyse the pros and cons of 3FA at the ATM.

3FA, in simple terms, is the verification of a user's request by three separate and independent checks, to confirm that the request was raised by the genuine user and not by any third party.

3FA is not 100% secure; nothing in this world is. What it does is raise the attacker's cost: a fraudster must now defeat three independent factors instead of two, so a skimmed card or a shoulder-surfed PIN is no longer enough on its own.
ATMs in India currently use 2FA, i.e. 'something the user has' (the ATM card) and 'something the user knows' (the PIN, Personal Identification Number).

There is a wide choice for the third factor:
  1. Biometric (UIDAI being the best example)
  2. OTP (One Time Password)
  3. Security tokens
  4. Card lock-in options
  5. Transaction authentication

The pros and cons of each option, in brief, are as under:

  1. Biometric (UIDAI being the best example)
PROS:
a) Tools exist to make this a reality.

CONS:
a) UIDAI is yet to stabilise.
b) The implementation and maintenance costs right now are substantial.
c) Biometric verification tools on a large scale are not common in India.


  2. OTP (One Time Password)
PROS:
a) OTPs are becoming common.
b) The implementation and maintenance costs are lower.

CONS:
a) OTP generation and verification need to be integrated into the ATM network. This is not a big inhibitor, as the majority of ATMs are now part of the NFS (National Financial Switch) network. The factor which might be a stumbling block is the validity period of the generated OTP, i.e. for how long it should remain live. Currently the industry average for net-banking non-financial OTPs is about 2 hours; for financial OTPs the life is far shorter (a time-synchronised token code rotates every 30 seconds, and an SMS OTP for a transaction typically expires within a few minutes), and a long-lived OTP is exactly what a fraudster relaying it in real time needs.
b) An OTP delivered by SMS inherits the weaknesses of the mobile channel: the customer needs network coverage at the ATM, and a SIM swap or a phone-side trojan hands the OTP to the attacker.

  3. Security Tokens
PROS:
a) Proven technology.
b) Costs are low.

CONS:
a) Integration with the ATM network is required.
b) Who will bear the cost of the security token, including its replacement when it is lost or its battery dies?

  4. Card Lock-in Options
In simple terms, the card-locking feature allows bank customers to lock and unlock their cards, to permit or deny account use at automated teller machines (ATMs) and point-of-sale (POS) devices or on internet sites.
Some banks have already opted for this feature. Check out Card Lockin and the Diebold card lock-in feature.
PROS:
a) Brand new concept, hence banks can be encouraged to hop on to the bandwagon.
b) SMS / branch / phone / net banking channels can all be touch points for this option.
CONS:
a) Strictly speaking, a card lock is an authorisation control rather than an authentication factor: it restricts when and where the card may be used, but does not verify who is using it, so it complements a third factor rather than replacing one.

  5. Transaction Authentication
Transaction authentication means using an additional electronic signature generated on the basis of the amount to be withdrawn from the ATM. The electronic signature can be an OTP which is generated only after the amount to be withdrawn is keyed into the ATM, so that a code captured for one withdrawal cannot be reused for a different amount. However, the main drawback is that the time frame to complete the whole cycle of an ATM withdrawal is short, and introducing transaction authentication in the present setup is a challenge.







Sunday, January 22, 2012

'SafeNet eToken 3500' – New tool to combat online banking fraud. Which bank will introduce this in India?




Indian bank customers, especially internet banking customers, are being made aware of the need for sound security practices.

As the number of internet banking users is on the rise, the threats to internet banking too are on the increase.
It is a cat-and-mouse game between Indian banks and the internet fraudsters in the cyberworld.

The most common terms in internet banking security are MITM (man-in-the-middle) and MITB (man-in-the-browser).

SafeNet, 'The Data Protection Company' as its punchline goes, has announced the launch of a comprehensive solution for addressing all risk levels in online banking.
The solution is the 'SafeNet eToken 3500'.

The main differentiator between the 'SafeNet eToken 3500' and its competitors is the ability of the eToken 3500 to read the transaction data from the web browser and then generate a unique electronic signature that is used to validate the transaction.
Yes, the 'SafeNet eToken 3500' reads the transaction data from the web browser. Well, check out the demo @ Demo.



The following are the steps to secure a financial transaction with the 'SafeNet eToken 3500':
  1. The user logs into the bank's internet banking site with his/her login ID and an OTP (One Time Password) generated by the 'SafeNet eToken 3500'.
  2. The user enters the amount to be transferred along with the beneficiary account number.
  3. The 'SafeNet eToken 3500' is held up to the computer screen and reads the amount and the account number.
  4. Based on these, an electronic signature is generated by the 'SafeNet eToken 3500'.
  5. The electronic signature, i.e. a number, is keyed into the bank's internet banking site.
  6. If the details tally, the transaction is approved.

The 'SafeNet eToken 3500' adds an additional security layer to the transaction. The advantage of logging into the bank's website with an eToken 3500 OTP is that the user need not remember a password. This frees the bank from password generation, storage and reset work, and makes the login step considerably safer, since there is no static password to phish or replay.

Hmm, not sure when this will be introduced in India.


What is a MITM (man-in-the-middle) attack?
A MITM attack involves intercepting a communication between two systems.
The motive is to read the exchanged data and inject false data. In internet banking, the false data can be a change to the intended beneficiary or the amount of the transaction.

The classic man-in-the-middle attack is one in which the attacker intercepts messages in a public key exchange and retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other while everything passes through, and can be altered by, the attacker.

How did the MITM attack get its name?
The attack gets its name from the ball game where two people try to throw a ball directly to each other while one person in between them attempts to catch it. In a MITM attack, the intruder uses a program that appears to be the server to the client and appears to be the client to the server.

What are the various techniques to thwart a MITM attack?
Popular protection techniques against MITM attacks authenticate the parties (or their keys) using:

  1. Public key infrastructures, i.e. certificates that bind a public key to an identity, so a substituted key does not carry a valid certificate.
  2. Secret keys (usually high-entropy secrets, and thus more secure), or
  3. Passwords (usually low-entropy secrets, and thus less secure).
  4. Latency examination, such as long cryptographic hash calculations that run into tens of seconds; if both parties normally take 20 seconds and the calculation takes 60 seconds to reach each party, this can indicate a third party in the path.
  5. Second (secure) channel verification, e.g. confirming a key fingerprint by phone.
  6. One-time pads, which are immune to MITM attacks assuming the security and trust of the pad itself.
  7. Carry-forward verification.
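The public-key substitution attack described above, and the difference between an unauthenticated key exchange and one authenticated with a shared secret (item 2 in the list), as an added example in Python. This is not code from the original post or from any vendor named on this page; the Diffie-Hellman group, the party names and the pre-shared key are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (assumption: the Mersenne
# prime 2^127-1 with generator 5). Production code uses an RFC 3526 / FFDHE
# group or an elliptic curve; the MITM logic below is independent of the group.
P = (1 << 127) - 1
G = 5


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Hash the raw DH secret into a 32-byte session key."""
    raw = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hashlib.sha256(raw).digest()


def unauthenticated_exchange():
    """Plain DH with Mallory on the wire. She replaces each party's public
    value with her own, so each side unknowingly agrees a key with Mallory."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    k_alice = dh_shared(a_priv, m_pub)       # Alice believes m_pub came from Bob
    k_bob = dh_shared(b_priv, m_pub)         # Bob believes m_pub came from Alice
    k_mal_with_alice = dh_shared(m_priv, a_pub)
    k_mal_with_bob = dh_shared(m_priv, b_pub)
    return {
        "mallory_reads_alice": k_mal_with_alice == k_alice,
        "mallory_reads_bob": k_mal_with_bob == k_bob,
        "alice_bob_agree": k_alice == k_bob,
    }


def tag(psk, role, pub):
    """Authenticate a public value with a high-entropy pre-shared secret."""
    return hmac.new(psk, role + pub.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_exchange(tamper):
    """DH where each public value carries an HMAC under a pre-shared key that
    Mallory does not hold. Returns True when both sides derive the same key,
    None when a substituted value is rejected before any key is used."""
    psk = secrets.token_bytes(32)            # shared out of band (assumption)
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    _, m_pub = dh_keypair()
    from_alice = (a_pub, tag(psk, b"A", a_pub))
    from_bob = (b_pub, tag(psk, b"B", b_pub))
    if tamper:
        # Mallory can swap the public values but cannot recompute the tags.
        from_alice = (m_pub, from_alice[1])
        from_bob = (m_pub, from_bob[1])
    # Bob verifies Alice's value, Alice verifies Bob's value.
    if not hmac.compare_digest(tag(psk, b"A", from_alice[0]), from_alice[1]):
        return None
    if not hmac.compare_digest(tag(psk, b"B", from_bob[0]), from_bob[1]):
        return None
    return dh_shared(b_priv, from_alice[0]) == dh_shared(a_priv, from_bob[0])


if __name__ == "__main__":
    print("plain DH with Mallory:", unauthenticated_exchange())
    print("PSK-authenticated, clean:", authenticated_exchange(tamper=False))
    print("PSK-authenticated, tampered:", authenticated_exchange(tamper=True))
```

Run it and the first line shows Mallory holding a working key with each side while Alice and Bob disagree; with the tagged values her substitution is rejected before any key is used. The same reasoning is why TLS relies on certificates (item 1): the server's public value must be bound to an identity the client can check.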

What is a MITB (man-in-the-browser) scenario?
In a MITB attack, a trojan infects the web browser and gains the ability to modify pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host application.

Security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions will not thwart MITB attacks: the trojan acts after the user has authenticated, inside a session the bank regards as genuine.

The effective way to repulse a MitB attack is transaction verification.
As the MitB trojan works by utilising common facilities provided to enhance browser capabilities, such as Browser Helper Objects, extensions and user scripts, it is very hard to detect with signature-based virus scanning software.

In an example exchange between user and host, e.g. an internet banking funds transfer, the customer will always be shown, via the confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly a different amount.

Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification. To counter MITB attacks, transaction verification has to be done through an out-of-band (OOB) mechanism, or by a signature computed by a device the trojan cannot reach over the details the customer actually saw.
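The eToken 3500 flow listed in steps 1 to 6 above, the 'transaction authentication' option from the ATM 3FA post, and the MITB scenario just described all come down to the same mechanism: the signing device computes a code over the beneficiary and amount the customer actually saw, and the bank recomputes it over the instruction it received. As an added example in Python (not SafeNet's code and not taken from the original post), the block below simulates a clean browser and a browser carrying a constructed MITB trojan; the seed, account numbers, amounts and time step are assumptions.

```python
import hashlib
import hmac

# Constructed example data. SEED stands for the per-customer secret that a
# transaction-signing token and the bank share at enrolment; a real token
# keeps it in tamper-resistant hardware and never exports it (assumption).
SEED = bytes.fromhex("1f" * 32)


def _truncate(mac, digits):
    """RFC 4226 dynamic truncation: turn a MAC into a short decimal code."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def login_otp(seed, step):
    """Ordinary login OTP: depends only on the seed and the time step."""
    return _truncate(hmac.new(seed, b"login|%d" % step, hashlib.sha256).digest(), 6)


def sign_transaction(seed, beneficiary, amount_paise, step):
    """Transaction signature: the code is bound to what the token read off
    the screen (beneficiary and amount) plus the time step."""
    msg = f"txn|{beneficiary}|{amount_paise}|{step}".encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest(), 8)


def bank_verify(seed, beneficiary, amount_paise, code, step, drift=1):
    """Bank side: recompute the signature over the instruction it actually
    received, tolerating a small clock drift between token and server."""
    for s in range(step - drift, step + drift + 1):
        if hmac.compare_digest(sign_transaction(seed, beneficiary, amount_paise, s), code):
            return True
    return False


def submit(intent, step, trojan=None):
    """One funds transfer. The user sees and confirms `intent`; a MITB trojan,
    if present, rewrites the request after confirmation; the bank then checks
    both the login OTP and the transaction signature on what it received."""
    request = dict(intent)
    request["login_code"] = login_otp(SEED, step)
    request["txn_code"] = sign_transaction(SEED, intent["beneficiary"], intent["amount_paise"], step)
    if trojan is not None:
        request = trojan(request)
    login_ok = hmac.compare_digest(login_otp(SEED, step), request["login_code"])
    txn_ok = bank_verify(SEED, request["beneficiary"], request["amount_paise"], request["txn_code"], step)
    return {"login_ok": login_ok, "txn_ok": txn_ok, "received": request}


def mitb_trojan(request):
    """Constructed attacker behaviour: redirect the payment to a mule account
    and raise the amount, forwarding the user's typed codes unchanged."""
    altered = dict(request)
    altered["beneficiary"] = "MULE-000000002"
    altered["amount_paise"] = 9_999_900
    return altered


INTENT = {"beneficiary": "ACC-1234567890", "amount_paise": 250_000}   # Rs 2,500.00
STEP = 27_000_000   # fixed time step for a reproducible run (assumption)

if __name__ == "__main__":
    print("clean browser:", submit(INTENT, STEP))
    print("MITB browser: ", submit(INTENT, STEP, trojan=mitb_trojan))
```

The attacked run still passes the login OTP check, which is the point of the article: authentication proves who started the session, not what is being sent in it. Only the code bound to the displayed beneficiary and amount fails, because the trojan cannot recompute it without the seed inside the token.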


Monday, December 19, 2011

Market for Indian Mobile Payment Segment - US$350 billion by 2015 - Is your Bank ready to be part of it?



The Interbank Mobile Payment Service (IMPS), launched by the National Payments Corporation of India (NPCI) in June 2010, received a boost as Citibank has introduced a new cash management solution around it.

The solution has been branded Citi Cash-to-Mobile and was launched last week with a pilot in Hyderabad, Andhra Pradesh, the retailers of Hindustan Coca-Cola Beverages Private Limited (HCCB), the bottling operation of the Coca-Cola Company in India, being the privileged lot.

The aim of this product is to completely automate the receivables of a corporate, thereby freeing company resources to concentrate on other activities.

Aimed at corporate and institutional clients, this market-first solution enables corporate customers to receive funds from retailers or end customers instantly via mobile.

As a Safe ePayments motivator, I find this new development very exciting, and the publicity surrounding the launch will encourage more and more banking consumers to experience the magic of IMPS.

The Mobile Money Identifier (MMID), the seven-digit number issued by the bank upon registration for IMPS, is a necessity for Citi Cash-to-Mobile to succeed.

The process flow is as under:
01) The corporate opens a banking account with Citi and an MMID is issued to it.

02) The MMID is communicated to its distribution channel partners.

03) The distribution channel partners' MMIDs are obtained and updated in the bank's as well as the corporate's Enterprise Resource Planning (ERP) solution.

04) On the payment due date, an SMS is sent by the corporate, reminding its channel partners of the bill amount due.

05) The channel partners transfer the funds via the IMPS module.

06) As the channel partners' MMIDs are stored in the ERP solution, reconciliation is automatic, and the MIS reports are forwarded to all concerned.

07) As IMPS works 24 hours a day, seven days a week, reconciliation can be done hourly, and the channel distributors can be encouraged to remit money at any time of the day or night.

08) The common excuse of 'bank is closed' will no longer be a show-stopper for bill payments.



Short term impact:

a) 30+ banks are on IMPS, but the remaining banks have to enter the IMPS circuit, as otherwise corporates might encourage their channel partners to move to banks offering IMPS.

b) Banks have to offer the complete suite of mobile banking services to enable their customers to obtain the full benefits of IMPS.

c) The CASA average balances at the sending bank and the receiving bank will increase, as senders have to maintain an adequate balance to transfer and the receiver's balance goes up correspondingly.

d) Banks too have to move to a 24x7 Core Banking Solution (CBS), as funds can now move in and out 24x7.

e) Once retail customers are familiar with IMPS, they will be encouraged to try out this channel for other payments/receivables too. This will provide the much-needed jump for IMPS.

Security:

01) The amount limits are as under:

With end-to-end encryption: a daily cap of Rs. 50,000 per customer per day, for both fund transfers and transactions involving purchase of goods and services.

Without end-to-end encryption: transactions up to Rs. 5,000 can be facilitated (RBI circular RBI/2010-11/511 DPSS.CO.No.2502/02.23.02/2010-11 dated May 4, 2011).

02) Funds cannot be transferred without an MMID, and an MMID is tied to a bank account, so a payment is unlikely to reach an unintended party. The residual risk sits with the sender's registered mobile number and mobile banking PIN (MPIN), which is what an attacker would need to take over.

Thanks to Citi for being the first bank to introduce a solution around IMPS. Now there is no stopping IMPS.

The possibilities are endless. Which will be the next bank to tap IMPS innovatively?

Let me end today’s Post with a quote : -


"It's easy to come up with new ideas; the hard part is letting go of what worked for you two years ago, but will soon be out of date."
— Roger von Oech

Sunday, December 18, 2011

Will the Indian Online channel security market too explode?




According to ABI Research, increased security requirements for online transactions will create a US market requirement of 1.8 billion units of one-time-password generators, portable smart card readers and USB tokens by 2016.

As ePayments, including internet and mobile banking, are on an increasing trend in India, there will be demand here too for one-time-password generators, portable smart card readers and USB tokens.

All of the above are part of the two-factor authentication (2FA) cycle, which is becoming the norm for BFSI (Banking, Financial Services, Insurance) transactions.

So, I will explain in brief the overall view of the above three security products.
One-time-password generators, portable smart card readers and USB tokens are all hardware-based solutions.

What are one-time password generators?

A one-time password (OTP) is a password that is valid for only one login session or transaction. Depending on the transmission mode, the OTP itself may be accepted for anywhere from 30 seconds (a time-synchronised token) up to 30 to 120 minutes (an SMS or e-mail OTP in some net-banking deployments); the longer the window, the longer a captured OTP stays useful to an attacker.

In contrast to static passwords, OTPs are not vulnerable to replay attacks: if a potential intruder manages to record an OTP that was already used to log into a service or to conduct a transaction, he or she will not be able to abuse it, since it is no longer valid.

OTPs cannot be memorised, as they are generated when required or selected from a pre-printed list of OTPs on paper.

OTPs are primarily generated by time-synchronised or mathematical-algorithm (counter- or challenge-based) methods.
Each method has its own plus and minus points.
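The two generation methods named above correspond to HOTP (counter-based, RFC 4226) and TOTP (time-synchronised, RFC 6238). As an added example in Python (not from the original post), the block below implements both, checked against the published test vectors, and adds the bank-side verifier that enforces the validity window and the single-use property the previous paragraphs describe; the window and step sizes are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Bank-side verifier. A code is accepted only if it falls inside a short
    validity window around the server's clock, and each counter value is
    consumed on first use so a captured code cannot be replayed."""

    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret = secret
        self.step = step
        self.window = window        # accepted steps either side of 'now'
        self.digits = digits
        self.used = set()           # counters already consumed

    def verify(self, code, unix_time):
        current = unix_time // self.step
        for c in range(current - self.window, current + self.window + 1):
            if c in self.used:
                continue            # single use: never accept a counter twice
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.used.add(c)
                return True
        return False                # wrong, expired, or already used


# RFC 4226 / RFC 6238 test secret; real seeds are random per customer.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SECRET, 0))          # RFC 4226 vector 755224
    print("TOTP at t=59, 8 digits:", totp(SECRET, 59, digits=8))   # RFC 6238 vector 94287082
    v = OtpVerifier(SECRET, step=30, window=1)
    code = totp(SECRET, 1000)
    print("fresh code, 10 s later:", v.verify(code, 1010))   # accepted
    print("same code replayed:", v.verify(code, 1040))       # rejected, consumed
    print("same code 2 min later:", OtpVerifier(SECRET).verify(code, 1120))   # rejected, expired
```

The verifier accepts a code only for a counter it has not consumed before, so even a code captured inside its validity window cannot be replayed; widening `window` is how a deployment trades clock drift tolerance against the length of time a stolen code stays useful.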

OTPs are delivered via
a) Text messaging.
b) Mobile phone apps.
c) Proprietary tokens.
d) Web-based methods.
e) Paper.

Yes, paper: in some countries, viz. Germany and Austria, for online banking the bank sends the user a numbered list of OTPs printed on paper. For every online transaction, the user is required to enter a specific OTP from that list. As and when an OTP is used, it expires. Another interesting use of a pre-calculated OTP list on paper is as a replacement for the easy-to-guess security questions on websites.

In recent times, OTPs have been defeated in MITM attacks (the attacker relays the freshly generated OTP to the bank in real time, within its validity window). Hence IT security teams are looking at ways to make OTPs stronger, notably by binding the OTP to the transaction it authorises.


What are portable smart card readers?

Smart cards are used worldwide to secure identities in many applications, such as bank payment cards, employee access badges, government identity cards and health care IDs.
Smart cards require readers to read the information stored on them, and hence portable smart card readers are being introduced by IT security companies.

Cardholders can use the reader to pay more securely or to authenticate their network identities with banks, employers, government agencies or healthcare providers.

The readers enable cardholders to use their smart cards anytime, anywhere with PCs, the internet or other terminals. Depending on the smart card and the reader model, some allow physical access to buildings too.


What are USB tokens?

As the name suggests, a USB token is a security token packaged as a physical USB device, given to an authorised user of computer services to ease authentication; the broader term security token also covers software tokens.

The function of a security token is to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to, or in place of, a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

There are four types of tokens:
Static password
Synchronous dynamic password
Asynchronous password
Challenge-response


The security token is the "something you have", used along with a PIN or password, the "something you know".
The token can hold multiple types of credentials, including multiple certificates, key sets, finger-based biometric templates, user names and passwords, and software token seed records. The main advantage of a USB token over a smart card is that a separate smart card reader is not required.


Indian consumers would be interested in the above three security products to enhance the safety of their internet/mobile BFSI transactions.

A more detailed study of the pros and cons of each product might help BFSI companies to offer the safest possible product to their clients.




Disclaimer

The thoughts in this BLOG are personal, and reflect only my view on the subject.
These are not the views of my employers.
All image and logo rights rest with the original title holders.

All efforts have been made to make this information as accurate as possible; N Prashant will not be responsible for any loss to any person caused by inaccuracy in the information available on this website. Relevant official gazettes and communications may be consulted for accurate information. Any discrepancy found may be brought to the notice of N Prashant.