
Monday, January 23, 2012

ArrayShield Card - One more weapon from India for Online Security



This morning, while reading 'The Hindu' @ Safe, I read about an ArrayShield product, the ArrayShield Card.

More about this card can be read on the company's website, under "How it works?".
In the last couple of months, my focus has been on solutions for safe online banking technologies.

ArrayShield Card has made a beginning in the new direction for 2FA (2 Factor Authentication).
The ArrayShield Card does not rely on Mobiles or RSA tokens, but on a proprietary ArrayShield translucent Card.

The process, in brief, is as follows:
1. Users choose a memorable pattern (a sequence of cells on the array) as their secret and register it.
2. On logging into an ArrayShield-enabled protected site, the user has to overlap the ArrayShield Card, which will display the specific values.
3. The specific values are an OTP (one-time password), which has to be entered on the login page.
4. Every time users log on, they are presented with a challenge array of random characters, which is displayed on their computer screen.
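The pattern-and-challenge idea in the steps above, as an added example that is not ArrayShield's code or algorithm: a simplified model in which the response is read straight off the challenge array at the secret cells. How the translucent card transforms the on-screen array is not described here and is not modelled; the array size, character set, `PatternLogin` class and sample pattern are assumptions.

```python
import hmac
import secrets
import string

ROWS, COLS = 4, 6                                  # assumed array size
ALPHABET = string.ascii_uppercase + string.digits  # assumed character set

def new_challenge():
    """Step 4: a fresh array of random characters for every login."""
    return [[secrets.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]

def read_pattern(grid, pattern):
    """Steps 2-3: read the characters at the secret cells, in order."""
    return "".join(grid[r][c] for r, c in pattern)

class PatternLogin:
    """Hypothetical server: stores patterns, issues single-use challenges."""
    def __init__(self):
        self.patterns = {}  # user -> registered pattern (step 1)
        self.pending = {}   # user -> challenge awaiting a response

    def register(self, user, pattern):
        if not all(0 <= r < ROWS and 0 <= c < COLS for r, c in pattern):
            raise ValueError("pattern cell outside the array")
        self.patterns[user] = list(pattern)

    def challenge(self, user):
        self.pending[user] = new_challenge()
        return self.pending[user]

    def verify(self, user, response):
        grid = self.pending.pop(user, None)  # consumed even on failure
        if grid is None or user not in self.patterns:
            return False
        expected = read_pattern(grid, self.patterns[user])
        return hmac.compare_digest(expected.encode(), response.encode())

def demo():
    server = PatternLogin()
    secret_pattern = [(0, 0), (1, 2), (2, 4), (3, 5)]  # constructed sample
    server.register("alice", secret_pattern)
    otp = read_pattern(server.challenge("alice"), secret_pattern)
    first = server.verify("alice", otp)     # correct response: accepted
    replay = server.verify("alice", otp)    # no open challenge: rejected
    server.challenge("alice")
    wrong = server.verify("alice", "")      # empty answer: rejected
    return first, replay, wrong
```

The secret pattern never crosses the wire; only the characters it selects from one challenge do, and that challenge is discarded after a single attempt.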


ArrayShield Card has been launched very recently and as the usage spreads by word of mouth, more and more websites would be interested in it.

As more and more products are introduced for Safe eBanking, the number of converts from physical banking to eBanking will increase, benefiting the Banks as well as the bank's customers.


Sunday, December 18, 2011

Will the Indian Online channel security market too explode?




According to ABI Research, the US market will require 1.8 billion units of one-time-password generators, portable smart card readers, and USB tokens by 2016, for increased security requirements for online transactions will create

As ePayments, including Internet / Mobile banking, are on an increasing trend in India, there will be demand for one-time-password generators, portable smart card readers, and USB tokens.

All of the above are part of the 2 Factor Authentication (2FA) cycle, which is becoming the norm for all BFSI (Banking, Financial Services, Insurance) transactions.

So, I will give a brief overview of the above 3 security products.
One-time-password generators, portable smart card readers, and USB tokens are hardware-based solutions.

What are one-time password generators?

A one-time password (OTP) is a password that is valid for only one login session or transaction. The session might last from 30 minutes to 120 minutes, depending on the transmission mode of the OTP.

In contrast to static passwords, they are not vulnerable to replay attacks. This means that, if a potential intruder manages to record an OTP that was already used to log into a service or to conduct a transaction, he or she will not be able to abuse it since it will be no longer valid.

OTPs cannot be memorised, as they are generated when required or are selected from a set of OTPs printed on paper.

OTPs are primarily generated by time-synchronised or mathematical-algorithm methods.
Each method has its own plus and minus points.

OTPs are delivered via:
a) Text messaging.
b) Mobile Phones.
c) Proprietary tokens.
d) Web-based methods.
e) Paper

Yes, paper: in some countries, viz. Germany and Austria, for online banking the bank sends the user a numbered list of OTPs printed on paper. For every online transaction, the user is required to enter a specific OTP from that list. Once an OTP is used, it expires. Another interesting use of pre-calculated paper OTPs is as a replacement for the easy-to-guess security questions on websites.

In recent times, OTPs have been part of MITM (Man-in-the-Middle) attacks. Hence, the IT security industry is finding various ways to make OTPs stronger.


What are portable smart card readers?

Smart cards are being used worldwide to secure identities in many applications, such as bank payment cards, employee access badges, government identity cards and health care IDs.
Smart cards require readers to read the information stored on them, and hence portable smart card readers are being introduced by IT security companies.

Cardholders can use the reader to pay more securely or to authenticate their network identities with banks, employers, government agencies, or healthcare providers.


The readers enable cardholders to use their smart cards anytime, anywhere, with PCs, the Internet or other terminals. Depending on the smart card and the reader model, some allow physical access to buildings, too.


What are USB tokens?

As the name suggests, a USB token is a security token, which may be a physical device that an authorized user of computer services is given to ease authentication, or a software token.

The function of a security token is to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

There are four types of tokens:
a) Static password
b) Synchronous dynamic password
c) Asynchronous password
d) Challenge response


The security token is the “something you have”, used along with a PIN or password, the “something you know”.
The token can hold multiple types of credentials, including multiple certificates, key sets, finger-based biometric templates, user names and passwords, and software token seed records. The main advantage of a USB token is that a smart card reader is not required.


Indian consumers would be interested in the above 3 security products to enhance the security of their Internet/Mobile BFSI transactions.

A more detailed study of the pros and cons of each product might help BFSI companies to offer the safest possible product to their clients.




Disclaimer

The thoughts in this BLOG are personal, and reflect only my view on the subject.
These are not the views of my Employers.
All image and logo rights rest with the Original TitleHolders.

All efforts have been made to make this information as accurate as possible. N Prashant will not be responsible for any loss to any person caused by inaccuracy in the information available on this Website. Relevant Official Gazettes Communications may be consulted for accurate information. Any discrepancy found may be brought to the notice of N Prashant.