Comment: Authentication’s what you need

17 Nov 2004

With so many potential pitfalls you could be forgiven for thinking that the internet is a minefield, best not visited at all. To the terminally wary, the security shortcomings don’t bear thinking about – the possibility exists that you could have your movements spied on, your PC infected, your bank details stolen, all without leaving your own home. These worries are amplified at the thought of banking online.

Much of this is a perception issue, not helped by recent phishing scams that try to trick users into revealing their bank details. The collateral damage is that confidence in online banking is eroded unnecessarily. But a new weapon to battle this perception is at hand: not much bigger than a USB storage device or pocket calculator, it could be the key to opening up e-commerce and online banking to a wider and previously fearful audience.

Vasco, a Belgian company, is making inroads throughout Europe and beyond with its product, which is a combination of server software running on a bank’s systems and a small piece of plastic held by each user, capable of generating a numerical password dynamically that allows the user to go online safely and securely.

It’s based on the premise of ‘something you have and something you know’, which is known in the security business as two-factor authentication. The token, which is what you physically have, generates the one-time password. Combined with the PIN, which each user must memorise, the process presents a moving target that is difficult to pin down and trace. The token is a simple device, often smaller than a calculator and weighing no more than a couple of grams. Each token, or Digipass in Vasco parlance, has a unique profile, and the bank’s server knows this profile.

Most importantly, the system is easy to use, and its security benefits are readily apparent. It gets around having to use the same PC every time: because the password is generated on the fly, any computer can be used to access the site. Even if the token is lost, it is useless without the PIN code that activates it. If the machine you are using is infected with spyware or a keystroke logger, capturing the password counts for nothing, because it differs for every single transaction and cannot be used without the PIN.

“Banks see the security tool as a way of showing their customers that online transactions do not jeopardise the security of their money or endanger the viability of the internet as a business channel,” noted Jochem Binst, director of corporate communications with Vasco.

Phishing attacks, to pick a common and recent example, use a combination of fake emails and fraudulent websites to fool recipients into revealing personal financial data such as credit card numbers, account usernames and passwords. Vasco’s system also allows the user to check that a site is bona fide before entering any confidential banking details. Binst explains: “You as a user generate a challenge and then the bank has to come up with a response. If it is identical, then you know you’re entering the right website and that it’s not a decoy.”
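The three properties described above (a PIN-locked token producing a fresh code each time, a server that knows each token’s profile, and a user-generated challenge that only the genuine bank can answer) can be simulated in a few dozen lines. The following is an added illustration, not Vasco’s code or its Digipass algorithm, which the article does not describe: the event-counter HMAC-SHA256 scheme, the dynamic truncation to six digits, the serial number, the seed value and the PIN are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: a simulated hardware token and a bank server that share
# a per-token secret ("profile"). Event-counter HMAC-SHA256 with HOTP-style
# truncation is assumed here for illustration only; the real Digipass
# algorithms are not described on the page.

DIGITS = 6          # length of the one-time password shown on the token display
SEARCH_WINDOW = 10  # how far past its stored counter the server will search


def truncate(mac: bytes, digits: int) -> str:
    """Reduce an HMAC to a short decimal code that a user can type in."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def one_time_password(seed: bytes, counter: int) -> str:
    """Code for one press of the token button: depends on seed and counter."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return truncate(mac, DIGITS)


def site_response(seed: bytes, challenge: str) -> str:
    """What the genuine bank must answer to a user-generated challenge."""
    mac = hmac.new(seed, b"site:" + challenge.encode(), hashlib.sha256).digest()
    return truncate(mac, 8)


class Token:
    """'Something you have': holds the seed, unlocked by the PIN ('something you know')."""

    def __init__(self, serial: str, seed: bytes, pin: str):
        self.serial = serial
        self._seed = seed
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._counter = 0

    def _pin_ok(self, pin: str) -> bool:
        return hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)

    def login_code(self, pin: str):
        if not self._pin_ok(pin):
            return None          # a lost token is useless without the PIN
        self._counter += 1       # every press yields a fresh code
        return one_time_password(self._seed, self._counter)

    def new_challenge(self) -> str:
        """The user asks the token for a random challenge to put to the website."""
        return f"{secrets.randbelow(10 ** 8):08d}"

    def expected_site_response(self, pin: str, challenge: str):
        if not self._pin_ok(pin):
            return None
        return site_response(self._seed, challenge)


class BankServer:
    """Knows each token's profile: its seed and the last counter it accepted."""

    def __init__(self):
        self._profiles = {}

    def enrol(self, serial: str, seed: bytes) -> None:
        self._profiles[serial] = {"seed": seed, "counter": 0}

    def verify_login(self, serial: str, code: str) -> bool:
        prof = self._profiles.get(serial)
        if prof is None:
            return False
        for c in range(prof["counter"] + 1, prof["counter"] + 1 + SEARCH_WINDOW):
            if hmac.compare_digest(one_time_password(prof["seed"], c), code):
                prof["counter"] = c   # move past it: a captured code cannot be replayed
                return True
        return False

    def answer_challenge(self, serial: str, challenge: str):
        prof = self._profiles.get(serial)
        return None if prof is None else site_response(prof["seed"], challenge)


def demo() -> dict:
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed seed
    token = Token("DP-000001", seed, pin="4321")              # constructed serial and PIN
    bank = BankServer()
    bank.enrol(token.serial, seed)
    decoy = BankServer()          # a phishing site: has no profile and no seed

    code = token.login_code("4321")
    first = bank.verify_login(token.serial, code)
    replay = bank.verify_login(token.serial, code)   # keylogged code, reused
    without_pin = token.login_code("0000")           # wrong PIN: token stays locked

    challenge = token.new_challenge()
    expected = token.expected_site_response("4321", challenge)
    genuine = bank.answer_challenge(token.serial, challenge) == expected
    decoy_ok = decoy.answer_challenge(token.serial, challenge) == expected
    return {"first_login": first, "replay": replay, "without_pin": without_pin,
            "genuine_site": genuine, "decoy_site": decoy_ok}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the behaviour the article attributes to the token: the first code is accepted, the same code presented again is rejected because the server has moved its counter past it, the token yields nothing without the correct PIN, and only the server holding the token’s profile can answer the user’s challenge, so a decoy site fails the check.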

The token system also has applications within the banking sector and is already being used by two Irish companies, in addition to many others around Europe and beyond. ACC Bank uses it in its corporate offering for giving enterprises access to their accounts. Prudential uses it for its network of brokers. Further afield, Rabobank in Holland has more than two million token products in use. This may be just a coincidence, but according to Binst, Rabobank also happens to be the most popular internet bank in Europe.

Binst points out that the usage models needn’t be restricted to banking. Vasco has customers in the healthcare and car manufacturing markets. He confirms that the company is also interested in the growing e-government market, which is a natural fit with the moves to make interaction between the citizen and the State take place online. Take a look at the picture – you might just be seeing more of these kinds of devices in the future.

By Gordon Smith