How smart financial institutions develop versatile authentication
A highly connected world has spawned a diversity of security risks. The security stakes are high, if not the highest, for financial institutions (FIs).
A 2014 survey by recruitment firm Robert Half found that 60% of banks and financial services companies in Singapore were increasing their spending on IT security compared with the previous year. This is the highest percentage of any of the markets it surveyed and well above the global average of 50%.
The survey of 725 senior financial services leaders in Australia, Hong Kong, Japan, the UAE, the UK and Singapore also showed that IT security is now more likely to get increased funding than other banking functions, such as regulatory reform and compliance (57%), product development (54%) or digital initiatives (online banking, user experience – 51%).
This prioritization of security spending also dovetails with the guidance that monetary authorities around the region, notably in Hong Kong and Singapore, have issued on minimizing technology risk. That guidance includes reliable and effective techniques for authenticating online banking customers.
To begin with, customer authentication is stronger when it combines two or more of the following factors: something the customer knows (a password or PIN), something the customer has (a hardware token or registered mobile phone), and something the customer is (a biometric).
Guidelines typically require FIs, or authorized institutions, as they are known in Hong Kong, to evaluate the maturity of an authentication method and how well it holds up when part of the system, such as the customer's browser or PC, is already compromised.
FIs should implement two-factor authentication at login for online financial systems and transaction signing for authorizing transactions.
They should also complement two- or multi-factor authentication with controls and processes such as sending confirmation to customers about online transfers to unregistered third parties; taking appropriate measures to minimize exposure to man-in-the-middle (MITM) attacks and other cyber attacks; and educating their customers on security measures that have been deployed.
Many FIs have begun introducing various levels of authentication depending on the transaction or enquiry, such as:
- Log in with just user ID and PIN to access basic account information like account balances
- Make low-risk enquiries, such as viewing transaction history, and conduct low-value fund transfers and bill payments, using a one-time password (OTP) sent to the customer's mobile phone or generated by a security device
- Conduct ‘high-risk’ transactions – such as add payees, update personal particulars, change transaction limits, or perform high-value transactions – using transaction signing
Transaction signing requires customers to digitally ‘sign’ and authorize an online transaction with an OTP that the token generates from transaction-specific details entered by the customer, such as the payee account or reference number and the transaction amount. Sensitive details of this kind are typically masked when displayed.
Because the resulting code is bound to those details, an attacker who alters the payee or amount in transit invalidates the signature; the bank recomputes it from the details it actually received and rejects the mismatch. Combined with two-factor authentication at login, this closes a gap that a login-only OTP leaves open.
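The following is an added example, not code from the article, i-Sprint or Vasco, and it does not reproduce the actual DIGIPASS algorithm. It models the tiers described above with an HMAC construction in the style of RFC 4226 HOTP: a plain counter-based OTP for login, and a transaction signature that mixes the payee account and amount into the same HMAC. The constructed scenario shows that a man-in-the-middle who rewrites the payee defeats the login-style OTP but not the transaction signature, and that a consumed counter prevents replay. The seed, account numbers, amounts and the look-ahead window of 3 are assumptions for illustration.

```python
import hmac
import hashlib
import struct

DIGITS = 8  # assumed code length; an 8-digit code is common for signing tokens


def canonical_challenge(payee_account: str, amount_cents: int) -> bytes:
    """Encode the details the customer keys into the token in one fixed form.

    Token and server must agree byte-for-byte, so only the account digits are
    kept and the amount is carried in cents.
    """
    account_digits = "".join(ch for ch in payee_account if ch.isdigit())
    if not account_digits or amount_cents < 0:
        raise ValueError("invalid transaction details")
    return f"{account_digits}|{amount_cents}".encode("ascii")


def truncate(mac: bytes, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation, generalised to `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp(secret: bytes, counter: int, challenge: bytes = b"") -> str:
    """Login OTP when `challenge` is empty, transaction signature otherwise.

    The event counter is mixed in so that a captured code is single-use.
    """
    msg = struct.pack(">Q", counter) + challenge
    return truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def sign_transaction(secret: bytes, counter: int,
                     payee_account: str, amount_cents: int) -> str:
    """What the customer's token computes from the details it was given."""
    return otp(secret, counter, canonical_challenge(payee_account, amount_cents))


class TokenRecord:
    """Server-side state for one customer's token (constructed, in-memory)."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0        # next counter value the server expects
        self.window = window    # tolerated look-ahead for unused token presses

    def _verify(self, code: str, challenge: bytes) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(otp(self.secret, c, challenge), code):
                self.counter = c + 1    # consume the counter: no replay
                return True
        return False

    def verify_login(self, code: str) -> bool:
        return self._verify(code, b"")

    def verify_transaction(self, code: str, payee_account: str,
                           amount_cents: int) -> bool:
        # The server binds the code to the details IT received, so a payee or
        # amount changed in transit produces a different challenge and fails.
        return self._verify(code, canonical_challenge(payee_account, amount_cents))


def mitm_demo() -> dict:
    """Constructed scenario: customer signs a transfer, attacker rewrites payee."""
    seed = b"constructed demo seed, not a real token secret"
    server = TokenRecord(seed)
    customer_counter = 0

    # Tier 1/2: a plain OTP with no transaction details, as at login.
    login_code = otp(seed, customer_counter)
    customer_counter += 1
    login_ok = server.verify_login(login_code)

    # Tier 3: customer signs a transfer of 1,000.00 to account 1234-567-890.
    intended_payee, amount = "1234-567-890", 100_000
    sig = sign_transaction(seed, customer_counter, intended_payee, amount)
    customer_counter += 1

    # Attacker rewrites the payee before the request reaches the bank.
    tampered_payee = "9876-543-210"
    tampered_ok = server.verify_transaction(sig, tampered_payee, amount)
    honest_ok = server.verify_transaction(sig, intended_payee, amount)
    replay_ok = server.verify_transaction(sig, intended_payee, amount)

    # Contrast: a login-style OTP carries no details, so the same rewrite
    # would go unnoticed if only that OTP protected the transfer.
    plain_code = otp(seed, customer_counter)
    plain_otp_accepts_tampered = server.verify_login(plain_code)

    return {
        "login_ok": login_ok,
        "tampered_ok": tampered_ok,
        "honest_ok": honest_ok,
        "replay_ok": replay_ok,
        "plain_otp_accepts_tampered": plain_otp_accepts_tampered,
    }
```

Two points in the design carry over to real deployments: the challenge encoding must be identical on the token and the server, since the customer keys in exactly the digits the screen shows, and the counter (or time step) must be consumed on success so that an intercepted signature cannot be presented twice.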
Bank of China’s deployment
To cope with evolving challenges of online security, Bank of China (Hong Kong) Limited (BOCHK) needed reliable security measures with stronger authentication and transaction signing capacity to enhance security of its Internet banking services.
BOCHK achieved this with i-Sprint’s two-factor authentication (2FA) and Vasco’s DIGIPASS tools and VACMAN core authentication engine to verify a customer’s online identity and secure online transactions with data signing capabilities.
Meanwhile, i-Sprint’s AccessMatrix Universal Authentication Server (UAS) supports BOCHK’s 2FA security platform with end-to-end token management. The AccessMatrix identity, credential, and access management solutions provide authentication, end-to-end encryption, as well as authorization that complies with regulatory requirements for secure Internet banking.
“With the 2FA security platform, we are planning to extend protection to other banking delivery channels such as mobile banking and phone banking,” said Cheung Wai Ki, head of Direct Banking (deputy general manager) of BOCHK. “In addition, we will explore new and innovative ways to better serve our customers.”
“With our proven experience with other financial institutions globally, we were able to assist BOCHK in implementing the ‘bank-grade’ strong authentication solution in less than three months,” said Albert Ching, CEO of i-Sprint.
The VACMAN authentication platform drives the DIGIPASS authentication tools, handling login requests and providing authenticated users access to protected applications and networks. The platform also protects customers’ online transactions from MITM attacks by validating e-signatures.
Future proofing and end-to-end encryption
As technologies evolve, FIs must be able to rapidly deploy the appropriate authentication methods that meet their requirements.
i-Sprint’s AccessMatrix UAS supports a wide range of authentication methods using a Pluggable Authentication Module (PAM) approach and new ones can be added to cater for evolving authentication mechanisms. Two or more authentication methods can be chained for strong authentication and authorization requirements.
While FIs can leverage ready-made PAMs and native integration with existing LDAP, AD and JDBC directories, they can also use the PAM framework to add new authentication methods. Further, out-of-the-box end-to-end token and biometrics life cycle management modules streamline administration and reduce time-to-market.
But even as FIs consider implementing multi-factor authentication, it is critical that static passwords be adequately protected.
The AccessMatrix UAS encrypts the static password end to end, from the point of input in the browser to the point of decryption and comparison inside a tamper-resistant hardware security module (HSM). The password is therefore never in the clear on any intermediate hop, so an attacker who intercepts or terminates the TLS session still cannot read it, and a server-side memory disclosure such as the Heartbleed bug in OpenSSL exposes only ciphertext whose key never leaves the HSM.
This is a QuestexAsia feature commissioned by i-Sprint Innovations.