Case Study

Bank of India’s 2FA with mutual authentication goes beyond OTPs

Sameer Ratolikar, the CISO at Bank of India, still vividly remembers the tough days of 2008-09 when the bank's customers were victimized by cyber frauds. With its strong online banking drive, the need of the hour was a robust two-factor authentication (2FA) solution, says Ratolikar. Reprieve came to Bank of India in the form of virtual private secure internet (VPSI) technology based on mutual authentication, a move which has seen overwhelming success with the bank's customers.

Sameer Ratolikar - CISO, Bank of India

In its journey sans consultants, Bank of India’s first move was to evaluate solutions from various vendors. According to Ratolikar, almost all 2FA solutions were considered (including hardware-based tokens and risk-based authentication). Based on third-party research, the consensus was to go beyond one-time password (OTP) based tokens, which could not prevent threats like pharming, man-in-the-middle (MITM), man-in-the-browser (MITB) or Web 2.0 attacks.

Bank of India went with Uniken's 2FA solution, with mutual authentication as its cornerstone. VPSI technology relies on the two parties authenticating each other before any information is exchanged. The final factor in favor of this solution was cost effectiveness: being software-based, it does not require hardware tokens to be issued, resulting in savings.

Getting the ball rolling

The project started in January 2010 with a six-month rollout, says Ratolikar. Based on the proprietary 'Rel-ID' protocol, Uniken's VPSI mutual authentication technology is used by Bank of India under the 'Startoken' brand (after Bank of India's Star emblem). It integrates into Bank of India's Internet banking process framework — the user is enrolled, activated and supported by Bank of India's Internet Banking division.

Infrastructure considerations required Bank of India to acquire servers recommended by Uniken. The basic requirements included tunneling, application and database servers for the mutual authentication system, at the datacenter end and replicated at Bank of India's DR site. HP implemented the mutual authentication solution and, as the system integrator, handles the front-end process. The bank's 2FA implementation has an L1, L2 and L3 support arrangement with HP and Uniken.

Under the hood

The Rel-ID mutual authentication protocol establishes identity using the following parameters:

a) Two-way identification of each endpoint

b) The software being used

c) The client device being used

These three parameters are tied together, with a relationship created between them. The resulting unique device signature is controlled on the server side, minimizing the client-side risk. The user can add more than one device fingerprint by answering a secure question challenge (set up on the token's first use) and entering an OTP PIN delivered over SMS.

The mutual authentication package relies on patches automatically pushed from the server component whenever a client activates. Bank of India’s 2FA implementation does not communicate directly with its core-banking system, and depends on API layers to connect to the Internet banking database.
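The three-way binding (user, software, device) and the two-way handshake described above can be sketched in code. The following is an added illustration written for this article, not Uniken's Rel-ID protocol or any Bank of India code: it assumes a per-device shared key established at enrollment and an HMAC challenge-response in each direction, with the server proving itself first so that a site without the device key gets nothing from the client. All names (`device_signature`, `AuthServer`, `TokenClient`, `KeylessServer`) and sample values are constructed.

```python
import hashlib
import hmac
import secrets


def device_signature(user_id, software_build, device_id):
    """Tie the three identity parameters (user endpoint, software, device) into one value.

    Hypothetical scheme: the server stores only this digest, so changing any one
    component (different build, different machine) yields a signature it has never
    seen and the device has to be enrolled again.
    """
    material = "\x1f".join([user_id, software_build, device_id]).encode()
    return hashlib.sha256(material).hexdigest()


def _proof(key, label, first_nonce, second_nonce):
    """HMAC over both nonces; the label keeps server proofs and client proofs distinct."""
    return hmac.new(key, label + first_nonce + second_nonce, hashlib.sha256).digest()


class AuthServer:
    """Server side: holds per-device keys and must prove itself before the client answers."""

    def __init__(self):
        self._keys = {}      # (user_id, device signature) -> shared key set at enrollment
        self._pending = {}   # server nonce -> (key, client nonce) for handshakes in flight

    def enroll(self, user_id, software_build, device_id):
        # Enrollment binds a fresh key to this user+software+device combination
        # (assumed here to be delivered inside the PIN-linked token package).
        key = secrets.token_bytes(32)
        self._keys[(user_id, device_signature(user_id, software_build, device_id))] = key
        return key

    def start(self, user_id, signature, client_nonce):
        key = self._keys.get((user_id, signature))
        if key is None:
            return None  # this user has never enrolled a device with this signature
        server_nonce = secrets.token_bytes(16)
        self._pending[server_nonce] = (key, client_nonce)
        # The server commits first: an endpoint without the key cannot produce this proof.
        return server_nonce, _proof(key, b"server", client_nonce, server_nonce)

    def finish(self, server_nonce, client_proof):
        entry = self._pending.pop(server_nonce, None)  # each server nonce is usable once
        if entry is None:
            return False
        key, client_nonce = entry
        expected = _proof(key, b"client", server_nonce, client_nonce)
        return hmac.compare_digest(expected, client_proof)


class TokenClient:
    """Client side: the token package bound to one user, one build and one device."""

    def __init__(self, user_id, software_build, device_id, key):
        self.user_id = user_id
        self.signature = device_signature(user_id, software_build, device_id)
        self.key = key

    def authenticate(self, server):
        client_nonce = secrets.token_bytes(16)
        reply = server.start(self.user_id, self.signature, client_nonce)
        if reply is None:
            return False
        server_nonce, server_proof = reply
        expected = _proof(self.key, b"server", client_nonce, server_nonce)
        if not hmac.compare_digest(expected, server_proof):
            return False  # server failed to authenticate itself; send nothing further
        return server.finish(server_nonce, _proof(self.key, b"client", server_nonce, client_nonce))


class KeylessServer:
    """An endpoint that answers the handshake without holding any device key
    (stands in for a spoofed banking site in the walkthrough)."""

    def start(self, user_id, signature, client_nonce):
        return secrets.token_bytes(16), secrets.token_bytes(32)  # random bytes, not a real proof

    def finish(self, server_nonce, client_proof):
        return True  # never reached: the client stops after the failed server proof


def walkthrough():
    """Constructed sample run: the enrolled device passes, the other cases are refused."""
    server = AuthServer()
    key = server.enroll("cust-0001", "startoken-build-1", "device-A")
    enrolled = TokenClient("cust-0001", "startoken-build-1", "device-A", key)
    other_machine = TokenClient("cust-0001", "startoken-build-1", "device-B", key)
    return {
        "enrolled_device": enrolled.authenticate(server),
        "same_user_other_device": other_machine.authenticate(server),
        "server_without_key": enrolled.authenticate(KeylessServer()),
    }
```

The order of the exchange is the point: the client only releases its own proof after the server has demonstrated possession of the device key, which is what an OTP alone cannot give a user, and a second machine, even with the right user and software build, is refused until it is enrolled through the server-side process the article describes.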

The early days

The mutual authentication solution was rolled out in stages with a sample set of 25 internal customers (Bank of India employees) as the first candidates. After preliminary trials, the initial sample was raised to 500 bank employees across India.

Feedback from this exercise enabled addressing usability issues, making the mutual authentication solution more user-friendly without diluting security. The first batch of 10,000 customer tokens was generated in October 2010. After finalization of product design, Bank of India was enrolling close to 1000 customers a day.

Enrollment

The enrollment process is straightforward, says Ratolikar, beginning with the delivery of the 'Startoken' PIN mailer to the user. The PIN is used to download the mutual authentication software package, which is linked to the user's token PIN. The token software package is a Windows-only portable package that requires neither administrator privileges nor installation. The download is less than 1 MB in size.

The package contains a secure-shell desktop with a built-in mutual authentication mechanism and a proprietary stand-alone hardened browser, free of browser helper objects (BHOs), which customers use to access Bank of India's Internet banking service. The secure shell is a sandbox that locks out Trojans, keyloggers and other malicious software. The final part of the enrollment process involves fingerprinting the user's machine and acquiring the bank server's fingerprint to facilitate mutual authentication.

Given that this was possibly the biggest roll-out of the nascent mutual authentication technology, snags were inevitable. The development team had to deal with basic logistical problems, from PIN mailers not reaching users to the VPSI client failing to download or open on a user's machine. Ratolikar says that while the team had tried to iron out all the kinks in the testing phase, these were expected issues. Rather than put the roll-out on hold, Bank of India chose to document issues and mitigate them on the fly.

Dividends and the way forward

Before implementation of the mutual authentication-based 2FA technology, Bank of India had lost lakhs to cyber fraud. According to Ratolikar, the real return on investment is the zero-incident record that has been maintained, two years on. The token cost is extremely low, a minuscule percentage of the transaction cost. The mutual authentication implementation has paid dividends in terms of customer acquisition, customer satisfaction, prevention of reputational loss and a boost to Bank of India's brand image.

The implementation presently has an active user base of 1.5 lakh (1,50,000) customers, which Ratolikar intends to extend to 3 lakh (3,00,000) customers in the next six months. The project presently enrolls close to 10,000 customers every month. This figure may go up to 25,000 users, with Bank of India planning to bring its entire Internet banking clientele under the aegis of the 'Startoken' mutual authentication-based 2FA.

The initial rollout cost for 3 lakh customers is pegged at Rs 3 crore (Rs 30 million). Ratolikar expects additional expenditure once more customers are brought on board. At present, this mutual authentication-based 2FA service is available free of charge to all of Bank of India's corporate and retail customers in India and abroad. A client for mobile devices may also be in the works.

Please send your feedback to vharan at techtarget dot com.


This was first published in March 2012