Two factor authentication thwarts identity theft at Bank of India
By Dhwani Pandya, Principal Correspondent
19 Jan 2010 | SearchSecurity.in
Phishing and pharming driven online identity thefts have become a
major information security concern for Indian banks. Bank of India, a
leading public sector bank in India, has also faced its own share of
phishing attacks in the past, causing financial losses for its
customers. Compounding these threats are emerging crimeware threats
such as man-in-the-middle and man-in-the-browser attacks. "Protecting
the customer's identity while he is on the Internet banking channel was
our primary concern," says Sameer Ratolikar, the chief information
security officer for Bank of India. Such identity thefts not only cause
financial losses to customers, but also directly impact the bank's
reputation and business, explains Ratolikar. These were some of the
main concerns which drove Bank of India to adopt two factor
authentication to protect its online banking customers. According to
Ratolikar, Bank of India is the first public sector bank in India to
adopt two factor authentication for online banking.
Bank of India serves around 30 million (3 crore) customers, out of
which 3,00,000 customers prefer Internet banking. The bank had to
protect these 3,00,000 customers from online identity thefts. Earlier,
the bank only used usernames and passwords to authenticate customer
identity. It became essential to add another authentication level, and
two factor authentication provided the right answer.
In 2008, Bank of India started searching for a two factor
authentication solution. Depth of coverage for attack vectors, easy
usability, and convenience were among the main selection criteria. As
part of the process, Bank of India evaluated several solutions and
shortlisted three vendors. Out of these, HP-Uniken's solution was
selected since it was the lowest bid, says Ratolikar. This is HP's
customized two factor authentication solution for Bank of India, which
uses USB-based hardware tokens and software tokens. The front end of
the solution is provided by HP, while the back end is provided by
Uniken Systems. Software tokens are allotted to retail customers, while
corporate customers are provided with USB-based hardware tokens. "As
corporate customers' transactions involve very high amounts, we wanted
to give them more security. Security provided by the hardware device is
much higher than software residing on the PC," explains Ratolikar. Out
of Bank of India's 3,00,000 online customers, around 2,25,000 are
retail customers, whereas 75,000 are corporate customers.
Retail customers are required to install software tokens on their PCs,
so that the PC itself becomes the second factor of authentication. In
the case of corporate customers, the USB token is the second factor of
authentication. In order to activate this new user identity, the bank
sends the customer an activation key and verification codes through
mailers. When a first-time user logs into his account, he has to enter
his username and password, as well as set up a personal identification
number (PIN) which is required thereafter for every transaction. Bank
of India has also factored in the possibility of PINs being captured
by a hacker. "We developed our solution in such a way that a complete
PIN is never transmitted over the network. Even as the first half of
the PIN resides with the customer PC, the PIN's second half is on our
server. They have to be assembled together, in order for the
transaction to happen," says Ratolikar. For further protection, the
customer has to type the PIN using a secure desktop (a virtual keyboard
displayed on the login screen), so that there is no chance of the PIN
being captured by keyloggers.
When a Bank of India customer wants to perform online transactions from
another PC, he has to download the software via a link available on the
bank's website. However, it may not be possible for a customer to
download software in certain secure environments. In such cases, the
bank will provide an out-of-band authentication option on the
customer's registered cell phone number: the customer receives a
one-time password on the cell phone for online transactions.
Most banks secure their Internet banking log-ins using SSL, which is
primarily an encryption protocol and provides only one-way
authentication (the server is authenticated to the customer, not the
other way round). Recently, there have been attacks where hackers have
exploited SSL vulnerabilities. Considering these aspects and other
emerging exploits like man-in-the-browser and man-in-the-middle
attacks, Bank of India decided to use the Diffie-Hellman algorithm for
additional protection. This algorithm runs on top of SSL, so even if a
hacker manages to breach SSL, he won't be able to access the
transaction, since these details travel on a different channel.
According to Ratolikar, mutual authentication (using the REL-ID
protocol) and end-to-end encryption are the two most important
features of this solution. The entire channel — right from the
customer's desktop to the bank's server — is encrypted. The username,
password and PIN are also sent over this encrypted channel.
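As an added illustration (not Bank of India's deployment or Uniken's REL-ID protocol, whose internals the article does not describe), the following Python models what "mutual authentication layered on top of SSL" means in practice: a Diffie-Hellman exchange for an end-to-end session key, with each side proving possession of an enrolment secret bound to the exchange transcript, modelled here on the activation key the bank mails to the customer. The toy group parameters, the HMAC-based proofs, the key derivation and the `relay` hook are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
# Toy Diffie-Hellman parameters for illustration only: neither a standardised
# group nor Bank of India's. Real deployments use vetted 2048-bit+ groups.
P = 2**255 - 19
G = 2

def _to_bytes(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _tag(enrol_key: bytes, role: bytes, a_pub: int, b_pub: int) -> bytes:
    """Proof of possession of the enrolment secret, bound to the DH transcript."""
    msg = role + _to_bytes(a_pub) + _to_bytes(b_pub)
    return hmac.new(enrol_key, msg, hashlib.sha256).digest()

def _session_key(shared: int, a_pub: int, b_pub: int) -> bytes:
    """End-to-end channel key derived from the DH secret and both public values."""
    return hashlib.sha256(_to_bytes(shared) + _to_bytes(a_pub) + _to_bytes(b_pub)).digest()

def client_hello():
    """Client picks a private exponent and sends its public value."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)

def server_respond(enrol_key: bytes, a_pub: int):
    """Server answers with its public value plus its proof over the transcript."""
    b = secrets.randbelow(P - 2) + 1
    b_pub = pow(G, b, P)
    key = _session_key(pow(a_pub, b, P), a_pub, b_pub)
    return key, b_pub, _tag(enrol_key, b"server", a_pub, b_pub)

def client_finish(enrol_key: bytes, a: int, a_pub: int, b_pub: int, server_tag: bytes):
    """Client verifies the server first, then derives the key and its own proof."""
    if not hmac.compare_digest(server_tag, _tag(enrol_key, b"server", a_pub, b_pub)):
        return None, None  # server failed to prove it holds the enrolment secret
    key = _session_key(pow(b_pub, a, P), a_pub, b_pub)
    return key, _tag(enrol_key, b"client", a_pub, b_pub)

def run_handshake(enrol_key: bytes, relay=None) -> bool:
    """Run the exchange; `relay` optionally rewrites the client's public value
    on the wire, modelling an interposed party without the enrolment secret."""
    a, a_pub = client_hello()
    on_wire = relay(a_pub) if relay else a_pub
    s_key, b_pub, s_tag = server_respond(enrol_key, on_wire)
    c_key, c_tag = client_finish(enrol_key, a, a_pub, b_pub, s_tag)
    if c_key is None:
        return False
    server_ok = hmac.compare_digest(c_tag, _tag(enrol_key, b"client", on_wire, b_pub))
    return server_ok and c_key == s_key
```

A party that substitutes its own public value on the wire but lacks the enrolment secret cannot produce a proof that matches the client's view of the transcript, so the client rejects the handshake; that binding is what turns a plain key exchange into the mutual authentication the article describes.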
Bank of India has already rolled out the two factor authentication
solution to 200 of its customers (consisting of retail and corporate
entities). As part of the next phase, the bank plans to cover 1,00,000
customers by April 2010. The remaining customer base will be covered in
a phase-wise manner. Bank of India has obtained a license which allows
it to use the product for up to five years.
According to Ratolikar, timely rollout and acceptance by all customer
age groups were the main deployment challenges. Based on customer
feedback, the bank has developed a simple user manual as well as a
Flash presentation suited to all age groups. The internal IT team has
also been trained for activities such as token management, expiry and
replacement. "Although security can never be 100%, we feel that this
solution will help us to curb identity theft related attacks to a great
extent," concludes Ratolikar.