Two-factor authentication: Next step to secure online transactions?

A look at how Indian banks are dealing with RBI's directive to implement two-factor authentication for securing online "card not present" transactions.

By Jasmine Desai, Principal Correspondent,

Online credit card transactions have long been a pain point for the Indian banking industry because of the large number of fraud incidents. A traditional "card not present" transaction is authorised with nothing more than the details printed on the card, so anyone who obtains those details, by phishing or other social engineering, can transact as the cardholder. Against this backdrop of escalating phishing and social engineering attacks, the Reserve Bank of India (RBI) directed Indian banks to deploy two-factor authentication (2FA) as a security measure for online credit card transactions, with a deadline of Aug. 1, 2009.

The directive builds on detailed instructions RBI had issued to banks in February 2006 to help prevent phishing attacks. These were supplemented by an RBI notification on Feb. 18, 2009, that mandated banks put in place "a system of providing for additional authentication/validation based on information not visible on the cards for all online card-not-present transactions except IVR transactions" by Aug. 1.

The RBI directive is among the first steps to provide better security for online transactions, since this space has not yet been defined by stringent laws in India. Therefore, the directive's implementation will go a long way toward regulating online transaction security in Indian banking.

Two-factor authentication basics

Two-factor authentication means proving identity with evidence from two independent categories: something the customer knows (a password or PIN), something the customer has (a hardware token, a mobile phone or the card itself) and, less commonly, something the customer is (a biometric). Pairing a passphrase stored in the bank's system with a second PIN or password does not qualify, since both are things the customer knows and a phisher who captures one can usually capture the other. The common implementation pairs the password or PIN with a one-time password that is generated afresh for each session or transaction by a security token or the customer's mobile phone.

Plethora of solutions

Several Indian banks issue Visa and MasterCard credit cards, so 3-D Secure protocol-based two-factor authentication solutions are quite popular at the moment. Visa credit cards rely on the Verified by Visa (VBV) service, whereas MasterCard credit cards rely on the MasterCard SecureCode service.

Both VBV and MasterCard SecureCode services use the XML-based 3-D Secure protocol for two-factor authentication. "3-D Secure is the payment industry's Internet authentication standard. It covers three domains: Acquirer Domain (the merchant and the bank to which money is being paid), the Issuer Domain (the bank which issued the card being used) and finally the Interoperability Domain (the infrastructure provided by the credit card scheme to support the 3-D Secure protocol)," says Amuleek Bijral, the country manager for RSA Security.

Apart from 3-D Secure, the other two-factor authentication solutions available to banks use token-based or mobile phone-based methods. Some of the major vendors catering to this area include RSA, Vasco Data Security International Inc. and Aladdin Knowledge Systems Ltd. In token-based methods, the token generates one-time passwords, each of which is valid only for a short, predefined time window.

According to a spokesperson from Vasco, two-factor authentication can be host authentication or mutual authentication in nature. For example, corporate banking uses a token with a PIN pad, where the authenticator can be PIN-protected. The authenticator will generate a one-time password only if the correct PIN is entered. It could also be used to electronically sign a transaction. This approach is claimed to protect the user from sophisticated attacks like "man in the middle" or "man in the browser" attacks. Such solutions are used by Citibank and Standard Chartered Bank in India.
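As an added example, not code from the article or from any vendor it names, the following Python models the one-time-password mechanism described in the two paragraphs above: an HMAC-based OTP in the style of RFC 4226/6238 that is valid only for a short time step, a PIN-protected token that masks its seed under the PIN so a wrong PIN yields a wrong code rather than an error, and a transaction-signing variant that binds the OTP to the amount and beneficiary so a man-in-the-browser that rewrites either field produces a code the bank rejects. The 30-second step, the PBKDF2 seed wrapping and the "amount|beneficiary" binding format are assumptions for illustration; the seed and time value used in the demo are the published RFC test vectors, and the salt and account number are constructed.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds an OTP stays valid; RFC 6238's default, assumed here
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of steps since the Unix epoch."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, step: int = TIME_STEP, skew: int = 1) -> bool:
    """Server-side check: accept the current step and +-skew neighbours to tolerate clock
    drift, comparing in constant time. A deployment must also reject a code that was
    already used within the window (replay protection), which is omitted here."""
    return any(hmac.compare_digest(hotp(secret, now // step + d), code)
               for d in range(-skew, skew + 1))


def wrap_seed(seed: bytes, pin: str, salt: bytes) -> bytes:
    """PIN-pad token: the seed is XOR-masked under a PIN-derived key, so a wrong PIN yields
    a wrong OTP instead of an error and the device offers no offline oracle for PIN guessing.
    (Assumed construction; real tokens use their own vendor-specific scheme.)"""
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=len(seed))
    return bytes(a ^ b for a, b in zip(seed, key))


unwrap_seed = wrap_seed  # XOR masking is its own inverse


def transaction_key(seed: bytes, amount: str, beneficiary: str) -> bytes:
    """Derive a per-transaction key from what the customer keyed into the token."""
    return hmac.new(seed, f"{amount}|{beneficiary}".encode(), hashlib.sha256).digest()


def sign_transaction(seed: bytes, amount: str, beneficiary: str, now: int) -> str:
    """Customer side: the token signs the transaction details it displayed."""
    return totp(transaction_key(seed, amount, beneficiary), now)


def verify_transaction(seed: bytes, code: str, amount: str, beneficiary: str,
                       now: int, skew: int = 1) -> bool:
    """Bank side: recompute with the amount/beneficiary actually received. A man-in-the-browser
    that altered either field after the customer signed gets a mismatch."""
    return verify_totp(transaction_key(seed, amount, beneficiary), code, now, skew=skew)


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 4226 test-vector secret
    salt = b"token-serial-0001"       # constructed salt
    now = 59                          # RFC 6238 test time; 6-digit OTP is "287082"
    wrapped = wrap_seed(seed, "1234", salt)
    print("OTP with right PIN:", totp(unwrap_seed(wrapped, "1234", salt), now))
    print("OTP with wrong PIN:", totp(unwrap_seed(wrapped, "0000", salt), now))
    code = sign_transaction(seed, "5000.00", "ACC-00042", now)
    print("original details:", verify_transaction(seed, code, "5000.00", "ACC-00042", now))
    print("tampered amount: ", verify_transaction(seed, code, "50000.00", "ACC-00042", now))
```

The transaction-signing variant is the point that matters against man-in-the-browser malware: a plain session OTP only proves the customer was present, so malware that silently changes the beneficiary after the customer has typed the code still gets the payment through. Binding the code to the details the token itself displayed (and that the customer keyed in) means the bank can detect the substitution. The RFC-style algorithm shown here is a stand-in; 3-D Secure and the vendor tokens named in the article each use their own proprietary OTP schemes.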

Another approach to implementing two-factor authentication uses the cell phone, running an application similar to the PIN-pad device. In this solution the cell phone itself is the authenticator, so the second factor is provided without a separate device. HSBC has integrated this software token authentication solution into its mobile banking application.

Taking the call

Ravikiran S Mankikar, the general manager of IT for The Shamrao Vithal Cooperative Bank Ltd., says increasing complexity directly equates to a costlier implementation. "Banks going for two-factor authentication should first map their business needs and requirements with the security budget. Accordingly, the decision should be taken on the authentication mechanisms," Mankikar says.

Other factors to be taken into account on the two-factor authentication front are the number of customers and technology acceptance among the bank's credit card users. "The decision has to factor in the bank's customers' levels of technological acceptance and its volume of customers," says Sanjay Sharma, the managing director and CEO of IDBI Intech.

Tokens are cost-effective only when there is a large customer base. As Mankikar says, "If a bank is going for token-based authentication, it should have a significant customer base. The applications will also have to support that kind of integration within the UI, since you will be integrating the software required for two-factor authentication along with the application."

According to Sharma, more than the implementation aspect, the main challenge will be getting customers to comfortably adopt two-factor authentication. "Other challenges involve bank customers with small-value transactions. Since these customers are not on the bank's high-value chain, their appetite for high-end services will also be very low. So some sort of leeway has to be provided there," Sharma says.

The 2FA status check

At present, Indian banks are reluctant to explore two-factor authentication solutions beyond 3-D Secure, since most banks issue Visa and MasterCard credit and debit cards. Despite this adoption, most banking CIOs remain extremely skeptical about the difference made by this deployment. As a result, several CIOs of Indian private banks have yet to get past the evaluation phase of these solutions.

It's beyond doubt that two-factor authentication deployment will happen in fiscal year 2009-10 at most Indian banks because of RBI's directive. However, it remains to be seen how much of a difference it will make to the overall online transaction security scenario.
