and pharming activity driven online identity thefts have become a major information security concern for Indian banks. Bank of India, a leading public sector bank in India, has also faced its own share of phishing attacks in the past, causing financial losses for its customers. Compounding to these threats are emerging crimeware threats like man-in-the middle and man-in-the browser attacks. "Protecting the customer's identity while he is on the Internet banking channel was our primary concern," says Sameer Ratolikar, the chief information security officer for Bank of India. Such identity thefts not only cause financial losses to customers, but also directly impact bank's reputation and business, explains Ratolikar. These were some of the main concerns which drove Bank of India to adopt two factor authentication to protect its online banking customers. According to Ratolikar, Bank of India is the first public sector bank in India to adopt two factor authentication for online banking.
Bank of India serves around 30 million (3 crore) customers, out of which 3,00,000 customers prefer Internet Banking. The bank had to protect these 3,00,000 customers from online identity thefts. Earlier, the bank only used username and passwords to authenticate customer identity. It became essential to add another authentication level, to which two factor authentication provided the right answer.
In 2008, Bank of India started searching for a two factor authentication solution. Depth of coverage for attack vectors, easy usability, and convenience were among the main selection criteria. As part of the process, Bank of India evaluated several solutions and shortlisted three vendors. Out of these, HP-Uniken's solution was selected since it was the lowest bid, informs Ratolikar. This is HP's customized two factor authentication solution for Bank of India, which uses USB-based hardware and software tokens. The front end of the solution is provided by HP, while back end is provided by Uniken systems. Software tokens are allotted to retail customers, while corporate customers are provided with USB-based hardware tokens. "As corporate customers' transactions involve very high amounts, we wanted to give them more security. Security provided by the hardware device is much higher than software residing on the PC," explains Ratolikar. Out of Bank of India's 3,00,000 online customers, around 2,25,000 are retail customers, whereas 75,000 are corporate customers.
Retail customers are required to install software tokens on their PCs, so that their PC itself becomes the second factor of authentication. In case of corporate customers, USB is the second factor of authentication. In order to activate this new user identity, the bank sends the customer an activation key and verification codes through mailers. When a first time user logs into his account, he has to enter his username and password, as well as set up a personal identification number (PIN) which is required thereafter for every transaction. Bank of India has also factored the possibility of PINs getting captured by a hacker. "We developed our solution in such a way that a complete PIN is never transmitted over the network. Even as the first half of the PIN resides with the customer PC, the PIN's second half is on our server. They have to be assembled together, in order for the transaction to happen," says Ratolikar. For further protection, the customer has to type the PIN using a secure desktop (a virtual keyboard displayed on the login screen), so that there are no chances of the PIN getting stolen by keyloggers.
When a Bank of India customer wants to perform online transactions from another PC, he has to download the software via a link available on the bank's website. However, it may not be possible for a customer to download software in certain secure environments. In such cases, the bank will provide an out of band authentication option on the customer's registered cell phone number. The customer will get a onetime password on their cell phone for online transactions.
Most banks secure their Internet banking log-ins using SSL, which is primarily an encryption protocol and provides one way authentication. Recently, there have been attacks where hackers have exploited SSL vulnerabilities. Considering these aspects and other emerging exploits like man in the browser and man in the middle attacks, Bank of India decided to use the Diffie-Hellman Algorithm for additional protection. This algorithm runs on top of SSL. So even if a hacker manages to breach SSL, he won't be able to access the transaction since these details are on different channel. According to Ratolikar, mutual authentication (using REL-ID protocol) and end to end encryption are the two most important features of this solution. The entire channel — right from the customer's desktop to bank's server — is encrypted. The username, password and PIN number are also sent using the encrypted channel.
Bank of India has already rolled out the two factor authentication solution to 200 of its customers (consisting of retail and corporate entities). As part of the next phase, the bank plans to cover 1,00,000 customers by April 2010. The remaining customer base will be covered in a phase-wise manner. Bank of India has obtained a license which allows it to use the product for up to five years.
According to Ratolikar, timely rollout and acceptance by all customer age groups were the main deployment challenges. Based on customer feedback, the bank has developed a simple user manual as well as a flash presentation for all age requirements. The internal IT team has also been trained for activities such as token management, expiry and replacement. "Although security can never be 100%, we feel that this solution will help us to curb identity theft related attacks to a great extent," concludes Ratolikar.