For quite some time now, leading Indian banks have been trying to prevent phishing attacks using hardware- or software-based tokens, smart cards and mobiles. Such measures call for considerable investment, and often result in inconvenience when implemented for a huge customer base. Now imagine how pleased the banks would be if their customers' identity could be protected by just a simple, transparent plastic sheet. To this end, Indian private-sector banking player IndusInd Bank now uses a transparent online and Internet banking security card to protect its customers from phishing threats.
[Image: Intellect Privacy card for user authentication]
IndusInd has deployed a user authentication solution called Intellect Privacy. It is based on four patents filed by the Indian Institute of Technology-Madras, and commercialized by Laser Soft Infosystems (a subsidiary of Polaris Software Labs).
Earlier, IndusInd used ordinary usernames, passwords and SSL for online banking transactions. However, it felt the need to protect its online customers from emerging security threats, as well as change customer perceptions about Internet banking. "We wanted to encourage more customers to use our online banking facilities by providing more secure systems. At the same time, we were determined that any new security measures should not compromise on the cost and convenience factors," says Ramesh Ganesan, the executive vice president and head of transaction banking at IndusInd Bank.
This was one of the reasons why IndusInd did not go in for a traditional two-factor user authentication solution (currently used by many leading banks). "Traditionally, banks have used USB tokens, smart cards or software tokens for second-factor user authentication. Unfortunately, these are costly solutions to adopt for mass banking requirements. Besides, we also wanted to eliminate usage of any sort of hardware, since many customers already carry a couple of mobiles and USB devices in their pockets," explains Ganesan. These compulsions guided the bank toward other alternatives.
Around this time, IndusInd came across Intellect Privacy, which uses multi-factor dynamic authentication to authorize online banking transactions. Intellect Privacy's offerings include the use of a transparent card for generation of a one-time password (OTP), use of a local language-based virtual keyboard, and use of ATMs and mobiles for developing OTPs.
Intellect Privacy is a transparent polythene card (three cards clubbed together are about as thick as a credit card) with a printed grid containing transparent, opaque and numbered cells. When a user logs into his online account with his access ID and password, a grid image of similar size appears on the screen. The user superimposes his transparent card on this image on the computer screen to generate an OTP. When superimposed, the two grids mask each other, revealing the numbers that make up the OTP. Thus, the customer can generate a unique OTP for every new transaction.
This technology is based on the principle of 'challenge response authentication,' a method for proving one's identity over an insecure medium without divulging information. Like other two-factor user authentication solutions available in the market, this technology also helps to establish a customer's identity—but without the use of any tokens.
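A minimal model of the overlay exchange described above, added here as an illustration; it is not Intellect Privacy's patented scheme or code from the bank or vendor. The cell encoding, the overlay rule, the four-digit OTP length and all function names are assumptions; only the 10-by-6 card size is taken from the article.

```python
import hmac
import secrets

ROWS, COLS = 10, 6            # card size quoted in the article
OPAQUE, CLEAR = "#", "."      # assumed card cell kinds; other values are printed digits
DARK, LIT = "#", "."          # assumed screen cell kinds; other values are shown digits
_rng = secrets.SystemRandom()

def new_card():
    """Issue a card: the layout is the per-user secret the bank stores."""
    cells = [OPAQUE] * 20 + [CLEAR] * 20 + [str(_rng.randrange(10)) for _ in range(20)]
    _rng.shuffle(cells)
    return [cells[r * COLS:(r + 1) * COLS] for r in range(ROWS)]

def overlay(card, screen):
    """Digits legible with the card held on the screen, read row by row."""
    out = []
    for card_row, screen_row in zip(card, screen):
        for c, s in zip(card_row, screen_row):
            if c == CLEAR and s.isdigit():
                out.append(s)             # screen digit seen through a clear cell
            elif c.isdigit() and s == LIT:
                out.append(c)             # card digit readable over a lit cell
    return "".join(out)

def new_challenge(card, otp_len=4):
    """Build a screen grid that reveals exactly otp_len digits for this card."""
    usable = [(r, c) for r in range(ROWS) for c in range(COLS) if card[r][c] != OPAQUE]
    chosen = set(_rng.sample(usable, otp_len))
    screen = [[DARK] * COLS for _ in range(ROWS)]
    for r in range(ROWS):
        for c in range(COLS):
            if (r, c) in chosen:          # cell that contributes one OTP digit
                screen[r][c] = LIT if card[r][c].isdigit() else str(_rng.randrange(10))
            elif card[r][c] == OPAQUE:    # decoy: anything here is hidden by the card
                screen[r][c] = _rng.choice([DARK, LIT, str(_rng.randrange(10))])
    return screen

def verify(card, screen, response):
    """Server side: recompute the overlay from the stored layout and compare."""
    return hmac.compare_digest(overlay(card, screen).encode(), response.encode())

if __name__ == "__main__":
    card = new_card()
    screen = new_challenge(card)
    otp = overlay(card, screen)           # what the customer reads and types
    print(otp, verify(card, screen, otp))
```

In this model the card layout never travels over the network, but anyone who records both the screen grid and the typed OTP learns something about the layout each time, so an issuer would bound the number of challenges served per card.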
"The main advantage of this card over normal static (debit or credit) card grids is that it allows the reuse of cells. With a normal static card, once a cell is revealed, it's revealed forever. In this case, the OTP is generated dynamically every time. A card of 10 rows and six columns can generate 117 unique transactions," says V P Kannan, the senior vice president of technology for Laser Soft Infosystems. The solution provides multiple options to deliver OTPs (such as through ATMs and mobile screens), as well as the use of local language virtual keyboards.
According to IndusInd, this technology will protect online banking customers from all kinds of phishing attacks, including deceptive email, key (screen) loggers, brute force attacks, dictionary attacks and Trojans. The user authentication solution is also expected to protect online transactions from man-in-the-middle attacks.
IndusInd has launched the user authentication solution for its corporate clients, and will soon cover retail clients as well. The bank took almost four months for the entire process from decision-making to implementation, and went live with the solution in February 2010.
According to Ganesan, the biggest challenge has been to implement this unique user authentication solution for the first time. Although the technology did exist, making it usable and convenient proved to be quite a task. Today, Ganesan feels that it is an extremely cost-effective solution, and can be easily adopted for mass banking applications in India. "This user authentication solution is completely free from the involvement of hardware, software or service-providers, and costs just a few rupees per user. It is completely scalable, in terms of the number of transactions for which it can be used. Security can also be increased, in terms of the number of cells and grids that we can use. The ease of use, convenience and strong security will encourage our customers to increase their usage of our online banking facilities," says Ganesan.