Bank delivers card readers to secure customers

Angus Kidman meets a bank that has decided to deliver card readers to individual users of its Internet banking services. The costly devices have improved security, although ROI is sketchy.

Deploying hardware solutions like card readers to minimise fraud with online transactions might seem a sensible step, but the odds are good that you won't be able to justify it purely in cost terms.

Two-factor authentication is now viewed as essential for high-visibility applications like online banking, and many Australian organisations have adopted solutions such as using SMS to send out one-time passwords. Hardware-based card readers are often cited as a more effective means of protecting customers, but many bank boards have balked at the costs involved.

Scandinavian bank Nordea has successfully deployed card readers to minimise the risk of an attack on its customers, but admits that this couldn't have been justified purely on the basis of cost reductions.

Speaking at a Gartner identity and access summit in London earlier this year, senior Nordea product manager Olov Brandt outlined the challenges involved in getting the solution up and running, and how Nordea effectively found itself forced to wear the cost of the roll-out.

As the result of a series of mergers and takeovers, Nordea's operations encompass 10 million customers across four countries (Sweden, Finland, Denmark and Norway). Around two-thirds of those customers use Internet banking.

Because of its corporate history, Nordea was already dealing with a variety of platforms. "There has been a mixture of old and new solutions," Brandt said. "In Sweden we have five or six different Internet banks for different customer sectors."

In Sweden, as a security solution, the bank had utilised printed one-time passwords on a plastic sheet distributed to customers. That had helped prevent simple attacks, but wasn't enough in the face of a concerted effort to scam customers.

"During summer 2007, we were simultaneously hit by trojan and phishing emails," Brant explained. The attacks were all aimed at the customers using the pre-printed one-time passwords.

"They started out really poorly written, so that was a help, but they kept on flooding out. It became a really big problem for us when people got 20 or 30 phishing mails a day."

Nordea had to quickly respond to the problem, issuing frequent customer advisories and adopting a high media profile. "We also offered the customers free virus protection. This was a pretty hard decision to make and it cost us a lot of money, but it was the best way to save some customers."

Nonetheless, the reputational damage was considerable. "As Sweden is a small country, this hit the media pretty heavily."

A long-term solution was needed to replace the pre-printed password scheme. "This was time-critical -- we were under attack and we had an urgent need for business as usual," Brandt said.

Nordea drew up a wish list, which included developing a single system for the entire bank network, making secure Internet payments possible, and minimising long-term maintenance costs.

"One thing we must do is involve the customer to a high level. We must make it simple to be secure, and we must have the customers understand that now this could be dangerous -- you could be losing your money."

Understandably, a key requirement was to prevent a repeat of the phishing frenzy. "It shouldn't be possible to make phishers happy with it -- we must make phishing virtually impossible," Brandt said.

Ultimately, Nordea decided to fund card readers for all its users. "We went for a card reader, not a token. We already had the cards in the customer's wallet, so we sent out a non-personalised card reader This is cheaper and quicker and easier to roll out." Because the readers weren't linked to individual accounts, they could be sent out more cheaply as they didn't need registered mail or enforced customer pickup. The card readers were rolled out over a 10-month period to avoid a major up-front expense.

Despite such cost-saving measures, Brandt concedes that the expense was higher than the likely amount lost through fraud.

"It was really much more expensive than the fraud. We could have lived with the fraud, but we couldn't live with the bad reputation that came about from the fraud. It was more a matter of trust than the fraud in itself."

Nor does it provide much marketing advantage. "I don't think the security solution per se gained customers, but we didn't lose any," Brandt said.

Despite that, Nordea is confident the investment will pay off long-term. "It will in the long run be worth it, Now we have a solution that stands for many years The cost for sending out security devices in the long run will be a bit cheaper and make a wider range of Internet transactions possible."

The card reader works in conjunction with an online challenge-response system. When logging in, customers are given a six-digit code to type into their reader. After logging into the reader with their pin, they enter the code, and are given a nine-digit response to type into the online banking system.

Brandt is confident that the system is resistant to most attacks. "It would not be easy to tamper with it because of how the firmware is stored. We have put in dialogues which cannot be altered afterwards."

Read more on Security policy and user awareness