Following the recent growth in Internet banking, online security has become a top priority for Indian banks—private and public. In keeping with this trend, leading Indian public sector bank Corporation Bank recently tightened online security for its corporate customers with a digital signature implementation that uses public key infrastructure (PKI)-based authentication mechanisms.
Corporation Bank started 104 years ago in 1906 with an initial capital of Rs 5,000. Today the bank has around 3,500 branches across India. Following a spurt in cybercrime incidents in the banking space, the bank began to feel the need to enhance its existing online banking authentication mechanisms.
Authentication can rest on three factors: what you know, what you have, and what you are. It is widely accepted that combining any two of these three factors offers strong security. However, Corporation Bank used only one factor of authentication—what you know—for its corporate customers’ Internet banking facilities. S Kumar, the assistant general manager of IT at Corporation Bank, says that in the bank’s authentication process the customer logged in with a username and password. For financial transactions such as fund transfers, he was asked for one more authentication password, registered with the bank.
The need to move beyond such rudimentary authentication was reinforced with the arrival of a directive from The Reserve Bank of India (RBI). “The RBI made it mandatory for banks to offer two-factor authentication for Internet banking. To fall in line with this mandate, we decided to opt for a second factor of authentication,” explains Kumar.
While there are a number of authentication methods (like one-time passwords, virtual keyboards, dual passwords using tokens and biometrics) available in the market, Corporation Bank preferred to go in for PKI-based authentication which uses a digital signature certificate. “Digital signature implementations provide legal sanctity to the transaction besides providing additional security. Such an implementation of digital signatures is in line with both the Information Technology Act 2000 as well as the recommendations of the RBI in its Internet banking guidelines,” says B R Bhat, the general manager at Corporation Bank.
Corporation Bank evaluated seven vendors for its digital signature implementation. These included Bluestar, Odyssey and 3i Infotech Consumer Services. After thorough evaluation, the bank decided to go in for the e-Mudhra PKI solution from 3i Infotech. Bhat explains that the bank’s selection criteria included the vendor’s credibility (it should have been approved by a statutory authority such as the CCA, the Controller of Certifying Authorities), the solution’s robustness, and its cost effectiveness. e-Mudhra is also a licensed certifying authority in India, which Kumar cites as one of the prime reasons for selecting this vendor.
The bank has decided to initially offer digital signature-based authentication to its corporate customers. Once these customers go through a registration process with e-Mudhra, they will be issued a digital certificate on a hardware token. These tokens hold the customers’ private keys, while the corresponding public keys are held by the bank. For this digital signature implementation the bank had to deploy an e-Mudhra authentication server (EMA), which stores the customers’ public keys.
Whenever a customer performs a financial transaction, he has to prove his credentials using his private key (held on the token together with his digital certificate). The signed request goes to the EMA server, which uses the customer’s public key to verify his authenticity. In addition, the process takes care of other security objectives in online transactions such as confidentiality, integrity and non-repudiation. The EMA server also verifies the core certificate, that is, the certificate of the authority from which the customer obtained his digital certificate. The digital signature implementation does not require any sort of key management on the bank’s end.
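The flow just described, as an added example written for this article rather than Corporation Bank’s or e-Mudhra’s own code, using only Go’s standard library: a constructed certifying authority issues the customer’s certificate, the token side signs a constructed fund-transfer request with its private key, and the bank side checks both the certificate chain and the signature. ECDSA P-256, the certificate names and the request format are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for pub under parent, signed by signer (parent == tmpl gives a self-signed root).
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// VerifyTransaction is the bank-side check: chain the customer certificate to a trusted CA root, then verify the signature with its public key.
func VerifyTransaction(roots *x509.CertPool, cert *x509.Certificate, tx, sig []byte) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err := cert.Verify(opts) // fails for an untrusted issuer, an expired cert or the wrong key usage
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(tx)
	return err == nil && ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo: a constructed CA issues a customer certificate, the token signs a constructed request, the bank accepts it and rejects an altered copy.
func Demo() (genuineOK, tamperedOK bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	caCert := mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	custKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // in production this key never leaves the token
	custTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Corporate Customer 42"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	custCert := mkCert(custTmpl, caCert, &custKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the bank trusts only certificates issued by its chosen CA
	tx := []byte("FUND_TRANSFER to=ACC-0042 amount=10000 ccy=INR ref=TX-7f3a") // constructed request
	digest := sha256.Sum256(tx)
	sig, _ := ecdsa.SignASN1(rand.Reader, custKey, digest[:]) // token-side signature
	tampered := []byte("FUND_TRANSFER to=ACC-0042 amount=90000 ccy=INR ref=TX-7f3a")
	return VerifyTransaction(roots, custCert, tx, sig), VerifyTransaction(roots, custCert, tampered, sig)
}
```

A certificate issued by any other CA, or one restricted to a different extended key usage, fails the chain check before the signature is even examined.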
Corporation Bank’s digital signature implementation project started in December 2009. Testing and integration took around six months, and the bank expects full-fledged operation of its digital signature implementation by the end of August 2010.
Kumar feels that although digital signature implementations provide strong authentication, the banking industry will find it a challenge to make them available to all Internet banking customers (including retail banking customers). One reason is the cost of obtaining a digital certificate. Whoever wants this additional layer of security—whether a corporate or a retail customer—will have to pay for obtaining the digital certificate. Bhat feels that the cost of a digital certificate is almost equivalent to that of any other two-factor authentication mechanism in vogue today.