By Philip Hoyer, technical architect, ActivIdentity EMEA
It may already be a cliché, but the credit crunch is forcing all types of businesses to review their costs and look at how they can reduce overheads. For financial institutions with millions of customers, one of the most obvious solutions is to encourage those customers to manage their accounts through low-cost channels, such as the internet, rather than through branches or call centres, which have to be staffed.
But the internet brings significant security risks. Banks must be able to guarantee that a customer is who they say they are, in the face of increasingly sophisticated fraud attempts by cyber-criminals who have, with alarming speed, developed new ways of accessing sensitive information. Clearly, banks must deploy much more than password-based systems in order to encourage more customers to use online facilities and to protect existing internet customers from fraud.
Both Barclays and NatWest have recently announced that they are issuing card readers to customers, indicating the start of a trend towards using strong authentication for all customers, not just businesses or high-net-worth individuals.
The problem comes with integrating these new technologies into an existing infrastructure. Most banks are already managing a legacy made up of various point solutions that help customers access their accounts via different channels using different technologies. One customer might require a password to use the telephone banking service, and a memorable question for resets or emergency access; another might use a token based on proprietary or OATH technology to access online banking. Similarly, the same institution may, in the future, want to introduce PKI or biometric data to further improve the security of transactions.
Traditionally, banks and other financial services firms have built up a collection of point security solutions that are difficult to manage and incredibly costly to maintain. Firms are beginning to realise that there is a need to consolidate varying authentication systems into one single infrastructure that can support different types of credentials, from cards to tokens and interactive voice response technology. Gartner has coined the term “versatile authentication” to describe a platform used to manage all credentials.
A good versatile authentication platform will be based on open standards, so that it can serve as a system “backbone” that manages multiple authentication systems from different providers and maximises the investment in pre-existing authentication technologies. It will also accommodate new authentication methods that may be required in future. Together, these reduce operational and infrastructure costs and, ultimately, the total cost of ownership.
The benefits of versatile authentication are numerous, despite concerns over the impact of introducing new technologies on the user experience. Customers are more likely to put their trust in online financial transactions if they perceive them to be more secure, which will bolster the adoption of low-cost service channels. They will also benefit from a consistent authentication experience across all channels – using their EMV card to access their account via the internet, call centre or branch.
In turn, the bank will benefit from the highest possible levels of security and flexibility, combined with lower costs and the ability to upgrade authentication levels to meet market needs.
The concept of versatile authentication also fits neatly with the trend towards a service-oriented architecture, which will improve the user experience in the long run. If a customer loses their EMV card, one single command within a versatile authentication platform should be able to disable the device, regardless of what technology it is based upon and the channel through which the customer reported the card missing, thereby cutting down the amount of time staff spend resolving the problem.
It’s the next logical step for financial services organisations that want to be ahead of the game, and should demonstrate a fast return on investment in the face of impending recession.
ActivIdentity EMEA is exhibiting at Infosecurity Europe 2009, Europe’s number one dedicated information security event. Now in its 14th year, the show continues to provide an unrivalled education programme, the most diverse range of new products & services from over 300 exhibitors and 12,000 visitors from every segment of the industry. Held on the 28th – 30th April 2009 in Earls Court, London, this is a must-attend event for all professionals involved in information security.
www.infosec.co.uk
Source: Infosecurity PR