- Category: September - October 2009
Online banking is popular because it lets customers pay bills and manage securities accounts comfortably from home. But the flood of phishing e-mails and increasingly sophisticated malware that manipulates the user's computer is alienating customers. Banks are therefore looking for strategies that protect their customers against fraud and dispel that uncertainty. One promising strategy is the timely delivery of one-time TANs (Transaction Authentication Numbers) over a separate channel, an approach that guards Internet transactions better than the earlier TAN procedures.
Everything seemed safe with the identification procedure the banks developed for processing orders via online banking: the customer proves his identity by entering a personal identification number (PIN) and authorises each individual transaction with a transaction number (TAN), which he receives from the bank in printed blocks. Each TAN can be used only once and is then void. Everything seemed well thought out and quite sufficient. The catch is that any unused number on the list authorises any transaction whatsoever: whoever obtains a single TAN, together with the PIN, can move money.
Phishing, Pharming, Trojans
But then came the fraudsters, whose number-one manipulation strategy targets the combination of "human being and TAN list on the desk". Everyone is familiar with the flood of phishing e-mails that prompt bank customers to reveal their PIN and transaction numbers on a forged bank page.
The second strategy operates at the technical level. Criminals infect their victims' computers with malicious programs such as Trojans, which capture PIN and TAN as they are typed or read them from the hard drive. Others use pharming, which manipulates name resolution so that the customer lands on a forged website when he tries to manage his orders. Even up-to-date anti-virus and firewall protection cannot always prevent this.
Don't be tempted to leave the TAN list on the desk, and don't forget it is there. A better approach is a TAN that is requested only for the transaction at hand and used right away, since it is valid only for a short time. A first step in that direction is the indexed TAN, or iTAN, which many banks already use. The customer still has a printed list, but its entries are numbered serially, and he no longer chooses which TAN to enter: the bank's random generator names the index of the TAN required for the pending transaction, so a phished number is useless unless the bank happens to ask for exactly that index. An iTAN still authorises whatever order the bank currently holds, however, so it offers no protection against malware or a man-in-the-middle that alters the order on its way to the bank; that is the gap the methods below try to close. Other methods work with readers or hand-held generators that compute the TAN on the customer's side in parallel with the bank; if the two numbers match, the transfer is executed.
Switch the transmission channel
Against attacks at the technical level, the banks do not want to rely on their customers alone, because they do not believe customers can win the race against hackers on their own. Many therefore offer procedures based on a digital signature card or the Home Banking Computer Interface (HBCI). With special software and a card reader attached to the computer, every order is digitally signed with the key on the chip card and the traffic is encrypted, so a transaction can neither be forged nor altered without the card and its PIN (provided the PIN is entered on the reader's own keypad rather than on the PC). But such security has its price and is technically complicated.
Other banks simply change the channel through which the TAN reaches the customer. Instead of arriving on the computer, the TAN is sent by SMS to the customer's mobile phone, where malware on the PC cannot read it. As a precaution the mobile TAN, or mTAN, is valid only for a short time; the SMS repeats the beneficiary's account and the amount, and only by entering that mTAN does the customer complete the transfer. The important point is that the TAN belongs to exactly the transaction described in the SMS: if malware on the PC has swapped the beneficiary, the customer sees the wrong account in the message and can refuse, and the number cannot be used to authorise anything else. This protection rests, of course, on the phone being a separate, uncompromised device and on the customer actually reading the message before typing the number.
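To make the mechanism concrete, here is a bank-side mTAN issuer and verifier. It is an added example written for this article, not code from any bank or from TynTec, and its details are assumptions: the TAN is derived as an HMAC over the transfer details, a per-session nonce and the issue time (a bank could equally store a random number per session), it is six digits long, valid for five minutes, usable once and limited to three attempts. The account numbers and the server key are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (not taken from the article).
TAN_DIGITS = 6
TAN_VALIDITY_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass(frozen=True)
class Transfer:
    beneficiary_account: str  # e.g. an IBAN
    amount_cents: int
    currency: str = "EUR"


class MtanService:
    """Issues and verifies mTANs that are bound to one specific transfer.

    Because the TAN is an HMAC over the exact beneficiary and amount that
    were repeated in the SMS, a number the customer read next to one
    transfer cannot authorise a different one substituted by malware.
    """

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret      # assumed to live in an HSM in practice
        self._clock = clock               # injectable for testing expiry
        self._pending = {}                # session_id -> [nonce, issued_at, attempts]

    def _derive(self, transfer, nonce, issued_at):
        msg = b"|".join([
            nonce,
            transfer.beneficiary_account.encode(),
            str(transfer.amount_cents).encode(),
            transfer.currency.encode(),
            str(issued_at).encode(),
        ])
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        code = int.from_bytes(digest[:8], "big") % 10 ** TAN_DIGITS
        return f"{code:0{TAN_DIGITS}d}"

    def issue(self, session_id, transfer):
        """Create a TAN for this transfer; returns (tan, sms_text)."""
        nonce = secrets.token_bytes(16)
        issued_at = int(self._clock())
        self._pending[session_id] = [nonce, issued_at, 0]
        tan = self._derive(transfer, nonce, issued_at)
        sms = (f"TAN {tan} for {transfer.amount_cents / 100:.2f} {transfer.currency} "
               f"to {transfer.beneficiary_account}. "
               f"Valid for {TAN_VALIDITY_SECONDS // 60} minutes.")
        return tan, sms

    def verify(self, session_id, transfer, submitted_tan):
        """Return 'OK', 'EXPIRED', 'MISMATCH' or 'NO_PENDING'."""
        entry = self._pending.get(session_id)
        if entry is None:
            return "NO_PENDING"
        nonce, issued_at, _attempts = entry
        if self._clock() - issued_at > TAN_VALIDITY_SECONDS:
            del self._pending[session_id]
            return "EXPIRED"
        expected = self._derive(transfer, nonce, issued_at)
        if hmac.compare_digest(expected, submitted_tan):
            del self._pending[session_id]  # single use
            return "OK"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[session_id]
        return "MISMATCH"


def demo():
    """Walk through the honest case, a tampered beneficiary, a replay and expiry."""
    now = [1_000_000]
    svc = MtanService(b"sample-bank-key", clock=lambda: now[0])
    intended = Transfer("DE89370400440532013000", 12_050)   # constructed IBAN
    tan, _sms = svc.issue("session-1", intended)
    results = {}
    # Malware on the PC swaps the beneficiary after the SMS has gone out.
    tampered = Transfer("DE02100500000054540402", 12_050)   # constructed IBAN
    results["tampered"] = svc.verify("session-1", tampered, tan)
    results["honest"] = svc.verify("session-1", intended, tan)
    results["replay"] = svc.verify("session-1", intended, tan)
    # A fresh TAN that the customer leaves unused beyond its validity window.
    svc.issue("session-2", intended)
    now[0] += TAN_VALIDITY_SECONDS + 1
    results["expired"] = svc.verify("session-2", intended, tan)
    return results


if __name__ == "__main__":
    print(demo())
```

The tampered transfer fails even though the customer typed the genuine TAN, which is the whole point of repeating account and amount in the SMS; the replay fails because a verified TAN is discarded, and the expiry check runs before any comparison so a stale number is never evaluated.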
Out from the frying pan into the fire
However, only a few banks use the mTAN so far, Citibank among them, and in Asia it still leads a shadowy existence even though mobile phones already outnumber fixed-line connections. One reason could be that there is no absolute guarantee that an SMS is actually delivered. That is not tragic for private greetings, but if a TAN does not reach the customer in time, or at all, the bank and the customer have a problem, since the transaction cannot be executed. Moreover, it cannot be excluded that the SMS is cached on several foreign servers along the way, which once again represents a vulnerability. Taken together, this makes ordinary SMS unsuitable for banking applications, which have high requirements for confidentiality and access control.
SMS with quality guarantee
For SMS with such sensitive and time-critical content, the Munich-based company TynTec GmbH offers, for example, its "Enterprise Quality SMS Services". The SMS operator is a member of the GSM Association, has network-provider status, and offers guaranteed delivery within five to 15 seconds backed by corresponding service level agreements.
Because TynTec has direct, redundant access to the SS7 signalling network through partnerships with European, American and Asian network operators and runs its own Short Message Service Centre (SMS-C), it can evaluate signalling information and deliver a "GSM Delivery Receipt" for each SMS, a confirmation that the message reached the handset, to the bank in real time. For the bank this receipt is what turns SMS into a workable TAN channel: a TAN whose message is reported as failed or expired can be voided and reissued instead of leaving the transaction hanging.
Throughout its journey from the bank's application to the mobile receiver, the SMS is held only in TynTec's high-security data centre. Under no circumstances is it delivered via another operator's SMS-C or cached on a third-party server.
Besides fast and reliable transmission, protecting the information from access by third parties also plays an important role. Enterprise applications use the "Enterprise Quality SMS Services" through application programming interfaces (APIs) based on the standard SMS protocol SMPP 3.4. The link from the bank to TynTec's SMS-C is protected by an IPsec VPN (quoted as 1024-bit, which presumably refers to the key length of the IKE key exchange rather than to the bulk cipher, since IPsec encrypts traffic with symmetric algorithms), while the final hop over the air interface is protected by the GSM A5 encryption algorithm. Note that A5 is a symmetric stream cipher between handset and base station, not an asymmetric algorithm, and it covers only the radio link; inside the operator's network the message is not encrypted, which is why keeping it on a single trusted SMS-C matters.
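The delivery receipt mentioned above reaches the bank's application as the text of an SMPP deliver_sm, in the format that the SMPP v3.4 specification describes in its Appendix B. The following added example (written for this article, not TynTec's or any bank's code) parses such receipts and decides what to do with the pending TAN. The receipts are constructed samples, the five-minute TAN validity and the action names are assumptions, and the regular expression is deliberately lenient because field widths vary between SMS-Cs in practice.

```python
import re
from datetime import datetime

# Receipt text format per SMPP v3.4, Appendix B:
#   id:... sub:... dlvrd:... submit date:YYMMDDhhmm done date:YYMMDDhhmm
#   stat:... err:... text:...
_RECEIPT_RE = re.compile(
    r"id:(?P<id>\S+)\s+sub:(?P<sub>\d+)\s+dlvrd:(?P<dlvrd>\d+)\s+"
    r"submit date:(?P<submit>\d{10}(?:\d{2})?)\s+"
    r"done date:(?P<done>\d{10}(?:\d{2})?)\s+"
    r"stat:(?P<stat>[A-Za-z]+)\s+err:(?P<err>\d+)"
    r"(?:\s+text:(?P<text>.*))?$",
    re.DOTALL,
)

# Message states defined by the specification.
FINAL_FAILURE = {"EXPIRED", "DELETED", "UNDELIV", "REJECTD"}
NOT_FINAL = {"ACCEPTD", "UNKNOWN"}


def _parse_timestamp(value):
    # Some SMS-Cs append seconds; the spec shows minute resolution.
    fmt = "%y%m%d%H%M%S" if len(value) == 12 else "%y%m%d%H%M"
    return datetime.strptime(value, fmt)


def parse_receipt(body):
    """Parse the short_message of a deliver_sm that carries a delivery receipt."""
    m = _RECEIPT_RE.match(body.strip())
    if m is None:
        raise ValueError("not an SMPP v3.4 delivery receipt")
    fields = m.groupdict()
    fields["stat"] = fields["stat"].upper()
    fields["submit"] = _parse_timestamp(fields["submit"])
    fields["done"] = _parse_timestamp(fields["done"])
    fields["latency_s"] = (fields["done"] - fields["submit"]).total_seconds()
    return fields


def tan_action(receipt, tan_validity_s=300):
    """Decide what the bank should do with the TAN this receipt refers to."""
    stat = receipt["stat"]
    if stat == "DELIVRD":
        # The handset has the message, but only a TAN that is still within
        # its validity window is worth waiting for.
        if receipt["latency_s"] > tan_validity_s:
            return "INVALIDATE_TAN"
        return "AWAIT_CUSTOMER"
    if stat in FINAL_FAILURE:
        return "INVALIDATE_TAN"       # the customer never got it; void and reissue
    if stat in NOT_FINAL:
        return "KEEP_WAITING"         # the SMS-C has not finished trying
    return "ESCALATE"                 # state outside the spec: human follow-up


# Constructed sample receipts (not real traffic); dates are 21 Sep 2009.
SAMPLE_RECEIPTS = [
    "id:2009092100001 sub:001 dlvrd:001 submit date:0909211402 done date:0909211402 "
    "stat:DELIVRD err:000 text:TAN 482913 for 120.50 EUR",
    "id:2009092100002 sub:001 dlvrd:001 submit date:0909211402 done date:0909211411 "
    "stat:DELIVRD err:000 text:TAN 573204 for 85.00 EUR",
    "id:2009092100003 sub:001 dlvrd:000 submit date:0909211402 done date:0909211502 "
    "stat:EXPIRED err:001 text:TAN 118826 for 250.00 EUR",
    "id:2009092100004 sub:001 dlvrd:000 submit date:0909211402 done date:0909211402 "
    "stat:ACCEPTD err:000 text:TAN 904417 for 30.00 EUR",
]


def triage_all(bodies=SAMPLE_RECEIPTS):
    """Map each receipt to the action the bank should take."""
    return [tan_action(parse_receipt(b)) for b in bodies]


if __name__ == "__main__":
    for body, action in zip(SAMPLE_RECEIPTS, triage_all()):
        print(action, "<-", body.split("stat:")[1].split()[0])
```

The second sample is instructive: the network did deliver the message, but nine minutes after submission, so a five-minute TAN was already void when it arrived. Without the receipt's submit and done timestamps the bank would simply see a customer whose TAN "does not work".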
This technology could help financial institutions with their age-old challenge of balancing security with usability, since mobile authentication can be the linchpin that holds together online banking, mobile banking and mobile payments in a way that marries security with convenience. So look out, in general, for solutions that offer several levels of convenience to keep customers happy on the front end and a flexible, modular architecture to ease management on the back end.
By Daniela La Marca