Keyboard loggers, packet sniffers, trojan horses and plain old mail theft are just some of the tools that someone can use to get access to another person's online financial accounts. With a little ingenuity, passwords can easily be compromised, guessed or intercepted. Evidence of this can be seen in the two cases this year where funds were stolen using the online banking service of a leading Hong Kong bank.
While the media is guilty to a certain extent of playing up security threats because it makes for interesting reading, the fact is that a user ID plus a password or PIN for access to online accounts isn't really enough to deter a determined hacker, particularly if they have physical access to your computer. This is reflected in the results of surveys from research organizations such as IDC and Gartner that show security concern is still a major reason consumers cite for not using online services.
Singapore-based company SecureAsia, which as its name suggests deals in security products and outsourcing services, is looking to help banks and other institutions strengthen their security and address users' concerns. It plans to do this by popularizing a technology that has been around for a while, but has yet to find widespread acceptance at a consumer level.
The type of technology is often referred to as a hardware token and it enables "two-factor authentication". An illustration: When withdrawing money from an ATM you use your card (something you have) and enter your PIN (something you know). Online identity authentication lacks this second authentication factor, something that tokens have been designed to address.
An example of this kind of device is the product developed by RSA Security, which it calls SecurID. It is a small device generating a new, 6-digit unpredictable "code" every 60 seconds, which is unique to that particular user. This "code" is output on a display panel on the SecurID itself.
The device comes in a variety of form factors: a wallet-sized version that is slightly thicker than a credit card, a key ring unit or even a software version that is currently supported for Palm handheld devices and Ericsson mobile phones.
It is the SecurID -- in conjunction with the user's secret PIN -- that provides the second factor in the two-factor authentication. A user who can reproduce the correct code at any given instant effectively proves that he/she is in possession of the SecurID.
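To make the two-factor check concrete, here is an added illustration (not code from the article, RSA or SecureAsia) of a time-synchronized token and the server-side verifier that combines it with the PIN. It assumes a per-token secret seed shared with the server and derives the 6-digit, 60-second code with the HMAC truncation from RFC 4226/6238; RSA's own SecurID algorithm is proprietary and is not what this implements. It also shows the two checks a verifier needs that the text leaves implicit: tolerance for clock drift between token and server, and refusing a code that has already been redeemed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article: a new code every 60 seconds ...
DIGITS = 6          # ... and the code is 6 digits long

def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token would display at unix_time.

    Constructed illustration: HMAC-SHA1 over the 60-second time counter,
    truncated as in RFC 4226/6238. RSA's real SecurID algorithm is
    proprietary and is NOT what this function implements.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)

class TokenVerifier:
    """Server side of the check: PIN (something you know) + code (something you have)."""

    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        # Demo only: a production server would store a salted, slow PIN hash.
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.last_counter = -1  # highest time step already redeemed (replay guard)

    def verify(self, pin: str, code: str, now: int, drift_steps: int = 1) -> bool:
        # Factor 1: the PIN, compared in constant time against the stored hash.
        given = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(given, self.pin_hash):
            return False
        # Factor 2: the token code for the current 60-second window, allowing
        # +-drift_steps windows of clock skew between token and server.
        base = now // STEP_SECONDS
        for counter in range(base - drift_steps, base + drift_steps + 1):
            expected = token_code(self.seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                # Replay protection: each window's code is accepted at most once,
                # and nothing older than the last accepted window is accepted.
                if counter <= self.last_counter:
                    return False
                self.last_counter = counter
                return True
        return False
```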
RSA says it has seven million tokens deployed globally across 12,000 authentication servers without requiring special hardware or complex software of any kind on end-users' systems.
This technology, like many others, first saw applications in the military, but is now commonly used at a high level in the corporate, government and financial world for things such as physical access to sensitive areas of a building, access to trading terminals or for access to corporate email accounts while on the road.
But SecureAsia's founder and CEO John Lee says his company is looking to further expand the scope of this technology. Besides being an official RSA reseller, the company's main product is its online Identity Verification Service (IVS), an outsourcing service that takes the back-office task of authenticating individuals online off the hands of its clients so they can concentrate on their core business activities. The company also offers management services for larger institutions that want to run their own authentication servers, as well as a virtual smart card service using the SecurID tokens.
Let there be one
The idea that spawned SecureAsia, says Lee, was that RSA's two-factor authentication technology would be most useful if it could be used for secure access to more than one service.
"I had been working for GE in Asia implementing a SecurID-based system across a wide range of their business activities and I thought, 'Why shouldn't these people also be able to use these single tokens or cards to access their online bank accounts, or securities trading accounts, or whatever, in a secure manner?'"
The benefits from a consumer point of view are easy to see, as the system is both portable and secure. Customers could feasibly access their bank account from an Internet café in Kathmandu just as securely as from their home PC.
Lee's vision is that these devices should be as ubiquitous as our plastic ATM or credit cards, but that we wouldn't need to carry more than one of them. There are three main hurdles to this. One is the price of the units: getting it down to the point where it's not seen as too expensive for organizations to distribute them to all their customers. Two is getting institutions to agree to use a common infrastructure. Three is being able to offer institutions or companies that don't want to handle advanced security management the choice of an outsourcing partner who can do this on their behalf.
SecureAsia hopes to address all these areas. Through its status as an RSA Certified Solution Provider, it has a distribution and bulk-buying agreement with RSA that it says can help bring the price down to a feasible level for bank customer deployment. An alliance with PricewaterhouseCoopers, which has also taken an equity stake in SecureAsia, has helped open the doors to negotiations with banks in Singapore and the likes of HSBC and Hong Kong Post in Hong Kong, and Lee is hopeful that they will see the sense in working with a common platform.
Certificates and signatures
The question invariably arises: how does this vision fit in with the other security concepts du jour, namely smart cards, digital certificates and Public Key Infrastructure (PKI)? This is a question that is probably more relevant for corporate customers that might use one digital certificate for dealing with their bank for things such as cash management and trade finance, and are perhaps looking at using an Identrus-compatible digital certificate for business-to-business activities.
Smart cards are usually promoted as a security solution for this market as they can be used to store an individual digital certificate, or even several of them. This is obviously better than storing digital certificates on the hard drive of a PC, from both a portability and a security standpoint.
Lee says that although SecureAsia can offer smartcard solutions, if that is what clients want, the SecurID tokens can also act as a virtual smartcard. Once identity is established through the two-step process of possessing the token and knowing your PIN, the digital certificate can be pulled down from a secure server and used for whatever application needs to be digitally signed.
Physical smart cards are gradually being adopted in the business world, but on a retail level their usage is limited by current low penetration of smartcard readers into the market and the IT support that they require. This, says Lee, is why the token system is an ideal solution for the retail market.
To get to the critical mass stage, when there are enough tokens issued to users in a particular market to attract even more organizations to support the technology, Lee says his company is first targeting the dominant players in the Hong Kong and Singapore markets, as well as seeking support from their respective government bodies. He admits that it might take some time to strike deals and convince financial institutions' IT teams, plus their business development people, of the benefits of SecureAsia's offerings, but he will continue evangelizing the benefits of token-based security, if only so he can use the SecurID he uses to access his email account to also do his banking.