Digital Transactions Authoritative, insightful and timely information for payments professionals
Security
Peter Lucas
While it’s effective against malware like the pesky Zeus Trojan, banks have been slow to adopt out-of-band authentication. Now, with mobile and P2P applications growing, that may soon change.
Imagine the following scenario: A cybercrook plants a malware Trojan, infamously known as Zeus, in the Web browser of a consumer’s personal computer. Unaware of the Trojan, the consumer initiates an online bill payment to ABC Company through his bank.
As the request is sent to the bank’s server, it is intercepted by the Trojan, which changes the amount of the payment and final destination to an account controlled by the crime ring. The new transaction information is then forwarded to the consumer’s bank.
Upon receiving the request, the bank contacts the consumer on his cell phone via a text message or automated call notifying him a bill payment to XYZ Company has been requested at a certain dollar amount. The consumer is instructed to enter his PIN or provide the answer to a security question to authorize the transaction. Instructions are also provided about what to do if the consumer did not initiate the transaction.
Recognizing the transaction as phony, the consumer denies the transaction and breathes a sigh of relief. Meanwhile, the bank burnishes its reputation as a financial institution that provides its customers with a secure online environment for payments.
The technology that thwarted the fraud in this scenario is known as out-of-band authentication, or authentication via a channel outside the one being used for a transaction. In the past year, it has been receiving increasing interest from financial institutions in the United States as a way to deal with the latest generation of malware Trojans like Zeus that attach to Web browsers.
‘A Larger Payday’
Despite that interest, however, U.S. banks have been slow to roll out out-of-band authentication. Research by Gartner Inc. analyst Aviah Litan reveals that 23% of the 76 banks surveyed in 2011 are using text messages sent to cell phones to authenticate online transactions initiated by consumers and 19% are doing so for transactions initiated by businesses.
At the same time, 20% of banks are using automated calls to authenticate online transactions initiated by consumers; 16% are using them for transactions initiated by businesses.
In a 2008 Gartner survey, 21% of 50 banks used automated calls to authenticate online transactions initiated by consumers and 19% did so for transactions initiated by businesses. Banks were not asked about the use of text messages in that survey.
“There is growing interest in out-of-band authentication, but the adoption rate has not grown much in the past few years,” says Litan. “Part of the slow adoption curve has to do with banks not really seeing a need for it.”
Now, though, the wave of Zeus attacks could change that. “With the Zeus attacks, more attention is getting focused on the need to raise the level of security and authentication around online transactions,” says Litan.
The Zeus attacks, which came to light last year, were directed primarily at small businesses. One of the tricks used by criminals deploying the Zeus Trojan was to reroute electronic payroll deposits to accounts they controlled.
“There have been five-figure and six-figure heists from payroll accounts,” says John Zurawski, vice president of sales and marketing for Authentify Inc., a Chicago-based provider of fraud-prevention software. “Small businesses have been under constant attack by cyber criminals the past 18 months, and that’s because they represent a larger payday than consumers.”
With the Zeus malware, criminals can reroute payroll transactions by changing the automated clearing house routing number to an account they control. They can also do the same for bill payments. “For small businesses, out-of-band authentication is a big plus because one fraud attack can deliver a severe blow to their finances,” says Zurawski.
Authentify services 80 banks in the U.S. including Bank of America, Fifth Third, HSBC, and Wells Fargo.
It Starts with Enrollment
Although rollout efforts for out-of-band authentication have been focused primarily on businesses, attention is beginning to be turned to the consumer market. Cash Edge Inc., a New York-based provider of person-to-person payment applications, uses out-of-band authentication as part of its fraud-prevention arsenal. Rival PayPal Inc. uses the technology, too.
“Securing an online transaction requires multiple risk-management tools, and out-of-band authentication is another tool,” says Manish Vrishaketu, vice president of Business Development for CashEdge.
Some of the instances in which banks may want to use out-of-band authentication for an online bill payment or P2P transaction include when a consumer sends to a first-time recipient, when the amount exceeds a risk threshold set by the payor’s bank, if there are attempts to move the funds faster than normal, such as on the same day, or if a recipient’s e-mail address has been associated with a flagged transaction in the past.
“When to use out-of-band authentication will vary by bank depending on their risk-management policies,” says Vrishaketu. “But with P2P growing, banks are going to want to be sure to provide a secure environment for those transactions.”
The starting point for successful out-of-band authentication is the enrollment process. Because consumers typically enroll online rather than face-to-face, they must first be authenticated. Banks will ask the consumer a series of security questions based on personal information gathered when she opened the account. This information is considered secure because it most likely was provided before any criminal could attach a spyware Trojan to the consumer’s Web browser.
In many cases, the consumer will have to provide answers to more than one question and may even be asked to contact a customer-service representative by phone to complete the enrollment process, just in case a Trojan has recently been attached
During enrollment, consumers are usually asked to create a PIN and provide an answer to a security question. Consumers are also asked to provide their cell-phone number. The bank can cross-reference the number provided against one on file for the consumer. If a cell phone number is not on file, the bank can run the number against a database of numbers known to have been ported from one phone to another or assigned to a disposable device.
When a transaction is authenticated using out of out-of-band technology, the consumer is asked to provide a PIN, enter a single-use security code sent to her phone, or answer a security question. Consumers typically have a time limit in which to respond, usually one to two minutes. If no response is received, the transaction can be denied or put on hold while additional attempts are made to reach the consumer via an alternative phone number.
“Registration is only part of the process,” says Janet Kapostasy, vice president for institution services at Mentor, Ohio-based CardinalCommerce Corp., a provider of payment authentication and secure transaction solutions for e-commerce and mobile commerce. “Followup education is needed so consumers know what to do if they lose their phone, how the authentication process works, and when to expect it.”
Cardinal is working with MasterCard Worldwide on an out-of-band authentication solution for its MasterCard Mobile application. MasterCard declined to be interviewed about how it is using out-of-band authentication.
The Smart-Phone Issue
Consumer education is important because some banks are not sure how consumers will respond to the added layer of security that out-of-band authentication provides, according to online-payment security experts.
“Although consumers are used to receiving alerts about account balances on their phone, some have been known to complain about having to move through additional layers of security to complete a transaction,” says Calvin Grimes, product manager for mobile solutions at Brookfield, Wis.-based processor Fiserv Inc., which uses out-of-band authentication.
In February, Fiserv acquired Mobile Commerce Ltd. (M-Com), an international mobile-banking and payments provider.
Educating consumers about the added security out-of-band authentication provides can help financial institutions expand their use of the technology. One opportunity is to use the technology to validate suspect credit card transactions.
For instance, a consumer who is traveling makes a purchase at a brick-and-mortar retailer in a state where he has not used his card previously. The card issuer can send a message to the cardholder’s cell phone requesting validation of the transaction.
“Out-of-band authentication is not just about securing online transactions, but transactions in the physical world,” says Grimes. “There are consumers that place a high value on security and the more banks can demonstrate that mobile phones can be effectively and conveniently used as part of the security process, the more accepting consumers will be of it.”
Consumers’ growing reliance on smart phones is expected to eventually force financial institutions to rethink their definition of out-of-band authentication and how they will deliver the authentication message. “As more consumers initiate transactions using their smart phone, sending a message to the phone to validate the transaction is not out-of-band authentication,” says Gartner’s Litan.
One solution is for banks to create transaction applications launched using the phone’s Web browser. Doing so allows for continued use of automated calls to the phone to verify a transaction, since the authentication process does not involve the Web browser, which can be corrupted by malware.
“The key is to get the verification conducted outside the phone’s browser because malware can be attached to the browser, just like on a computer,” says Litan.
Other solutions include so-called lock-down applications to secure the phone’s Web browser by limiting a consumer’s activity, such as the Web sites they can access. Trojans are frequently attached when browsing the Web.
The Real-Time Edge
“Mobile banking and transactions are in the adolescent stage right now, but as consumers conduct more of these transactions, financial institutions need to figure out a way to secure the points of attack that criminals will exploit,” says Phil Blank, senior research analyst at Pleasanton, Calif.-based Javelin Strategy & Research. “Downloading mobile applications is a potential way to import malware that attacks the Web browser. Consumers will need assurances the apps they download are secure. The attacks that are happening in e-commerce will happen in m-commerce.”
The final frontier of authentication in the world of mobile commerce will be voice identification. “If the phone itself falls in the hands of criminals it does no good to send a verification code to the phone for the criminal to re-enter,” says Authentify’s Zurawski. “The way to defend against such a situation is voice authentication, because voice prints are one form of authentication criminals cannot duplicate.”
Ultimately, payment experts predict financial institutions will get behind out-of-band authentication once P2P payments become mainstream. “The advantage of out-of-band authentication is that it occurs in real time, so banks can see which transactions need to be verified based on their risk-management guidelines,” says Blank. “That can’t be done in batch, which is how a lot of banks approach sending out alerts to their customers.\”
As with any new security technology, adoption by financial institutions will be driven by weighing the cost of deployment against potential fraud losses. Since of out-of-band authentication requires no hardware or cards to be distributed to consumers, the cost barrier is relatively low.
Further, payment experts agree that many consumers are taking a greater interest in online security and are embracing banks that provide a sense of security in the online and mobile channels.
“It’s a cost-effective technology that can make consumers feel more secure,” says Reetika Grewal, director, Partners & Solutions, at ClairMail Inc., a San Rafael, Calif.-based provider of mobile-banking applications. “P2P and bill payment are moving beyond the online channel, and banks are realizing they need to get their arms around the risk associated with these transactions as criminals get more sophisticated at exploiting them. That means adding another layer of security where necessary. That’s what out-of-band authentication does.”
