Looking at the transactions happening online globally, unfortunately less than 5% to 10% of people use second-factor authentication, which leaves a large part of the world's population highly vulnerable to fraud. Many banks are now implementing two-factor solutions and back-end platforms so that consumers who transact online can receive a PKI token or another secure method to authenticate themselves. On the same lines, Dataquest spoke to Atul Singh, Director- Banking, Transport & Telecom Solutions, Gemalto, to learn more about the trends that are shaping the security space in India. Excerpts:
What are the trends that are shaping the banking security space in India?
There are multiple ways to do banking today. You can either do it on a website or on your mobile, you can go to a bank, you can go to a merchant or go to an ATM to pay and withdraw money. Presently the entire focus of the Indian government, as well as RBI, is to ensure that all transactions that are happening, online or offline, are secure, and to see how fraud can be reduced.
We are doing a large number of transactions using payment instruments such as credit cards or debit cards. When you go to a bank ATM or when you’re doing online transactions, you might be vulnerable to fraud. Mag-stripe data is static data on the magnetic stripe, which can be copied at any time and can be skimmed. The same card can be duplicated in many ways.
One of the regulations that has been announced by the RBI is to ensure that every card a bank issues, whether a prepaid card, a credit card or a debit card, should be chip and PIN enabled. This means that it should be an EMV card that has a chip and PIN. This gives you an extra level of security when you’re doing transactions at PoS terminals, at a merchant or withdrawing money from an ATM. A chip and PIN card gives you additional security, because each transaction that you do using a chip and PIN card is digitally signed using PKI technology, which has multiple levels of cryptographic algorithms that secure the transactions.
A lot of countries across the world have migrated to chip and PIN, and India is one of the last countries to make the chip and PIN card mandatory. In India, the RBI has issued guidelines for mandatory chip migration beginning the first of September 2015. India is one of the biggest democracies in the world, with a very large population and with more than 0.5 billion credit and debit cards in circulation. It is the biggest opportunity for industry players. Starting from the end of this year, in the coming three to four years, all cards in circulation will be chip and PIN enabled.
So this was part one. Now, whenever a transaction happens while you are present there, it’s a card-present transaction. Also, when you go to an ATM to withdraw money, that is called a card-present transaction.
Most of the banks allow consumers to do online banking, and then, when the card is not there, what can be done? So for card-not-present transactions, most of the banks are enabling PKI technology as a second part of authentication.
We are also supplying the back-end authentication servers to banks, so that all the consumers who log in online can actually have a second factor of authentication, which could be a token or any form of USB device, to authenticate themselves as a second factor or third factor. So the first factor is the username and password, and in a way this can be hacked in less than a minute, so any website where you are only using a username and password can technically be hacked in less than a minute.
In what other ways can online fraud be prevented?
When you do an online transaction, there are multiple ways it can be hacked. You can be directed to a wrong or fraudulent IP address: suppose you are punching in your card details online and they go to a different IP address, which could belong to a hacker. When you log into your bank ID, say for example, to transfer money from your account or somebody else’s account, it can actually be hacked by a hacker sitting anywhere in the world. And that is why you have to ensure that this transaction is encrypted, so that it cannot be understood by a hacker.
This is where PKI security, PKI-enabled security, comes in. So suppose, for example, you are using your mobile to transfer money; you must ensure that your transactions are encrypted, and this can be achieved by a secure element in your SIM card or a secure element in your phone which will have your public-private key pair. This will be used to digitally sign what you’re doing online. We call it mobile ID.
You basically use PKI technology to generate the public-private key pair, and the security comes from the fact that the private key which is generated always sits in the secure element. So today, for example, many phones have a secure element built in, or many countries have adopted high-end SIM cards which have a secure element in them.
This is called a PKI SIM card. Countries like Norway, Finland, Oman, South Korea and Russia, and the Eurozone, have implemented this. So all these countries have the ecosystem where the telecom operators, the banks and the service providers are connected to the central platform, and any transaction which is happening is actually signed using your private key; the phone is always with you, the private key is always with you, and the private key never travels on any channel.
And therefore, anything which is usually signed using a private key which is in a hardware secure element is extremely secure.
Has Gemalto deployed EMV cards in any other developing countries also?
Yes. India is one of the latest ones to give a mandate. We are providing EMV solutions to more than 40 countries worldwide.
And many more countries are actually moving towards the EMV standard. If you talk about developing countries, Bangladesh, Sri Lanka and Nepal are all using EMV cards. And most of the countries have actually adopted it, I mean, not as a mandate, but many banks of their own are implementing EMV solutions. Most of the Indian banks, I believe, have already implemented the EMV technology in the last three years.
So beyond safer transactions, how can EMV enable a more efficient lifestyle?
Peace of mind and convenience, because EMV is actually enabling trust in the consumer’s mind. If there is a lack of trust, you cannot do something. We are building trust between the consumer and the bank for them to safely and securely transact. This communication could be from a website to a bank, from a phone to a bank or from a phone to a website. So we are actually enabling trust in this whole ecosystem.
When you have an ecosystem where there are many banks, many operators, many service providers and e-commerce websites, within the whole ecosystem you need to build trust in the consumer’s mind. Gemalto is actually ensuring that there is trust by making each transaction safer, whether it’s from mobile to mobile or mobile to website or between two banks. We also provide solutions for secure bank-to-bank transactions.
What is Gemalto’s role in ensuring security across the banking and telecom space?
We provide many solutions, like the Trusted Service Manager (TSM) solution, where we enable mobile financial transactions across the ecosystem. We have built data centers across the world, where we are providing this Trusted Service Hub (TSH) or Trusted Service Manager solution. So our data center is connected to the operators, our data center is connected to the banks, and we are connected to the service providers. We have operators and banks on the same data centers to build the trust.
Countries like Singapore and Japan have all implemented TSM, whether it’s an SP TSM, which is a service provider TSM, or an MNO TSM.
We are building this ecosystem where we enable all the banks to be connected to the operators, and I can be one operator’s subscriber and I can download a Visa or a MasterCard app onto my SIM card, and then complete a very secure transaction without having the card in my wallet. I can use my phone to do all those secure transactions.
To elaborate on TSM, which is Trusted Service Manager: in very simple language, whatever the credentials of your credit card or, let’s say, bank account details are, if you have to make a mobile payment, those need to be transferred to your mobile in a very safe way. So that is where the TSM plays a role. From your bank account or the credit card, the details are shared over the air. They will be transferred to a secure element in your mobile phone and then you can start using them. Atul also mentioned Trusted Services Hub (TSH). You might have heard that the handset makers or mobile network operators are coming up with different kinds of mobile payment options.
And so, if I’m a bank or if I’m a service provider and I want to cater to all types of handset devices in the market, having different kinds of technology in them like HCE, etc., what we need is a centralized mechanism which can transfer the credentials of the credit card or the bank account records to any type of device in the market. So this is called the Trusted Service Hub.
How does mobile ID benefit the government and citizens?
Today if you have to sign a document, it could be a tax return or it could be a legal document, which you want to sign digitally, you need your laptop and you need a digital USB token, which will actually have your digital signatures or your digital credentials and your digital certificate. So these two things are required as of today in India to do any digital signing. This started in India in the year 2002 with the MCA21 project, where all the companies in India were mandated to submit returns online at the end of the year.
Since then most state governments and central government officials have been issued this USB PKI token, which actually is a digital certificate for them. So they can actually do digital signing, which is recognized legally in India as equal to the wet signature.
In the previous era you needed a laptop with a USB port and you needed a PKI token to do a digital transaction. The mobile ID is actually combining these two and giving you the same level of security using your mobile phone. So what we are essentially doing is this: the USB token actually has a chip acting as a secure element. A secure element by definition is a memory area which does the cryptographic transactions.
It’s different from a normal memory, because it can actually do cryptographic transactions. You need a co-processor or multiple processors to process complex algorithms, which actually generate the secure PINs. What we do is, the SIM in your phone now does the function of the secure element from the USB token.
For example, you can access your bank account using mobile ID. When you open the website, you will be prompted to put in your username and your password. So that is the traditional way of accessing your bank account.
Or you can also have a tab which will say, please log in using mobile ID. So in mobile ID, the username is only your phone number. So in the traditional world, you know, you have got maybe 20 usernames and 15 passwords, or maybe 20 usernames and 10 passwords. But using mobile ID, your identity is your phone number, common across all logins, and then your password can be a simple four- or five-digit PIN; it’s like an ATM PIN.
So the only thing which you have to remember is your phone number, which is your username, and the only password is actually your four- or five-digit PIN, which you yourself choose.
So when any user logs into his/her bank account and it says please log in using mobile ID, the user can just click on that tab, put his/her mobile number as the username and then click okay. Then the Gemalto platform sends an SMS to the user’s mobile asking, are you trying to log in to your bank account? So when the user okays the request, he/she will be directed back to the operator, to the platform which is connected to the bank website.
And when the user chooses to say okay, the user is digitally signing the request. So it will say, please enter your PIN, and then the user should enter his four-digit PIN, and with that the user will be authenticated on the website. So in this way, you are accessing the website using IP, using one channel, the internet channel, and you’re authenticating yourself using the mobile channel via the operator.
So the access channel and the authentication channel are different. So hacking in a mobile ID scenario is extremely difficult, because today, if I’m sitting and doing a web transaction and transferring money using my laptop, or even if I’m using a phone to transfer money using a website, I’m accessing through the same channel and authenticating on the same channel.
But when I segregate the access and the authentication channels, it becomes extremely difficult for a hacker to hack, first of all, the operator’s SMS channel and also hack the IP channel through which you are accessing it. So this is called out-of-band authentication. So OOB authentication is the most secure way of authenticating yourself, and if it is PKI authentication using a secure element, it’s the highest level of secure channel in the world.