Security Check

A quarter of a century ago, Symantec Corp had invented commercial antivirus software to protect computers from hackers. However, a couple of weeks back Brian Dye, the firm's Senior Vice President for information security set the air waves in a tizzy when he was quoted as saying that antivirus is dead.

While that's bound to have multiple ramifications on the antivirus community itself, it also reflects a broader shift in the $70 bn a year cyber security industry. Ajay Dubey, Manager, South India, Websense says that there were 4.1 bn cyber attacks over CY 2013, which roughly translates to a whopping 130 attacks every second with most of it aimed at financial gain. Ritesh Chopra, Country Manager-Sales, India, Norton by Symantec echoes points to the recent State of Financial Trojans of 2013 report by Symantec, which states that India ranks #7 in the number of computers compromised by banking Trojans in 2013, "making our country vulnerable to targeted banking attacks."

Given the backdrop, security software solutions have found an increasing usability within banks and all forms of e-commerce verticals providing user authentication processes and services. In fact, the market for multi-factor authentication processes alone is expected to reach $10.75 bn by 2020, at a CAGR of 19.67%, according to a new market research report titled "Multi-Factor Authentication Market by Model/Type (Two, Three, Four & Five-Factor), Application (Banking & Finance, Government, Defense, Healthcare and others), & by Geography-Global Trend & Forecast to 2014 - 2020", published by MarketsandMarkets.

Srinivasan CR, Vice President, Global Product Management, Datacenter Services, Tata Communications says that the growth signifies that the market requirement will grow as more and more applications will move to the cloud. Developed markets will grow at 10-15% of CAGR, however developing markets are expected to grow at 18-22% of CAGR, he adds. In March this year, Tata Communications entered into a global partnership with information security experts, SafeNet to provide cloud-based multi-factor authentication as a managed service. Claimed to be a first-of-its-kind service in India, the cloud-based delivery model enables businesses to implement multi-factor authentication services that verify the legitimacy of a transaction and secures access to corporate networks.

Currently, the global market for user authentication services is estimated to be over a $1 bn, 10% of which is estimated to be the size for cloud based deployment. That, combined with the rising instances of phishing and pharming attacks on online transactions has meant that solutions and service providers have great times to look forward to.

Typically, two-factor authentication model covers almost 90% of the market for multi-factor authentication, wherein banking and finance, travel and immigration, commercial security are the major applications. When compared to two-factor authentication, three, four, and five-factor authentication models are less used. The three-factor authentications include smart card with pin and biometric technology, smart card with two biometric technologies, pin with two biometric technologies and three biometric authentications. On the other hand, four- and five-factor authentication includes the use of smart card and pin with more than one type of biometric technology such as face recognition, fingerprint recognition, voice recognition, and so on. Three-factor authentication is mostly used in private access areas like bank lockers, secret data access, defense, travel & immigration. The use of four- and five-factor authentication models is restricted to high cost projects in defense, research, and government-based applications.

Today, North America is the biggest multi-factor authentication market; followed by Europe and APAC. Nitin Rakesh, the newly appointed CEO of Syntel points out that in the United States, the biggest security threats arise from Trojans Web injection (modifying the contents of web pages before displaying them to the user), hijacking an HTTP/HTTPS session (the ‘man-in-the-middle' attack), spoofing an authentication form or redirecting to a targeted phishing page, making screenshots of the desktop or keystroke logging.

THE RISK DRIVERS

Ashish Thapar, Head, Global Consulting and Integration Services (GCIS), India and South Asia, Verizon Enterprise Solutions says, "Privacy is low in India. India can definitely do more when it comes to data security when compared to their European counterparts." The RBI however, he points out is doing some wonderful work and the scenario today is much improved compared to some ten years back.

Web-based financial transaction systems have come under repeated attacks resulting in serious loss of revenue. And, identifying the end parties and securing the communication channel solves only one aspect of the bigger problem. The core problem with secure communication is that of setting up trust between two parties. This secure channel is required to keep their messages secure from both eavesdropping as well as message-integrity-violation (modification in transit).

Sanjay Deshpande, Co-founder and CEO of Pune-based security technology provider, Uniken lists dependence on 3rd-party software for authentication and encryption as one of the topmost reasons for trust deficit between partners. He says, "the advent of Certification Authorities and SSL is the result of an extremely myopic vision, one which limits the scope of security to providing a secure between two unknown, ‘un-trusted' parties for data to move securely while completely ignoring the identity of the end-points between which that data travels." Channel Security between parties during communication is important, but its importance is lost to the point of irrelevance, if it is not preceded with end-point authentication -validation of the real-life trust relationship between them.

Dependence on email for communication between bank and customer is another risk driver. Considering the value transactions, especially those of corporate customers, the risk involved is higher and makes the need for military grade security paramount. Customers often use banking services on the go-to make payments, check balances, approve transactions, etc. They also need means to communicate and share files with bank employees over a secure channel that is currently accomplished through public email, communicators, FTP, SFTP which are vulnerable to malicious attacks.

Then again, unsecure sharing of customer data with vendors/partners (bill printers for example). The extended enterprise is a reality. With growing sophistication in both the engagement models and delivery channels, it is becoming increasingly critical to extend the enterprise boundaries to cover the external partners. Partners also need a means to communicate and share files with an organization over a secure channel that is currently accomplished through vulnerable channels such as email or FTP which are vulnerable. Sometimes, providing VPN based access is not only unviable in these cases, but is also extremely costly, due to the overhead costs of managing these networks.

Kartik Shahani, Regional Director, India and Saarc, RSA says the problem, though not as big in India as it is globally, is likely to snowball unless Banks take preventive steps to curb the attacks.

Jan Valcke, COO and President at Illinois-based, Vasco Data Securities points out that the first sector where the potential risk from the internet started to appear, was in banking. "It appeals to cyber criminals for exactly the same reason it appealed to bank robbers since the days of the Wild West: it's a source of high value transactions and a gateway to someone else's money." Moreover, there is more to fetch than just banknotes. Hackers are also interested in customer information or intelligent property, or they may break into a smaller supplier's database to use it as a steppingstone to reach a larger company's information and data.

WHAT DO BANKS WANT?

Traditionally, banks have delivered services through internet banking on desktops & laptops and via mobile banking for smart phones and tablets. This heterogeneous user experience has resulted in a complex back-end delivery infrastructure which not only creates significant barriers for faster time to market but also gives rise to security concerns, says Valcke. The underlying public internet technologies have been time and again proven to be insecure, with banks being a regular target of phishing, MITM, MOTM, and MITB attacks.

 

"Retail banks today primarily look for Multi-factor Authentication, which leverages the Cloud and Phone-as-a-Token Authentication-essentially using a smart phone as a OTP token. Other methods include virtual keyboards and biometric authentication, using factors such as face topography, iris structure, the vein structure in a hand or fingerprint, or voice and typing rhythm," says Rakesh of Syntel.

WHAT THE BANKS ARE DOING

Vishal Salvi, Chief Information Security Officer at HDFC Bank says, "Various aspects are taken into consideration while setting up a secure authentication process. You have to differentiate between rogue individuals and genuine customers. First you identify rogue sites then you monitor them. Look for IP addresses with questionable reputation."

An ideal security architecture, according to Salvi, is a combination of both, hardware and software plus services. "At HDFC Bank, multi-layered authentication processes have been in place for the last 6-7 years. There is a constant review process. Besides we also have traditional firewall applications in place. HDFC Bank spends 7-8% of its IT budget on security. We spend a long time on risk analysis to stay one-step ahead of the game because the risks keep changing everyday."

The security of online accounts will remain one of the major challenges for the Internet sector, says Valcke. Consumers and companies worldwide doubt the value of static passwords to secure their accounts. Additionally, more and more smart card and mobile phone devices are used to perform contactless payment. However, there are some security risks involved. This new technology based on NFC gives hackers new possibilities to intercept, modify or replay transactions. Moreover, it is also possible to copy data that are not properly protected from a NFC device using a specific program running on a smart phone. And last but not least, strong authentication and Fraud Risk Management (FRM) solutions have become hugely popular at banks of all sizes due to the increase in popularity of both online and mobile banking. Reserve Bank of India (RBI) increased the limits for transactions for online and mobile banking, which has resulted in a huge uptake of customers going online for transactions thereby resulting in an increase of awareness of online security.

NO BLANKET SOLUTIONS

Thapar at Verizon says, "Banks need to arrive at a security solution from a business perspective." Look at their banking channels and then arrive at identifying threats and vulnerabilities. Standards like PCI and ISO 27001:2013 help banks arrive in their decision-making. Depending on areas of criticality, banks should build a firewall, he cautions. He echoes that how third-parties are accessing banking network should be carefully assessed. After all, non-disclosure agreements are just a tick in the box.

While a single-solution-to-all-problems approach may not be the answer, it is clear, that there is a need for a unified user experience across various digital channels along with end-to-end security to enable trusted relationships with the banking customers.

 

Uniken suggests that banks need to:

• Think out of the box with regards to securing their internal-facing as well as external-facing services/assets
• Be wary of and not get comfortable with the implementation of SSL/VPN/OTP - these do not provide foolproof security to their customers
• Explore custom-made security solutions that address inherent concerns with current tools that have proved to be inadequate

Srinivasan at Tata Communications says, "Traditional multi-factor authentication services require on-premise hardware investment, maintenance and the right skills for management, which together act as a deterrent for deployment. "We have brought a cloud-based multi factor authentication system into the market which gives the enterprises the option of being able to use dynamic password in different form - soft tokens and hard tokens." This service is Service Assertion Markup Language (SAML) which allows the users to login to multiple application or usage of the same authentication that they have done. This allows the user to visit multiple sites without logging in multiple times. The customer need not go through the process of setting it all by himself including hardware installation. He just needs to buy hard tokens, however, most of the people today prefer soft token as well. Most importantly, it is a ‘pay-per-use' service.

Syntel, on the other hand is focused on enabling their banking customers to transform the user experience through digital offerings like ‘digital wallet' apps, tokenization and Cloud-based authentication services. The other big thing that sets them apart, says Rakesh, is their accelerator-based fraud analytics services. Engineers and mathematicians work in the big data practice, and have built a number of utilities that lets their customers comb through massive amounts of data to identify fraudulent transactions and even employ predictive analytics to identify fraud activity as it's happening.

At Vasco, smaller banks usually opt for VASCO's authentication server tool, the so-called IDENTIKEY Authentication Server Banking Edition. Larger banks want a tighter integration for their online banking solutions, so they usually choose the authentication API solution (viz.

VACMAN Controller), says Dalcke. Most of them offer a higher level of security with the HSM (Hardware Security Module) license. On the client-side solution, they have a host of end user authentication devices, called DIGIPASS. These devices-either hardware or software-enable users to generate one-time passwords for secure logon to online applications, or electronic and digital signatures to secure transactions.

Clearly, the threat looms large and nobody knows who's going down next. But when it comes to security, there's no such thing as too much. The good news is, thanks to some stringent regulations, processes are already in place in most case, and merely require an updation of technology. The RBI regulations, industry compliances and every bank's self-security measures have helped. But let's not forget that one of the chief reasons for the relatively lower cases of online frauds in India is the low usage. For a country with the size of India, less than 30-35% of the population uses a plastic card. And a lesser percentage goes online. Not a comforting thought, that.