Like it or not, banking is moving online in a big way. But as the number of online banking customers grows, so too do the security risks, particularly for high-value commercial banking transactions which make a tempting target for cybercriminals.
HSBC, the global banking group, wants to encourage more commercial customers to use internet banking. But it has long recognised that the security measures used on its personal banking website – a combination of PIN and challenge phrase – were insufficient for business accounts.
To allay widespread fears about internet security among its personal banking customers, HSBC promises to refund the amount of any unauthorised transaction conducted online.
But for commercial customers, the value of transactions can be quite high – HSBC’s UK commercial customers have a £100,000 daily transaction limit – and the risk to the bank is consequently much greater.
To reduce the risk, HSBC recognised it needed a way to better authenticate its commercial users.
“Most banks just re-badge their personal internet banking offering for commercial customers but we recognised that businesses need greater functionality and also better security,” says Trevor Oney, Senior Manager, HSBC’s senior manager for e-commercial banking in the UK.
In 2002, HSBC began to use digital certificates to authenticate its UK commercial banking customers.
“It was spectacularly successful and the fraud levels we got using digital certificates were truly minuscule,” says Mr Oney.
Nevertheless, the use of digital certificates created support headaches for the bank. As the certificate – a small piece of software code – is installed on a specific PC, the customer must always use the same computer to access their bank account.
In addition, certificates periodically expire, obliging customers to download new ones. Sometimes, the certificate was deleted by accident – when a new operating system was installed, for example.
According to Mr Oney, these issues led HSBC to look at a less “intimidating” way to protect its commercial banking customers.
Security experts have long argued that the best way to prove that people really are who they claim to be is using “two factor” strong authentication and this is the approach HSBC chose. With two-factor authentication, the user can only access the site if they successfully pass two separate challenges: one based on something they know, such as a PIN or mother’s maiden name; and the other based on something they own.
In the case of the HSBC, the object of desire is a small electronic device called a “token” which generates a fresh password each time a button is pressed.
The tokens are supplied by Vasco, a Belgium-based company specialised in authentication technologies.
Tokens have been used for security applications for some time– one common application is to authenticate remote users trying to access a corporate intranet –but most deployments to date have been limited in scale.
Nevertheless, for HSBC’s internet banking initiative, the bank ultimately wants to distribute the devices to all its commercial banking customers that have registered to use online banking. That is around 400,000 users or half the total number of business customers that HSBC has in the UK.
The high penetration rates might surprise those critics who once argued that internet banking would never be as popular as branch-based banking.
Mr Oney says customers are today more inclined to use internet banking, particularly for mundane transactions, and the banks actively encourage this by charging lower fees on transactions conducted online.
With such a high number of internet banking users, HSBC realised that it needed a device that was low-cost and, equally important, easy to use if the bank was not to be once again swamped with customer support issues.
Some of the Vasco tokens incorporate keypads for higher security, but for reasons of cost and usability, HSBC ultimately opted for a simple low-end model, the Digipass GO3, which has just a single button and a small LCD screen. The device costs around £2 in large quantities.
Once the user has typed in their user ID and PIN on the internet banking login screen, the system asks for a second password, called a one-time password (OTP). To generate the OTP, the user presses the button on the Digipass device and a unique number is displayed on its LCD screen. The user then types the OTP into the appropriate box on the online banking screen and gains access to the account.
The OTP is valid for 16 seconds, so even if an enterprising hacker had discovered a way to intercept the user ID, PIN and OTP as they pass to the bank’s website – highly unlikely as communications are encrypted using SSL technology – then the hacker would have just 16 seconds to attempt to enter the site. Once the 16 seconds expires, the OTP expires and another one has to be generated.
The tokens have to be physically sent to the users, which creates a potential weak link. Nevertheless, Mr Oney says that even if token is intercepted it will be useless to a would-be hacker because an activation code is needed before it can be used. The activation code is sent separately via internet to the registered user.
Since the initiative started in April 2006, the bank has sent out 27,000 tokens, starting first with new customers.
According to Mr Oney, there have been no complaints about the system and the bank now wants to migrate all its online commercial customers to the new system.
The same token technology has already bee used on a smaller scale with HSBC customers in the US and Hong Kong, and ultimately HSBC plans to roll it out to all the countries where it operates.
Mr Oney says that the token adds an extra layer of security to HSBC’s existing security measures. Even if it is breached, the bank has other security cards up its sleeve. He is reluctant to give too many details, but one measure is to monitor atypical behaviour – sending a high-value transfer to an account in a foreign country that is not on a list of regular payees, for example.
“Technology is important but we adopt a layered approach to security so the OTP is by no means our last line of defence,” says Mr Oney.