Since the beginning of the 2FA "hype", many have argued that the most reliable form of authentication is one taken Out of Band, meaning that the authentication happens on a channel different from the one carrying the action that requires it.
In the online banking world this means using a channel other than the Internet connection of the customer's computer (the least secure banking terminal there is), generally achieved by delivering additional authentication codes via SMS messages or phone calls. Overall, this is definitely a better idea than asking the user to manually re-enter transaction details into a separate device, or having them connect another device to the computer. The issues, however, are cost and availability...
SMS has never been a quality-assured channel: it mostly works in "fire and forget" mode, with delivery speed depending on many factors outside the sender's (the bank's) control. The bank also has to keep the user's current phone number on file and have a secure procedure for changing it. Furthermore, the cost of an SMS is still relatively high. Assuming 1m online users with 10 transactions per month each, the bank will be sending 10m messages that, at an average SMS cost of 5 cents, translate into 0.5m euro per month, or 6m euro per year (6 euro per user per year).
A phone call is a better option since it establishes a real-time independent connection with the user and has, in principle, unlimited bandwidth (subject to cost and usability). It comes at the price of a higher overhead in managing multiple users' phone numbers, and the cost of the call varies with the particular implementation and the user's location (you would not want to use this method on a mobile phone during a holiday abroad, where a missed call can cost 5 euro thanks to hidden operator charges!).
The SMS/phone call Out of Band approach works as a relatively simple to roll out complementary method of authentication suitable for small deployments. It does not scale. A failed/delayed delivery rate of just 0.1% on those 10m SMS messages would mean 10,000 failed transactions per month (120,000 per year) for a bank with 1m online customers; this will have a significant impact both on customer retention and on support call volume (and the associated costs).
If only there were a way of establishing an independent secure communications channel between the user and the bank that has high availability and no operational cost!
At Cronto, we believe the visual channel meets these requirements. The bank can generate a special image, e.g. the Cronto visual cryptogram, that can be displayed in any browser just like any other image (so no cost or availability issues), and the user decodes it with an independent device, a cameraphone or a standalone optical token, which ensures channel separation.
The use of the visual channel is definitely gaining momentum: Cronto has recently launched a deployment with Commerzbank AG, a number of vendors are announcing optically capable devices, and academic researchers are designing cameraphone-based solutions:
This month Finextra launched the Innovation Showcase, "a new feature on Finextra.com highlighting the most innovative financial technology developments over the past 12 months". Cronto is pleased to be named one of the leading innovators in the Authentication and Security category.
Using innovation to improve processes and focusing on retaining the customer is vital in the current economic environment, and the visual channel offers the optimal Out of Band-type solution for banks looking to reduce or prevent fraud losses cost-effectively and at scale, while delivering a better customer experience.
Securing personal financial transactions online and all that comes with it: trojans and man-in-the-browser, e-banking and e-commerce, usability and scalability. By Igor Drokov, Elena Punskaya et al. at Cronto - the inventor of Visual Transaction Signing.
