Hardware vulnerable in two-factor authentication

Two-factor authentication that uses password-generating token cards may be an extra measure of security, but it is not tamper-proof, says mobile banking software vendor Meridea.

Hardware tokens generate new personal identification number (PIN) within a specified period of time, usually a minute, said James Chong, Meridea's senior vice president of sales. When a bank customer logs onto a fake copy of a Web site and enters the PIN generated by the token, cyber criminals can then extract that number to validate transactions on the actual site within that one minute, and commit fraud, he said.

To overcome this, Meridea this week launched a new software authentication product that involves the use of Java-enabled mobile phones, said Jukka Riivari, CEO and president of Meridea. With the software, the user has to complete a "challenge-response" sequence using a numeric code delivered to the mobile phone from the bank's server in order to complete the transaction. Each code is unique depending on the transaction details.

The financial services sector has traditionally been a target of hackers and cyber criminals intent on financial gain.

Two-factor authentication has been tipped to be a necessary step forward to minimize fraudulent transactions. It typically involves the use of security tokens, SMS (short messaging service), smart cards and biometrics in addition to passwords.

Its use is not new to the region. Hong Kong banks implemented two-factor authentication last June for all high-risk retail Internet banking transactions including fund transfers to non-designated accounts.

The Monetary Authority of Singapore issued a guideline to banks in the island-state, urging them to adopt two-factor authentication by December this year.

According to Meridea's Riivari, Australia and Malaysia are also starting to put guidelines in place.

The mobile phone is a device that is "precious", he pointed out. The time taken for an owner to discover the loss of his mobile phone is likely to be much shorter compared to the loss of a token card, which is used only when someone needs to make a banking transaction.

It is also cheaper to store authentication software in mobile phones, Riivari added. In the implementation of hardware tokens, recurring costs such as the replacement of lost or faulty devices are significant, and can range from S$40 (US$24.50) to S$60 (US$36.74) per user per year, he said.

Riivari estimates that banks that use software tokens can keep their implementation and recurring costs per-user under S$10 (US$6.12) a year.

He declined to say how much banks would be required to invest, but did say that companies can deploy Meridea's authentication software on a yearly-based service and licensing fee model.

Riivari however, conceded that Singapore banks may not be keen on the software-based authentication model, preferring instead to implement two-factor authentication that uses a mixture of both hardware and software tokens.

Banks will want to cater to customer who do not have Java-enabled phones, but who still want to access online banking services, he explained. To address this issue, he suggested that banks offer Java-enabled phones to their customers, and offset the cost from the savings achieved from using software-based authentication.

Meridea is currently running several pilots worldwide on its new mobile authentication software, including one in the Asia-Pacific region, and an online gaming business, said Riivari. The company is also targeting other markets in the region, including China, Hong Kong and Taiwan.