DATA PROTECTION ESSENTIALS

Out-of-band authentication: Methods for preventing fraud


George Wrenn, Contributor
05.08.2008
For financial institutions, protecting user accounts from online fraud is a top priority. But how can this task be accomplished while preserving customer-friendly procedures? Complex and cumbersome authentication methods -- such as biometrics and digital certificates -- can be a turn-off for end users and can be expensive to deploy and operate.

One alternative option available to financial service firms is to implement an out-of-band authentication system as an added layer of protection for all sensitive or high-value transactions. By definition, out-of-band authentication uses a channel or communication path that is not directly associated with the access path to the application or data.

Put simply, rather than relying on a single, potentially vulnerable channel for application access, data access and authentication, out-of-band authentication requires that a separate, discrete pathway, such as a telephone network, be used in the authentication process. This provides a second channel in the event the primary Internet channel is compromised: an attacker would have to control both the Internet session and the secondary channel (the phone network or the end user's handset) to complete a fraudulent transaction. That independence is the whole value of the scheme, so it holds only as far as the two channels really are separate. If the customer reads the code on the same malware-infected device used for the browsing session, or an attacker has had the customer's number redirected at the carrier, the second channel adds little.

While some may argue that out-of-band authentication adds complexity to the authentication process, these systems only require the user to have a cell phone or home phone on which to receive a code or respond to a voice prompt. They also require little training, and the cost to deploy may be lower because they use the end user's own phone and the public telephone infrastructure.

Just how does out-of-band authentication work? Here are some examples:

Text messages
When a customer logs in to the financial website successfully with a username and password, the user is prompted to click a button that sends a numeric one-time code via SMS to the cell phone number on record at the bank. The user receives the code on the cell phone, enters it on a second secure Web page and clicks the "verify code" button. A correct code confirms that whoever is logged in also holds the phone on record. The code should be randomly generated, valid only for a short window and accepted only once, so that a code captured later is of no use to anyone.

With this type of out-of-band authentication system in place, even if a criminal obtains a customer's username and password, the account compromise attempt is thwarted because the attacker cannot receive the one-time code sent to the customer's cell phone. Should this scenario play out, the customer receives an unexpected text message (or call) from the application, which serves as an alert to the attempted fraud and enables the customer to contact the financial institution and report the attempted unauthorized access.

Telephone
Another out-of-band authentication scenario involves the same steps, with the legitimate user logging in to the financial website, but instead of receiving a text message, the user is asked to initiate a call back by clicking a button on the Web page. This method requires the customer to answer on the telephone associated with the phone number on file with the financial institution, which serves as the second form of authentication.

The financial institution's out-of-band authentication server calls the customer, and a voice prompt asks the user to recite a word or enter a numeric code presented on the financial Web page. If the customer is indeed initiating the authentication, he or she passes the challenge by simply reciting the word or entering the code on the dial pad. Without access to the customer's phone, a malicious user is thwarted. Note that the direction of the code is reversed compared with the SMS method: the code is shown on the Web page and must be entered on the phone, so an attacker holding a stolen password can see the code but cannot answer the call.
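Both flows above come down to the same server-side bookkeeping: generate an unpredictable code, bind it to the login session and the phone number on record, deliver the code (SMS flow) or the voice prompt (call-back flow) over the phone channel, and accept the code once, within a short window, with a cap on guesses. The following Python is an added example written for this page, not code from the article or from any vendor's product. The code length, lifetime and attempt limit, the stub `send_sms` and `place_call` callbacks that stand in for a real SMS gateway and dialer, and the phone numbers are all assumptions made up for illustration.

```python
"""Server-side handling of an out-of-band one-time code (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Hypothetical policy values; the article does not specify them.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 120
MAX_ATTEMPTS = 3
# Per-process key: a leaked challenge table is useless without it.
_SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Challenge:
    """One pending challenge, bound to a login session and the phone on record."""
    session_id: str
    phone_number: str      # taken from the customer record, never from the request
    code_hash: bytes       # HMAC of the code; the plaintext code is not stored
    issued_at: float
    attempts: int = 0
    consumed: bool = False


def _code_hash(session_id: str, code: str) -> bytes:
    # Mixing the session id in means a code captured for one login cannot be
    # replayed to complete a different session.
    msg = f"{session_id}:{code}".encode()
    return hmac.new(_SERVER_KEY, msg, hashlib.sha256).digest()


def _new_code() -> str:
    # secrets, not random: the attacker is assumed to already hold the password.
    return "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))


def issue_sms_challenge(session_id: str, phone_on_record: str,
                        send_sms: Callable[[str, str], None],
                        now: Optional[float] = None) -> Challenge:
    """SMS flow: the code goes out by text and comes back over the Web page."""
    now = time.time() if now is None else now
    code = _new_code()
    send_sms(phone_on_record,
             f"Your one-time login code is {code}. "
             "If you did not request it, contact the bank.")
    return Challenge(session_id, phone_on_record, _code_hash(session_id, code), now)


def issue_callback_challenge(session_id: str, phone_on_record: str,
                             place_call: Callable[[str, str], None],
                             now: Optional[float] = None) -> Tuple[Challenge, str]:
    """Call-back flow: the code is shown on the Web page and keyed in by phone.

    Returns the challenge and the code to display; place_call is the dialer
    that plays the voice prompt (a stub in this example)."""
    now = time.time() if now is None else now
    code = _new_code()
    place_call(phone_on_record, "Enter the code shown on your screen, then press #.")
    return Challenge(session_id, phone_on_record, _code_hash(session_id, code), now), code


def verify(challenge: Challenge, submitted: str,
           now: Optional[float] = None) -> str:
    """Check a code typed on the Web page or on the phone keypad.

    Returns "ok", "consumed", "expired", "locked" or "mismatch"; only "ok"
    completes the login, and it is returned at most once per challenge."""
    now = time.time() if now is None else now
    if challenge.consumed:
        return "consumed"
    if now - challenge.issued_at > CODE_TTL_SECONDS:
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1
    digits = "".join(ch for ch in submitted if ch.isdigit())  # drop spaces, keypad '#'
    if hmac.compare_digest(challenge.code_hash, _code_hash(challenge.session_id, digits)):
        challenge.consumed = True
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    # Constructed demo: the "gateway" only records what it would have sent.
    outbox = []
    ch = issue_sms_challenge("sess-42", "+15555550100",
                             lambda num, text: outbox.append((num, text)))
    print("sent:", outbox[-1])
    print("wrong guess:", verify(ch, "000000"))
    # In production the code is only on the customer's phone; read it back
    # from the stub outbox here purely to show the happy path.
    real_code = "".join(c for c in outbox[-1][1] if c.isdigit())
    print("real code:", verify(ch, real_code), "/ replay:", verify(ch, real_code))
```

The two issue functions differ only in which side displays the code and which side types it; `verify` is shared because in both cases the server compares a digit string against the stored MAC. Keeping the phone number out of the request and the plaintext code out of storage are the two properties that make the channel genuinely out of band on the server side.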

More sophisticated schemes may even feature biometric voice recognition, in which the user's voice is matched to a known voice print on record. This particular technology choice demands that the user allow the financial institution to keep a voice print on file to confirm or prove the authenticity of the end user.

The value proposition
Most current mass-market financial out-of-band systems rely on users' existing cellular or landline phones, as these devices are ubiquitous, already in place and cost-free for financial services firms to leverage.

Deployment and enrollment can be kept to a manageable level without the need to issue hardware or certificates to customers. New users only need to provide a phone number for SMS messages or call backs from the bank's authentication server. Best of all, password resets can be automated through the out-of-band authentication system without expensive customer service calls. Customer churn can present an ongoing management issue as well; the out-of-band authentication system allows rapid deactivation, since no certificate or hardware needs to be recalled. Enrollment is also the step to protect most carefully: the phone number on record is the second factor, so a change to it should itself be confirmed out of band on the old number rather than accepted from an authenticated Web session alone.

Out-of-band authentication presents a viable option for financial services firms to toughen authentication for online services. Given its ease of use and relatively low total cost of ownership, security professionals at financial institutions should evaluate its benefits.

About the author:
George Wrenn, CISSP, ISSEP, is a frequent contributor to SearchSecurity.com and Information Security magazine. He served as a director of security in the financial services industry and is now a consulting security expert. He is also a Six Sigma Black Belt, a Harvard graduate and was trained in cryptography at MIT. He can be reached at mitalum@mac.com.


Copyright 2008, TechTarget