Two major financial sector organisations are trialling intelligent-card authentication for online customers to prevent fraud.
The technology relies on a numeric display on the card tightly synchronised with a clock at the organisation’s main site and a PIN -- “something you have and something you know”, says Mark Pullen, business development manager for the New Zealand arm of US IT security specialist RSA.
However, RSA has not made a submission to the current survey of authentication technologies by the State Services Commission’s e-government unit nor talked to the unit, says Pullen. The company is too busy with its commercial customers, he says. He declines to identify the two customers.
RSA NZ will talk to the unit at some stage, but Pullen says the unit seems to be inclining towards digital certificate authentication.
Public fear of theft of credit card numbers is still holding back the real progress of e-commerce into the public environment, Pullen says. The fear is unreasonable, given that the electronic transaction is far safer than its manual equivalent, he says. The only way of countering it is to get successful, working applications out in the market. “Let’s talk about our successes instead of dwelling on unsubstantiated negatives.”
Authentication is the key, he says, proving that the user alone has the right to perform this transaction or access this application. Intelligent token technology, typified by RSA’s SecurID, requires the user to have the token, enter a PIN on it and then be shown a six-digit number on the card’s display. This number is the result of calculations that go on simultaneously in the card and in a computer at the organisation, so the two numbers are synchronised. Entry of the right number is proof that the person has the card and knows the PIN.
A static identifier such as a credit card number or password only assures one of these factors. A fraudulent user need not have the card to know the number.
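The two-factor check described above, as an added illustration that is not code from the article or from RSA: the token and the server each derive the same six-digit code from a shared secret and the current time step, and a login succeeds only if the submitted code matches and the PIN is right. SecurID's own algorithm is proprietary; this example substitutes an HMAC-based time-derived code (in the style of TOTP), and the secret, PIN, 60-second step and one-step clock-drift allowance are all constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the article). A real deployment keeps the
# per-token secret inside the token and in the server's authentication store;
# only the user knows the PIN, and the server stores a hash of it.
TOKEN_SECRET = b"demo-token-secret-0001"
PIN_HASH = hashlib.sha256(b"4321").hexdigest()
STEP_SECONDS = 60  # assumed lifetime of one displayed code


def tokencode(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Code the token would display at unix_time: both sides run this over the
    same secret and the same time step, which is what keeps them synchronised."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify(pin: str, submitted_code: str, server_time: int, drift_steps: int = 1) -> bool:
    """Server-side check of 'something you know' (PIN) and 'something you have'
    (the code only the holder's token can produce). Both factors are always
    evaluated so a failure does not reveal which one was wrong."""
    pin_ok = hmac.compare_digest(
        hashlib.sha256(pin.encode()).hexdigest(), PIN_HASH
    )
    # Tolerate a small clock drift between token and server by accepting the
    # codes for the neighbouring time steps as well.
    code_ok = False
    for k in range(-drift_steps, drift_steps + 1):
        expected = tokencode(TOKEN_SECRET, server_time + k * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted_code):
            code_ok = True
    return pin_ok and code_ok


if __name__ == "__main__":
    now = 1_000_020                               # constructed timestamp
    shown = tokencode(TOKEN_SECRET, now)          # what the card would display
    print("token shows", shown)
    print("correct PIN + code:", verify("4321", shown, now))
    print("wrong PIN:", verify("0000", shown, now))
    print("stale code (3 steps old):", verify("4321", shown, now + 3 * STEP_SECONDS))
```

A stolen static number fails this check on its own: knowing the PIN without the token, or capturing one displayed code without the PIN, satisfies only one factor, and a captured code expires after the drift window closes.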
The technology is intermediate in complexity between relatively easily compromised passwords and complex digital certificate/PKI setups, he says.
SecurID and similar technologies have been used within companies to ensure secure access to applications and virtual private networks, but it is time for them to come out into the mainstream commercial and B2C space, Pullen says.