Hard Tokens and The Hard Choice For Retail Banks

Author: Steve Hope, Director of Winfrasoft
In the world of technology it is inevitable that some will succeed and some will fail, but it isn’t always the best technology that wins through. Over the years there have been many examples of this, and those of a certain age will recall how Betamax was considered by many to be the better format but VHS won the battle. However, replacing a video recorder was a relatively small expense, but when a large institution, or indeed an entire sector, gambles on black and red comes up, it isn’t so easy to change. This is the situation for retail banks using hard tokens today.

The purist view held by many in the banking world, and indeed beyond, is that hard tokens used to deliver 2FA are the most secure, as physical hardware can have protection mechanisms in place to prevent tampering. However, that isn’t representative of the real-world threat. The reality is that these devices are the cause of high operational and procurement costs, and can drive away customers who are frustrated with the barriers that are put in place. After all, Internet banking for the customer is all about convenience (for the bank it is also about driving down costs). When HSBC introduced its Secure Key last year it created a backlash from customers on Facebook.

The problem with hard tokens from a customer point of view is that they don’t want to carry them around, especially the clunky card reader types. So, when they are traveling, or just out of the house/office, they end up reverting to telephone banking, or heading into a branch (the more expensive service channels). Then there is the problem of when you are away on a two-week holiday and you leave your token at home, or you lose it. Then how do you access your bank account?
Over the years, so much has been invested by banks in the hard token deployment that it has almost gone past the point of no return. This is despite the fact that the further they go, the more costly it continues to get in terms of purchasing and renewing tokens. To turn back now would perhaps be perceived as an admission that the hard token system was a failure, and it would take a brave IT Director to stick their neck out and say that! Also, if you are going to make such a statement you need to be able to offer a better solution. Fortunately, there is a strong alternative beginning to emerge, driven by the proliferation of smart devices.

I am in no way suggesting that 2FA is not the right approach for banks; it is without doubt the way to go. Technically, those with no 2FA in place are less secure than those with 2FA. However, attacks such as Operation High Roller (a sophisticated attack on the Internet banking customer accounts of 60+ banks, which has netted the bad guys between £46 million and £1.6 billion) hit everybody equally. So, in the real world the likes of Lloyds TSB (a bank that does not provide customers with hard tokens, preferring a basic 1.5FA that goes beyond username and password) are not necessarily worse off. Simply, it is a case of there being more efficient and cost-effective ways of deploying 2FA.

It is interesting to look overseas at new and rapidly growing banks that do not have the same fixation and heritage with hard tokens, and to notice how they are balancing the need for high standards of security with customer convenience. Whilst there is interest in technologies such as biometrics, the unsurprising frontrunner is the use of soft tokens loaded on to smart devices.
These banks have looked at those organisations using hard tokens, evaluated the very expensive set up and ongoing management and maintenance costs, and quickly realised that the growth in the smart phone and mobile device market, coupled with the widespread availability of 3G/4G and wireless networks, and user adoption, provide the ideal environment from which to deliver the benefits of 2FA.
From the bank's perspective, soft tokens installed on a smart device via an app provide all of the benefits that hard tokens can offer, but crucially without the associated procurement and management costs. This new approach (such as Winfrasoft PINgrid) works on a similar principle to hard tokens and is available for all of the major mobile platforms (iPhone, Android, Blackberry, Windows Phone and Nokia Symbian). However, rather than generating a one-time code, these tokens use an ever-changing, randomly generated number grid system, from which a user sets their own unique pattern and enters the corresponding numbers from the pattern when logging on to their account.
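
A generic sketch of the grid-and-pattern idea described above, added here as an illustration; it is not Winfrasoft PINgrid's algorithm or code from the article. The 6x6 grid, 60-second refresh, HMAC-SHA256 derivation, seed, pattern and all function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

GRID_SIZE = 6       # assumed grid dimensions (6x6)
STEP_SECONDS = 60   # assumed refresh interval of the grid

def make_grid(seed: bytes, unix_time: int) -> list:
    """Derive the digit grid for a time step from the seed shared by app and server."""
    step = unix_time // STEP_SECONDS
    cells, counter = [], 0
    while len(cells) < GRID_SIZE * GRID_SIZE:
        msg = struct.pack(">QI", step, counter)
        block = hmac.new(seed, msg, hashlib.sha256).digest()
        # Rejection sampling: only bytes below 250 give an unbiased digit via % 10.
        cells.extend(b % 10 for b in block if b < 250)
        counter += 1
    cells = cells[:GRID_SIZE * GRID_SIZE]
    return [cells[r * GRID_SIZE:(r + 1) * GRID_SIZE] for r in range(GRID_SIZE)]

def read_code(grid: list, pattern: list) -> str:
    """What the user types: the digits that sit on their secret pattern."""
    return "".join(str(grid[r][c]) for r, c in pattern)

def verify(seed: bytes, pattern: list, submitted: str,
           unix_time: int, drift_steps: int = 1) -> bool:
    """Server side: rebuild the grid, allow small clock drift, compare in constant time."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        grid = make_grid(seed, unix_time + d * STEP_SECONDS)
        ok |= hmac.compare_digest(read_code(grid, pattern), submitted)
    return ok

# Constructed sample values, for illustration only.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
PATTERN = [(0, 0), (1, 1), (2, 2), (3, 3)]   # (row, column) cells chosen by the user
NOW = 1_700_000_000

if __name__ == "__main__":
    grid = make_grid(SEED, NOW)
    for row in grid:
        print(" ".join(map(str, row)))
    code = read_code(grid, PATTERN)
    print("code:", code, "accepted:", verify(SEED, PATTERN, code, NOW))
```

In this sketch the device holds the seed and the user holds the pattern, so the grid itself never has to be sent to the phone at logon.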

As these are soft tokens, they are low cost and can be distributed out to customers rapidly. In addition, improvements can be made centrally and the customer simply accepts the upgrade when notified. This ability to distribute security enhancements is vitally important as cybercriminals continue their assault on cracking 2FA systems, such as the Tilon Trojan back in 2009 and more recent Man in the Browser attacks.

Customers do not need to carry a separate piece of hardware, and today nobody leaves their mobile devices at home, so they always have their token available to securely log on, regardless of where they are in the world. Another important benefit is that increasingly customers are banking using mobile devices, either via a dedicated app or browser, so the phone can become both the token and the interface.

In my opinion the days of using hard tokens in retail banking are numbered, although there will always be those who will insist on it in the same way that some cling on to books, vinyl, CDs and DVDs. There are also too many large players who make too much money selling card readers and key rings for it to die out too soon. However, once the momentum for alternative solutions gathers and the return on investment is published, then hard token usage will diminish rapidly.