Author: Steve Hope, Director of Winfrasoft
In the world of technology it is inevitable that some will succeed and some will fail, but it isn't always the best technology that wins through. Over the years there have been many examples of this, and those of a certain age will recall how Betamax was considered by many to be the better format, yet VHS won the battle. However, replacing a video recorder was a relatively small expense; when a large institution, or indeed an entire sector, gambles on black and red comes up, it isn't so easy to change. This is the situation for retail banks using hard tokens today.
The purest view, held by many in the banking world and indeed beyond, is that hard tokens used to deliver 2FA are the most secure, as physical hardware can have protection mechanisms in place to prevent tampering. However, that isn't representative of the real-world threat. The reality is that these devices are the cause of high operational and procurement costs, and can drive away customers who are frustrated with the barriers put in place. After all, Internet banking for the customer is all about convenience (for the bank it is also about driving down costs). When HSBC introduced its Secure Key last year it created a backlash from customers on Facebook.
The problem with hard tokens from a customer's point of view is that they don't want to carry them around, especially the clunky card-reader types. So, when they are travelling, or just out of the house or office, they end up reverting to telephone banking or heading into a branch (the more expensive service channels). Then there is the problem of being away on a two-week holiday having left your token at home, or of losing it. How do you then access your bank account?
Over the years, so much has been invested by banks in hard token deployment that it has almost gone past the point of no return, despite the fact that the further they go the more costly it continues to get, in terms of purchasing and renewing tokens. To turn back now would perhaps be perceived as an admission that the hard token system was a failure, and it would take a brave IT Director to stick their neck out and say that! Also, if you are going to make such a statement you need to be able to offer a better solution. Fortunately, a strong alternative is beginning to emerge, driven by the proliferation of smart devices.
I am in no way suggesting that 2FA is not the right approach for banks; it is without doubt the way to go. Technically, those with no 2FA in place are less secure than those with 2FA. However, attacks such as Operation High Roller (a sophisticated attack on the Internet banking accounts of customers at 60+ banks, which has netted the bad guys between £46 million and £1.6 billion) hit everybody equally. So, in the real world, the likes of Lloyds TSB (a bank that does not provide customers with hard tokens, preferring a basic 1.5FA that goes beyond username and password) are not necessarily worse off. Simply, it is a case of there being more efficient and cost-effective ways of deploying 2FA.
It is interesting to look overseas at new and rapidly growing banks that do not have the same fixation on, and heritage of, hard tokens, and to notice how they are balancing the need for high standards of security with customer convenience. Whilst there is interest in technologies such as biometrics, the unsurprising frontrunner is the use of soft tokens loaded on to smart devices.
These banks have looked at those organisations using hard tokens, evaluated the very expensive set-up and ongoing management and maintenance costs, and quickly realised that the growth in the smartphone and mobile device market, coupled with the widespread availability of 3G/4G and wireless networks, and user adoption, provides the ideal environment from which to deliver the benefits of 2FA.
From the banks' perspective, soft tokens installed on a smart device via an app provide all of the benefits that hard tokens can offer, but crucially without the associated procurement and management costs. This new approach (such as Winfrasoft PINgrid) works on a similar principle to hard tokens and is available for all of the major mobile platforms (iPhone, Android, BlackBerry, Windows Phone and Nokia Symbian). However, rather than generating a one-time code, these tokens use an ever-changing, randomly generated number grid, from which a user sets their own unique pattern and enters the corresponding numbers from the pattern when logging on to their account.
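The grid-and-pattern mechanism just described, as an added example written for this article to show the moving parts; it is not Winfrasoft's PINgrid code, and the 6x6 grid size, single-digit cells and four-cell pattern length are assumptions:

```python
# Added illustration of a grid-pattern one-time code (not Winfrasoft's PINgrid
# implementation). Per login the server shows a fresh random digit grid; the user
# knows a secret ordered pattern of cell positions and types the digits found at
# those cells. Grid size, digit cells and pattern length are assumed values.
import hmac
import secrets

GRID_SIZE = 6        # assumption: 6x6 grid of single digits
PATTERN_LENGTH = 4   # assumption: four cells in the user's secret pattern


def new_grid(size: int = GRID_SIZE) -> list[list[int]]:
    """Fresh grid of random digits from a CSPRNG; generate one per login attempt
    and never reuse it, since the grid is the only thing that changes per login."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]


def choose_pattern(size: int = GRID_SIZE, length: int = PATTERN_LENGTH) -> list[tuple[int, int]]:
    """Enrolment: a secret ordered pattern of distinct (row, col) cells.
    This is the long-term secret the server stores for the user, not the grid."""
    cells = [(r, c) for r in range(size) for c in range(size)]
    return [cells.pop(secrets.randbelow(len(cells))) for _ in range(length)]


def render_grid(grid: list[list[int]]) -> str:
    """What the app displays to the user for this login."""
    return "\n".join(" ".join(str(d) for d in row) for row in grid)


def expected_code(grid: list[list[int]], pattern: list[tuple[int, int]]) -> str:
    """The one-time code is the digit at each pattern cell, read in pattern order."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify(grid: list[list[int]], pattern: list[tuple[int, int]], response: str) -> bool:
    """Server-side check of the user's response against the grid it issued.
    Constant-time comparison so timing does not reveal how many digits matched."""
    return hmac.compare_digest(expected_code(grid, pattern), response)


if __name__ == "__main__":
    pattern = choose_pattern()          # stored at enrolment
    grid = new_grid()                   # issued for this login only
    print(render_grid(grid))
    code = expected_code(grid, pattern)  # what an honest user would type
    print("pattern:", pattern, "code:", code, "ok:", verify(grid, pattern, code))
```

Because each grid is random, the digits typed for one login are worthless against the next grid, which is the one-time property the article credits to hard tokens; the server must therefore bind each response to the specific grid it issued and discard that grid after one use.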
As these are soft tokens they are low cost and can be distributed to customers rapidly. In addition, improvements can be made centrally and the customer simply accepts the upgrade when notified. This ability to distribute security enhancements is vitally important as cybercriminals continue their assault on cracking 2FA systems, such as the Tilon Trojan back in 2009 and more recent Man-in-the-Browser attacks.
Customers do not need to carry a separate piece of hardware, and today nobody leaves their mobile device at home, so they always have their token available to log on securely, regardless of where they are in the world. Another important benefit is that increasingly customers are banking using mobile devices, either via a dedicated app or a browser, so the phone can become both the token and the interface.
In my opinion the days of using hard tokens in retail banking are numbered, although there will always be those who insist on them, in the same way that some cling on to books, vinyl, CDs and DVDs. There are also too many large players who make too much money selling card readers and key rings for it to die out too soon. However, once the momentum for alternative solutions gathers and the return on investment is published, hard token usage will diminish rapidly.