By Turner, Richard
Journal of Banking and Financial Services, Vol. 117, No. 3
For centuries, financial services organisations have provided trusted environments for individuals and companies to conduct business. In recent times the Internet has presented financial services companies with significant opportunities in terms of reduced costs, new markets and enhanced customer service.
The Internet also presents considerable challenges in terms of increased competition, transforming traditional business models into e-operations and ensuring the security and privacy of customer data and online transactions.
The security issue represents the greatest barrier to e-finance success. However, there are also new solutions that will enable financial organisations to overcome the customer reluctance which has stymied growth of this channel.
The main web-based initiatives that financial services organisations have adopted are online banking for both business and retail customers, business-to-business applications such as funds transfers and corporate purchasing, and extranet enterprise initiatives for internal or partner use.
The security issues relating to all these are very similar, but their significance grows as the value or complexity of the transaction increases. Fundamentally, there has to be exactly the same trust and certainty in e-finance as there has always been in the traditional model.
In other words, you must know that individuals are who they say they are (authentication), that they have the right to conduct transactions (authorisation) and that those transactions cannot then be intercepted and altered (integrity, confidentiality, encryption) or denied by either party (non-repudiation).
Authentication and authorisation
The uptake of online banking has not been as high as originally forecast, with extremely low customer confidence stated as the main reason. Not surprisingly, banks are looking for ways to demonstrate that the web is a secure place to bank.
The first task is to verify the identities of all participants in a transaction. The two key issues here are authentication (who you are dealing with) and authorisation (what level and type of transactions that individual is allowed to conduct).
In terms of business-to-consumer banking, smart cards have been raised as a promising solution to the authentication problem. However, there are hardware issues because most PC manufacturers still have not built smart card readers into their machines. In addition, smart card industry standards have yet to be finalised, posing compatibility problems.
The conventional authentication approach, relying on a simple user ID and password, is highly problematic. While everyone is used to keying in a PIN at the ATM, there is now widespread recognition of the profound weaknesses of multiple-use passwords.
Users tend to opt for easily guessed passwords such as their birth date, or else write the password down and even share passwords. Recently a spate of ATM fraud was carried out by gangs who fooled the victims into believing their card had been "swallowed" by inserting a plastic slip into the card slot. The victims' PINs were obtained by physically observing the number being keyed in.
One alternative for the online world is to use digital certificates, whereby digital credentials or "security passports" are stored on a particular web browser, WAP phone or personal digital assistant such as a palm device. But this is also problematic. Firstly, access to the digital certificate is usually not restricted. This means that if someone gets hold of the device where the certificate is stored, they could access all the online services the owner is authorised to use.
Secondly, digital certificates tie their owner to the PC or device where the certificate is stored. This lack of mobility makes digital certificates less attractive.
The third principal way to authenticate users is to use biometrics, which covers techniques such as fingerprint and retina scanning. …