
SMEs more vulnerable to data theft

Keeping personal identity information and confidential data secure, especially from unauthorised users and fraudsters, continues to be a major security threat for Small to Medium Enterprises (SMEs) and home users. Data security is becoming increasingly important as the trend towards mobile computing grows. This is according to John McLoughlin, MD of J2 Software.

SMEs and home users are becoming more vulnerable with the growing threat of identity theft. Whenever the Internet is used to communicate private or confidential information, it can be captured by fraudsters or data thieves. This includes applications such as Internet banking, online shopping, e-government transactions and insurance queries.

Reports on identity theft from local Internet banking users highlight the real danger of this ‘open-neck’ traffic between some organisations and their customers. The Federal Financial Institutions Examination Council (FFIEC) issued statements in 2005 on “Authentication in an Internet Banking Environment”, whereby financial institutions were advised to provide security protection to high-risk online financial transaction services by the end of 2006. This high-level security protection needed to be similar to that of credit card verification.

Physical element

McLoughlin says that in the case of credit cards, there is a physical element and a PIN or signature check. “Imagine that this could be extended to cover all online transactions that require some sort of verification or transmission of personal information.”

This could take the form of “multi-layer authentication” rather than just a single mechanism of a password. Multi-layer authentication would provide three main types of authentication, of which any two or more could be used. These include unique personal attributes like handwriting, fingerprints or retina scans; or digital certification by means of a swipe card, USB key or token; or a PIN and a password.

“Many organisations use layered security which asks multiples of the same type of authentication e.g. password, account number, secret question. This is by far better than a single method like a password, but less robust than multi-layered authentication. Layered security also costs less to implement on a mass-market level,” he explains.

Large organisations that provide online applications understand the online risks and many have combative and rigorous security measures in place. SMEs and home users seldom share this security culture; they are often left to fend for themselves in these types of communications.

Trusted identity

One of the solutions is to put a “face on a faceless world” by giving these users a trusted identity: an affordable means of identification, personal authentication and privacy in computer-based systems through cryptography, using a global protocol such as Public Key Infrastructure (PKI). This means providing some means of coding the information sent to identify the source, authenticate and authorise the contents and provide privacy against eavesdroppers when communicating private or confidential information.

PKI would allow users to encrypt and decrypt private information such as files and emails by creating digital signatures, ensuring documents can only be read by the recipients. It would also allow them to authorise transactions by creating digital certificates, a kind of passport or credential that means only the user and sender can decrypt the file, preventing malicious impersonation by a third party.

Ease of use and the ability to work across multiple applications, without unduly restricting the ability of individuals or organisations, are important. If users find security measures cumbersome and time-consuming, they are likely to find ways to circumvent them. However, consumers are more ready to accept a little more inconvenience.

Personal and corporate levels

PKI can be incorporated into a personal and uniquely identified, portable physical device, such as a USB key, to provide identification and authentication of consumers for online applications. PKI can be managed at a corporate level as part of online application delivery and customer management.

Technology has certainly improved to the point where this can be a reality. An affordable, mass-market, multi-authentication solution could improve trust and consumer confidence, help the online transactional market grow, and protect not just those at most risk, but all users.
