Online Banking Review
Stephen writes a regular column on net banking security and technology for this award-winning magazine.
Lockstep gratefully acknowledges the permission of Online Banking Review to reproduce my past columns here. For further details on this comprehensive regular review of all aspects of online banking, see http://www.onlinebankingreview.com.au.
See also a few recent columns online: a fresh look at how to properly tackle card-not-present fraud and some rather more philosophical musings about identity.
| Column | Download | Summary |
|---|---|---|
| OBR Lockstep 2004/02 Biometric cautions | [download, 171Kb] | How often is a serious new technology introduced with the aid of a Tom Cruise film clip? Welcome to biometrics, the glamorous end of the security market, where 'Minority Report' has almost achieved case study status. But beneath the hype are some more pragmatic issues for the application of biometrics in day-to-day banking. |
| OBR Lockstep 2004/04 Privacy and IT | [download, 154Kb] | Research is starting to show that few IT departments have come to grips with the full meaning of privacy regulations. Most IT managers fail to appreciate the potential ramifications of privacy for database design, architecture, web design processes and audit. |
| OBR Lockstep 2004/06 Id Theft IS a techno issue | [download, 169Kb] | It's time to move beyond the bumper sticker slogan that 'security is not a technology issue'. In the war on identity theft, education, legal and regulatory weapons have reached their limit. |
| OBR Lockstep 2004/10 Smartcard comparison | [download, 168Kb] | A brief overview of authentication technologies, comparing and contrasting all major options, and showing that smartcards offer unique protection against website fraud. |
| OBR Lockstep 2004/12 Chip and PIN | [download, 162Kb] | The UK has implemented a large-scale rollout of smartcards. The unit cost of smartcards is falling rapidly as hundreds of millions of cards roll off production lines. Built-in smartcard readers in laptops and other PCs will help the new technology gather pace. |
| OBR Lockstep 2005/02 Second class citizens | [download, 258Kb] | An unfortunate side-effect of user-pays security could be the creation of two classes of Internet banking customer. This column charts the meteoric rise of two-factor authentication but urges caution in light of the weaknesses of most solutions available today. |
| OBR Lockstep 2005/04 Understanding Man-In-The-Middle | [download, 283Kb] | Two-factor authentication could soon be obsolete thanks to a new generation of security attacks. |
| OBR Lockstep 2005/06 The Chips are Falling into Place | [download, 468Kb] | Credit card skimming and competitive pressures are the two main factors forcing Asian banks to adopt EMV-compliant smartcards. |
| OBR Lockstep 2005/08 Security and Privacy | [download, 409Kb] | Work needs to be done on bridging the worrying knowledge gap between most privacy and technology specialists. |
| OBR Lockstep 2005/10 Online Fix to Identity Crisis | [download, 417Kb] | Electronic identity verification is just around the corner, but are Australian financial institutions ready for the technical challenges it poses? Banks relying on purely electronic proof of identity will need to know the data isn't stolen, while customers planning to submit identity data to institutions online will need to know the websites are not fake. Strong mutual authentication is the key to fully electronic verification. |
| OBR Lockstep 2005/12 Federated ID | [download, 330Kb] | One of the more prevalent topics in e-business and security circles is 'federation'. Yet a clear head is needed when evaluating federated identity. Buzzwords are flying around, and some applications of this new technology may complicate the way banks deal with their customers. |
| OBR Lockstep 2006/02 Biometrics | [download, 368Kb] | Biometrics appear profoundly simple in operation, but the associated science, engineering and product design are still in their infancy. It is tempting to think that using an ATM of the near future will be as simple as staring into a camera lens to activate one's account, but if we take a close look at this technology, it's not as simple as it first appears. |
| OBR Lockstep 2006/04 PKI on the cards | [download, 346Kb] | The unique value of PKI in securing paperless transactions is now widely acknowledged. The early rosy vision of a single, all-purpose identity infrastructure has given way to a more sophisticated landscape of multiple PKIs, used not for identity per se, but rather for more complex relationships, affiliations, credentials and so on. In this issue, we are going to show how PKI implemented with smartcards is emerging as a critical infrastructure. |
| OBR Lockstep 2006/06 Authentication shakeout | [download, 240Kb] | It may seem politically incorrect, but it's worth asking: do consumers really need a choice of security technologies? Consumers can choose between banks and between banking products, but they are not offered options when it comes to the design of vaults, ATM networks or plastic cards. The time is right for the banking industry to take the lead and standardise authentication. |
| OBR Lockstep 2006/08 Spreading cost of smartcards | [download, 283Kb] | If banks can take an all-of-business approach to smartcards, engaging their Internet banking, privacy, compliance and security functions with the cards groups, then they will see a stronger ROI. |
| OBR Lockstep 2006/10 Smartcards and privacy | [download, 278Kb] | If we take a shared infrastructure view of smartcards, then a number of critical projects could usefully be merged. For example, impending health and welfare smartcards and smart drivers licenses could be made available as secure carriers for other agencies' identifiers, enabling true anonymity of government service delivery. |
| OBR Lockstep 2006/12 Banking on the Access Card | [download, 293Kb] | The Federal government’s Access Card is really taking shape. Major tenders are expected within weeks for the provision of over 16 million smartcards, associated new enrolment services, kiosks, and backend systems. And greater clarity is emerging around the government’s vision, through several recent keynote speeches by Human Services Minister Joe Hockey. |
| OBR Lockstep 2007/02 Access all areas | [download, 253Kb] | The rapid development of a new Health & Welfare Access Card has continued to accelerate through the new year period. As discussed in recent editions of Online Banking Review, this federally funded program of the Department of Human Services promises to issue in excess of 16 million multi-function smartcards starting in 2008. Major tenders have been called for the issuance and management of the cards, and for the systems integration of complex backend systems. And an exposure draft of the associated Access Card legislation was released in December for public comment. |
| OBR Lockstep 2007/04 Layer upon layer | [download, 251Kb] | This week we’ll look at the multi-layered security of card systems, and see that smartcard platforms offer so many more options for staying ahead in the cyber-crime arms race, by virtue of their intelligence and programmability. |
| OBR Lockstep 2007/06 Smartcard ROI | [download, 256Kb] | Barclays in the UK has announced it will deploy half a million special purpose smartcard readers, with which their EMV cards will be transformed into personal security tokens for Internet banking. This is an important development, showing how institutions can improve their smartcard ROI and create useful upgrade paths along which their customers’ experience can steadily improve. It is one of the first strong signs of convergence of banking products onto a uniform, user-friendly electronic key. |
| OBR Lockstep 2007/08 Smarter than your average card | [download, 260Kb] | Awareness of the limitations of conventional two-factor authentication continues to build. ABN Amro’s time-based One Time Password (OTP) tokens are the latest in a long line to be attacked. Moreover, other industry analysts are voicing the same general conclusion that I’ve discussed previously in Online Banking Review: that combating Man-in-the-Middle attacks will take an active authentication technology, like smartcards. |
| OBR Lockstep 2007/10 Momentum for mobile | [download, 225Kb] | At the Banktech conference in July, Westpac CIO for Consumer Financial Services, Patrick Eltridge, confirmed the bank envisages Wireless PKI as a “game changing technology”. WPKI looks like being central to the rapid expansion of mobile banking into full blown financial services. So is WPKI just another spin on this controversial technology? Or will it reinvigorate PKI to deliver its full potential after all? |
| OBR Lockstep 2007/12 My Myself I | [download, 276Kb] | We may be in the midst of a true paradigm shift, to a new worldview based on a plurality of identities. I suggest we’ve been saddled for years with the tacit assumption that deep down we each have one ‘true’ identity, and that the way to resolve rights and responsibilities is to render that identity as unique. This “singular identity” paradigm has had an unhelpful influence on smartcards, PKI, biometrics, and federated identity management. |
| OBR Lockstep 2008/02 SMS on borrowed time | [download, 232Kb] | SMS was not designed to act as a second authentication factor, and it raises some serious issues. There is no guarantee in the SMS standard that any message will ever arrive. When a banking confirmation code is lost, the inconvenience could be substantial. Moreover, help desks will have to find new ways to authenticate upset customers without creating security gaps. Above all, customers will need to read each SMS carefully, but we know that a substantial segment of the market is vulnerable to phishing simply because they don’t pay adequate attention. SMS authentication is probably going to leave this segment vulnerable to frauds that exploit their credulity or naivety. |
| OBR Lockstep 2008/06 Speaking of bank details | [download, 241Kb] | Voice authentication is one of the more interesting biometrics and probably the only technique in the class that so far makes sense for retail banking. Occasionally we hear of iris, fingerprint or face recognition being proposed for ATMs but they remain too problematic ... |