Many banks in India use SMS OTP system for customer authentication. However, a recent incidence of a fraud in a bank showed that the SMS OTP token was not fully effective. In this incidence, hackers modified the customer’s mobile number in the bank’s database and redirected the OTP to the modified mobile number that they controlled.
Problems arising due to misdirected creativity of Black Hat hackers apart, most bank officials also privately complain about high costs of the SMS method of authentication. Banks apart, the customer also incurs monthly SMS charges.
Sometime back, in a customized Zeus MITM malware attack, a researcher showed how such customized malware could easily intercept communication between a net banking portal and a desktop.
The demo clearly demonstrated money ending up in a hacker’s account after a customer concluded a transaction. This vulnerability was exposed in a MNC bank’s Indian operation. Checking further, the researcher discovered that this particular vulnerability could be exploited in other bank's net banking systems as well.
It is widely accepted that the only real security is offered by use of a hardware token. Such a token generates time based token numbers on the customer side and net banking /e-commerce/payment wallets can undertake token verification on the server side. However, while effective, the hardware token method is accompanied by significant costs.
An elegant solution to the cost conundrum is to use the ubiquitous mobile phone as a soft token dispenser, and completely do away with the costs and hassles of using a separate hardware token.
But the soft token model is only being offered by some major MNC security technology firms and comes accompanied by MNC prices and price structure that Banks find discomforting. These vendors insist on levying a fee on the bank on a per customer basis and the sum adds up to a significant amount when a bank or an enterprise deals with many millions of customers.
One possible solution for a Bank or other enterprises is to implement a 2 factor soft token authentication program by developing their own system. They could develop a system on their own with a 6 month R&D effort. It took us, Cyber Security and Privacy Foundation (CSPF), less than 3 months R&D to develop a 2FA system which can be implemented in banks and other enterprises and institutions.
Our research suggests that it can be both practical and economical to implement net banking with soft tokens given to all customers and thus prevent a lot of frauds.
The authentication server can be placed in a bank’s premise and soft tokens can be integrated with net banking. On an indicative basis, we envisage a first year license fee US $ 50,000 for up to 100000 customers (something like half a dollar per customer for the first year).
We further envisage an annual recurring license fee of US $ 10,000 per 100000 customers to be levied Year 2 onwards. The price per customer could be reduced further to just 25 cents for a 500000 user base.
Convenience, cost, comfort and security all suggest that it is now time to look beyond the SMS OTP and the hardware token and adopt an in-sourced soft tokens 2 Factor authentication model. Banks, e-ecommerce players and wallet providers should all seriously evaluate this option.
