It's fairly safe to say that many vendor solutions, if implemented within the specified time frame, will help banks to satisfy the FFIEC requirement that by 2006 banks authenticate their customers using something stronger than the user ID and password combination. But will compliance with the requirement actually succeed in stamping out Internet-based identity fraud? Nobody believes that for a second.
Still, there are measures that banks can use to make Internet banking more secure.
For instance, TriCipher (San Mateo, Calif.) offers a solution that improves on the usual PKI (Public Key Infrastructure) implementation. With the most common PKI algorithm, each user has a "public key" and a "private key." The public key can be handed out freely and is used to verify that a message was signed by its owner. The private key is held only by that owner, and it is the only key that can produce a signature the public key will accept; whoever holds it can sign as the user.
The TriCipher solution takes this a step further by splitting the user's private key into two parts, so that signing needs both and neither part alone is the key. "The two keys never come together," explains Ravi Ganesan, CEO of TriCipher and former vice-chairman of CheckFree Corp. (Atlanta). "One stays at the [TriCipher] appliance, the other at the desktop."
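To make the "two keys never come together" idea concrete, here is an added example in Python of split-key RSA signing; it is an illustration of the general technique, not TriCipher's own protocol or code. The private exponent is shared additively between a desktop and an appliance, each side computes a partial signature with only its share, and the product of the two partial results verifies under the single ordinary public key. The key size, the unpadded SHA-256 hash, the sample message and all function names are assumptions chosen for illustration.

```python
"""Split-key RSA signing: the private exponent d is shared additively,
d = d_desktop + d_appliance (mod phi(n)), so neither machine ever holds d.
Each party raises the message hash to its own share; multiplying the two
partial results gives an ordinary RSA signature under the public key (n, e).

Added illustration of the general technique, not TriCipher's product
protocol.  Toy key size and an unpadded hash keep the arithmetic visible;
a production scheme would use a proper padding mode and larger keys.
"""
import hashlib
import math
import random

PUBLIC_EXPONENT = 65537


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime of exactly `bits` bits (top bit forced on)."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def keygen(bits=512):
    """Textbook RSA key generation (toy size); returns (n, e, d, phi)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        if math.gcd(PUBLIC_EXPONENT, phi) == 1:
            return n, PUBLIC_EXPONENT, pow(PUBLIC_EXPONENT, -1, phi), phi


def split_private_exponent(d, phi):
    """Two-party additive sharing of d: a uniformly random share for the
    desktop, and the remainder that makes the two sum to d modulo phi."""
    d_desktop = random.randrange(1, phi)
    d_appliance = (d - d_desktop) % phi
    return d_desktop, d_appliance


def hash_to_int(message, n):
    """SHA-256 of the message as an integer below n (no padding: toy only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def partial_sign(h, d_share, n):
    """What one party can compute with its share alone: h^d_share mod n."""
    return pow(h, d_share, n)


def combine(partial_a, partial_b, n):
    """h^d1 * h^d2 = h^(d1+d2) = h^(d + k*phi) = h^d (mod n) for h coprime
    to n, so the product is the ordinary RSA signature."""
    return (partial_a * partial_b) % n


def verify(h, signature, e, n):
    """Ordinary RSA verification with the single public key."""
    return pow(signature, e, n) == h


def demo(message=b"transfer $500 to account 12345"):  # constructed sample message
    """Run the whole flow and return the checks a reader would want to see."""
    n, e, d, phi = keygen()
    d_desktop, d_appliance = split_private_exponent(d, phi)
    h = hash_to_int(message, n)
    s_desktop = partial_sign(h, d_desktop, n)      # computed on the desktop
    s_appliance = partial_sign(h, d_appliance, n)  # computed on the appliance
    signature = combine(s_desktop, s_appliance, n)
    return {
        "shares_sum_to_d": (d_desktop + d_appliance) % phi == d,
        "combined_verifies": verify(h, signature, e, n),
        "desktop_share_alone_verifies": verify(h, s_desktop, e, n),
        "appliance_share_alone_verifies": verify(h, s_appliance, e, n),
        "matches_unsplit_signature": signature == pow(h, d, n),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point a practitioner should take from this is that a phisher who compromises the desktop gets only `d_desktop`, which is a uniformly random number carrying no information about `d`; without the appliance's cooperation on each signature, no valid signature can be produced, and the appliance can refuse or rate-limit that cooperation.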
All this rigamarole is designed to stop certain devious methods of phishing passwords. "You can use our solution to protect a one-time password from a man-in-the-middle attack," claims Ganesan. "You send the one-time-password to our appliance instead of our Web application, through the secure channel that we create as part of the logon."
The early-stage phishing attacks merely stole passwords, so that the thieves could use them at their leisure. A man-in-the-middle attack instead sits between the user and the bank, relaying traffic in both directions so that neither side has any clue the middleman is there; a one-time password captured this way is simply passed on to the bank while it is still valid. "A lot of the two-factor authentication deals were not effective against a man-in-the-middle attack," explains TriCipher advisor Rebecca Bace, an author, venture consultant and former NSA engineer.
But as a proposed solution, PKI has had a rocky history in the commercial marketplace. "I saw it die on the vine in a lot of markets because of issues with manageability," says Bace. "You had folks that were very academic about how you should do your operational security."
That's why TriCipher has aimed for a PKI deployment that doesn't look like PKI to the outside world. "A user doesn't know he has a certification in our system," explains Ganesan.