How ATM Security Principles Can Revolutionize Online Banking

08/20/2014

Banks face a constant struggle to protect their online banking services and their account data from an endless wave of cybersecurity threats. According to the Data Breach Investigations Report, a widely trusted report published by Verizon, bank data was the most common type of data targeted by cybercriminals in 2013.

But banks may not realize that the solution to many of their security problems is already in their back pockets—perhaps literally.

The solution can be found in the security principles of the ATM card, which is designed to verify authorized access to bank accounts and financial transactions by combining the owner’s knowledge of a PIN with physical possession of the card.

In Europe and in other places where smart ATM cards are used, physical possession of the card also means possession of a private key stored on a microchip embedded in the card. The user confirms possession of the private key by entering the PIN, and the private key electronically signs the account access request.

This smart card technology is used widely for credit and debit card security in Europe, where it has enjoyed more than 20 years of success in protecting consumers, banks, and retailers against fraud. And, in the wake of many high-profile incidents of fraud and theft of credit and ATM card data in the U.S., American banks are finally beginning to implement and require the use of smart cards by U.S. customers and retailers.

However, based on their current online authentication methods, banks may be unaware that the same principles that are used for smart cards can be applied to provide a completely secure method for authenticating online banking access with mobile technology. The security experts at SecSign Technologies, which helped pioneer smart card technology in Europe, have combined these concepts with public key infrastructure (PKI) to develop a solution that makes it physically impossible for cybercriminals to compromise user credentials and access online banking accounts, online banking apps, and even ATM terminals.


PKI-based Authentication for Online Banking

SecSign Technologies’ technology, called SecSign ID, uses PKI-based mobile authentication, which is based on the same concept of knowledge and possession used in ATM card security, and it involves three core elements:

  1. A 2048-bit private key is generated and stored, encrypted, on the banking customer’s mobile device. The private key is protected by a patented SafeKey mechanism, which prevents brute force attacks even if the customer’s mobile device is lost or stolen.
  2. The corresponding 2048-bit public key is stored and secured on the SecSign Trust Center Server, which can be deployed in the cloud or operated as your own authentication server, with the same security, on your own infrastructure.
  3. Physical possession and rightful ownership of the private key is confirmed through one of several verification options, after which the private key digitally signs an authentication challenge that is generated by the authentication server and sent to the mobile device.

A Simple Login Eliminates the Use of Passwords and Sensitive Credentials

The login and authentication process is simple and takes only seconds: the customer logs in on a website or in a mobile application and confirms the login in the SecSign ID mobile app.

The customer logs in through the bank’s website or app, as usual, but enters only a non-confidential user ID and no password. The user ID does not need to be kept secret: on its own it cannot be used to access the account or obtain any confidential information.

Once the user ID is entered, the web or app server contacts an authentication server, which issues a challenge that must be digitally signed by the private key on the user’s mobile device. The server also displays an access symbol on the login screen. The free SecSign ID mobile app is then used to digitally sign the challenge and confirm the access symbol, although the technology can also be integrated into an existing online banking app.

Four Options Available to Verify Identity

To confirm possession of the encrypted private key on the customer’s mobile device and allow it to digitally sign the authentication request, the customer must verify identity through knowledge and/or biometrics. SecSign ID offers four ways to do this.

  1. Enter a user-defined PIN or a passcode
  2. Use Apple’s Touch ID fingerprint scanner to confirm private key ownership biometrically
  3. Combine a user-defined PIN or passcode with Apple’s Touch ID fingerprint. This creates a combination of knowledge and biometrics for extra security.
  4. Use only the physical presence of the private key on the mobile device to verify authentication. While this option removes PIN, passcode, or Touch ID fingerprint protection for the private key, it still provides a stronger alternative to password-based logins because the private key exists only on the user’s mobile device, so only someone who possesses the device can access the user’s account.

It is important to note that none of these actions constitutes authentication on its own. Verification confirms possession and rightful ownership of the private key, which then digitally signs the authentication server’s challenge. And, to complete the final requirement for authentication, the customer taps one of four symbols shown on the mobile device that match a symbol shown on the bank’s website or app login screen. This provides the final verification of identity and allows the authentication server to grant access.
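The three elements and the login flow above, written out as a challenge-response exchange in Go. This is an added illustration, not SecSign’s code; it assumes RSA-PSS with SHA-256 for the signature, represents the four access symbols as indices 0..3, and leaves the PIN or fingerprint unlock of the private key out of scope.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)
// Pending login held by the authentication server: a fresh random challenge
// plus the access symbol (index 0..3) that the login screen shows the user.
type Session struct {
	Challenge []byte
	Symbol    byte
}

// NewSession is the server's reply to a submitted, non-secret user ID.
func NewSession() (*Session, error) {
	buf := make([]byte, 33)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	return &Session{Challenge: buf[:32], Symbol: buf[32] % 4}, nil
}

// SignChallenge runs on the phone after PIN/fingerprint unlock (unlock not modelled).
func SignChallenge(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify is the server's final check: it holds only the enrolled public key and grants
// access only if the signature covers THIS session's challenge AND the tapped symbol matches.
func Verify(pub *rsa.PublicKey, s *Session, sig []byte, tapped byte) error {
	h := sha256.Sum256(s.Challenge)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil); err != nil {
		return errors.New("challenge signature invalid")
	}
	if tapped != s.Symbol {
		return errors.New("access symbol mismatch")
	}
	return nil
}
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // generated on the device at enrolment
	sess, _ := NewSession()
	sig, _ := SignChallenge(priv, sess.Challenge)
	fmt.Println("login:", Verify(&priv.PublicKey, sess, sig, sess.Symbol))
}
```

Because each challenge is random and bound to one session, a captured signature cannot be replayed against a later login, and a mismatched symbol rejects the attempt even when the signature is valid.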


Easy Prevention of the Biggest Threats to Online Banking Security

Using this approach, banks can provide the best possible security to protect access to online banking accounts and customer data while providing multi-factor authentication that is simple and easy for customers to use. With optional verification methods, banks can be flexible in offering next-generation security that can accommodate all of their online banking customers, including those who already have access to fingerprint biometrics through Apple’s Touch ID. Customers can even choose their preferred verification method or combination of methods.

More importantly, however, the advanced cryptography of SecSign ID was designed from the ground up to eliminate password-based logins and the most common and serious cybersecurity threats that banks and their online customers face.

Passwords are no longer used, and sensitive credentials are no longer entered, transmitted, or stored via the bank’s website, mobile app, or servers.

This means that there are no sensitive credentials that can be stolen in transit, as was possible with the Heartbleed bug in OpenSSL’s SSL/TLS implementation.

And there are no sensitive credentials to steal through malware, such as Trojans or keystroke loggers, or phishing schemes that trick customers into sharing their passwords through fake emails and websites.

Moreover, there are no confidential credentials stored on the authentication server or the bank’s server, so there is nothing for hackers to steal through brute force, SQL injection, or any other method of attack.

The SecSign ID authentication method also avoids the use of vulnerable SMS text transmissions for sending one-time passcodes when online banking customers sign on from a new device. SMS was never designed as a secure messaging protocol, so it is highly susceptible to hacking and other criminal attacks, including some targeting customers of Swiss banks, which are known for having some of the best security in the world.

But if criminals can gain access to a user’s phone number or mobile phone account, they can potentially configure a second SIM card or use other means to receive copies of all text transmissions sent to that number. This allows them to easily foil the SMS code-based methods of two-factor authentication that many banks are using as their highest level of account security.

In the end, SecSign ID technology is poised to revolutionize online banking by helping banks eliminate their biggest cybersecurity threats and deploy a truly secure multi-factor authentication method that delivers enhanced security with user-friendly simplicity.

To learn more about SecSign ID, visit the product pages at https://www.secsign.com/business/two-factor-authentication/ and contact SecSign Technologies to learn more about how you can integrate next-generation mobile authentication with your online banking services.
