About The Blog

Debate at the intersection of business, technology and culture in the world of digital money, both commercial and government, a blog born from the Digital Money Forum in London and sponsored by Consult Hyperion




3D Secure, give it your best shot

By Dave Birch posted Feb 8 2008 at 1:08 PM

[Dave Birch] How pathetic is it that when I want to buy something on the Internet using my bank card I have to mess around typing in endless details, numbers, codes, passwords and the like. It's all so 1994. In a modern economy, that sort of thing is seen as being on a par with Babylonian clay tablets or filling out paper forms to make a SEPA Credit Transfer. But in advanced countries, there is another way:

According to Sony Japan, the company has just sold its five millionth USB RFID dongle for home computers... the USB gadgets can be used in multiple ways. The most common involves swiping an IC-chipped phone or credit card to pay for purchases made online. The advantage lies in encryption applied to the card number before it is transmitted - a valuable safety net in these days of endless data breaches.

Other uses for the technology - terminals are already built into all Japanese Sony Vaios, by the way - include encrypting files on the PC, authenticating users for access to secure parts of a network and even acting as a screensaver lock. The most prosaic FeliCa application is, however, considerably more useful than any of those. Instead of using a ticket machine in a train station, travellers with IC passes can add cash to or renew their validity from the comfort of their desk using the PaSoRi, something we can expect to see in the West soon.

[From Personal RFID terminals go big in Japan | News | TechRadar.com]

So when you want to buy something online with your DoCoMo phone, you just touch the phone to your dongle. That's it. Since I have a brand-spanking new Barclaycard with Visa PayWave on board, what's the barrier to a dongle to go with it? I've got my calculator-thingy from Barclays, and that works really well for using my bank account, but it doesn't help me with payments at all. There are millions of these things being issued in the U.K...

Nationwide Building Society has contracted with French vendor Xiring for the provision of over one million handheld authentication devices which it will begin rolling out to its online retail banking customers this spring.

[From Finextra: Nationwide to dish out Xiring smart card readers]

You'd think we'd at least be able to use them in 3D Secure, if nowhere else. I hate to be a big whinger, but isn't this just another example of the silo mentality at work, where the guys in charge of home banking have nothing to do with the payment guys?

Both MasterCard and Visa have programmes to use the handheld readers for 2FA in 3D Secure transactions (the CAP and DPA programmes) but as far as I know none of my bank issuers offer them as services. Perhaps it's too late now? The natural way forward would seem, to me, to integrate the mobile phone into the transaction loop rather than require special-purpose hardware. In the not-too-distant future I will have a phone that can interface to my Barclays OnePulse card, so I won't need another dongle. Since the CAP and DPA implementations depend on the cryptography in the secure chip on the EMV card and do not need any security in the device, it should be easy to implement the software in the mobile handset.

Except that you're not supposed to enter PINs into a mobile phone keypad, because it's not seen as a secure PED (PIN entry device). However, Monitise have managed to persuade VocaLink to let them enter ATM PINs into the phone (hence the Monilink joint venture), so there ought to be a way of making this all work for payment transactions as well.
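To make the point in the two paragraphs above concrete, here is an added illustration in Python that is not code from this post, from EMV or from either card scheme: a simplified model of a CAP/DPA-style passcode in which the card object holds the key and verifies the PIN offline, the reader only formats digits, and the issuer recomputes the code and rejects replays via the application transaction counter (ATC). HMAC-SHA256 stands in for the EMV 3DES application cryptogram and key derivation, and the master key, PAN and PIN are constructed sample values.

```python
import hashlib, hmac

# Constructed sample values for the demo; not real keys, PANs or PINs.
ISSUER_MASTER_KEY = b"demo-issuer-master-key"
PAN = "4111111111110000"
PIN = "1234"

def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Issuer-side per-card key derivation (HMAC-SHA256 stands in for EMV 3DES)."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()

class EmvCard:
    """Models the secure chip: the key and the PIN never leave this object."""
    def __init__(self, card_key: bytes, pin: str, tries: int = 3):
        self._key, self._pin, self.tries_left = card_key, pin, tries
        self.atc = 0  # application transaction counter, bumped per cryptogram

    def generate_ac(self, pin: str, challenge: str):
        """Offline PIN verify, then a MAC over (ATC, challenge), like an ARQC."""
        if self.tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            raise PermissionError("wrong PIN")
        self.tries_left = 3
        self.atc += 1
        msg = f"{self.atc}|{challenge}".encode()
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()

def reader_display(atc: int, ac: bytes) -> str:
    """The untrusted reader only formats: 4 ATC digits + 8 digits from the MAC."""
    return f"{atc % 10000:04d}{int.from_bytes(ac[:4], 'big') % 10**8:08d}"

def issuer_verify(pan: str, challenge: str, passcode: str, last_atc: int) -> bool:
    """Issuer recomputes the code from its master key; stale ATCs are replays."""
    atc = int(passcode[:4]) if passcode.isdigit() and len(passcode) == 12 else -1
    if atc <= last_atc:  # malformed, replayed or stale passcode
        return False
    key = derive_card_key(ISSUER_MASTER_KEY, pan)
    expected = hmac.new(key, f"{atc}|{challenge}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(reader_display(atc, expected), passcode)

def demo():
    # Returns (valid accepted, replay rejected, altered challenge rejected).
    card = EmvCard(derive_card_key(ISSUER_MASTER_KEY, PAN), PIN)
    code = reader_display(*card.generate_ac(PIN, "amount=1999;merchant=123"))
    ok = issuer_verify(PAN, "amount=1999;merchant=123", code, last_atc=0)
    replay = issuer_verify(PAN, "amount=1999;merchant=123", code, last_atc=1)
    tampered = issuer_verify(PAN, "amount=9999;merchant=123", code, last_atc=0)
    return ok, not replay, not tampered
```

Note that the only secret-bearing step is inside `EmvCard`; the PIN, however, still passes through whatever keypad the user types it on, which is exactly the PED concern raised above.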

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.


One point about the DoCoMo scheme...

Usually FIs want to do a two-factor authentication, preferably one 'something-only-i-know' and another 'something-only-i-have', which presumably provides a reasonable (!) degree of security.

But the DoCoMo scheme only has one 'something-only-i-have' which increases the risk of fraud, presumably offset by the lower value-at-risk associated with low-value purchases.

But you're right, the mobile phone/device is the right/logical place that the 'something-only-i-have' part of any authentication scheme should sit in. There are only so many dongles and SecurID cards one can carry.

About your wish to have a single authentication point, I guess that needs to be examined in the light of the fact that in some places you currently need multiple credentials even to talk to your bank: one online banking password, another ATM PIN and presumably a third phone-banking id.

Dave, I feel that I have to defend the banks here - until 2008 I worked for a major UK bank about to deploy 2FA that will address both internet banking and VbV. The key to this integration is that we had not yet deployed VbV - so could build a complete solution rather than try and bolt on 2FA to a VbV solution already in place. From what I understand a number of banks were trying to get to market fast to address specific needs in the banking space - and not able to deliver the VbV solution in time.
Also, Monitise do not use the ATM PIN - they have their own security code (could be the same number) to access the service, but the security guys in the banks would not let them use the online PIN.
