The day is not far for four factor authentication: Gemalto

Rising incidents of hacking and malicious injections targeted at the BFSI segment will necessitate four factor authentication

Sonal Desai

CIOL Bureau


MUMBAI, INDIA: Atul Singh, Regional Director, India sub-continent, Banking, Transport & Telecom Solutions, Gemalto, in a free-wheeling interview with CIOL, discusses newer demands from the BFSI segment on security vendors, and the importance of four factor authentication.

How is your company helping the BFSI segment in India?

We have been in India for the past 20 years. We have multiple solutions which include EMV cards (debit, credit and pre-paid), besides an authentication platform and other solutions to secure banks.

Also, the acquisition of SafeNet, which is very strong in hardware security modules, has strengthened our offerings in bank-to-bank transactions.


Overall, we work with more than 400 public and private sector banks worldwide. One of the biggest public sector banks in India with presence in 20 countries is our customer. The bank’s customers access its servers secured by Gemalto solutions, across geographies.

But the concept of digital has only caught up in the past 5 years or so?

We see digital security as securing transactions between people, people and machine, and machine and machine, now known as the Internet of Things. Even back in 1979, when we helped the French government replace coin payphones with smart cards, we were moving towards digital security.

Online banking may have evolved in the past 5-10 years, but as more people started using online banking, frauds also started increasing. The RBI has mandated that all the banks issue EMV-based cards.


PKI is also placing new demands?

We are doing a lot of work in the area of PKI technology (Public Key Infrastructure), which will secure all online transactions.

In PKI, there is a secure element, which could be a SIM card or a banking chip card. The secure element I am talking about has a memory area with a co-processor that generates a public and private key pair on-board, and the private key never leaves the memory element.

It’s like bank lockers where the customer and the bank each has one key and the locker can only be opened with the combination of the two.


Is this enabling faster acceptance of Mobile ID?

Mobile ID, an industry term coined by GSMA, is not in India, but the day is not far when mobile IDs will be launched in the country.

Many countries are adopting mobile ID because it is convenient and it gives you the same level of security as the laptop and token. What we have done here is removed the chip from the USB dongle and replaced it with a specially made SIM card in your phone. Your ordinary SIM card can be replaced with a higher-end PKI SIM card and you can start using the mobile ID from your phone. That is where you need more layers of security.

If you simply have to access a website or your bank account to know some details, it could be a level one authentication using only a username and password.


But say, if you have to transfer money, you need to be more secure. So you need a level two or level three authentication. Like when you receive an OTP and you enter it into the screen, then this could be level two and a half. Or the bank may have given you a device to generate an OTP yourself and then enter it into the screen. This is still level two. But the day is not far when you get a four factor authentication, which is the highest level of security so far. This is when the access channel is different from the authentication channel.

For example, in whatever online transactions you do today, accessing your email or doing e-commerce transactions, you are using the same channel for access and the same channel for authentication (you have the single connection to the Web). So you are just using an IP channel to access and authenticate yourself. In today's time this is highly prone to fraud.

A hacker sitting in any part of the world can divert what you are doing to a different IP address, and you won't even know and will reveal details about yourself.


But it is OTP or Pin protected, right?

Sure. But I am talking about the highest level of security in which you access through one channel and authenticate through another channel.

So just to compare, today you access your account using just your username and password. With mobile ID you will have another tab which will say "login using mobile ID". This will require you to enter your mobile number, which will be your username, and this will be your single username for any activity.

Mobile ID replaces the inconvenience of remembering too many passwords and usernames; this will have a four digit PIN (password). So all you have to do is click on an icon on your phone that says "login using mobile ID". Then, via the bank's server, it goes to the telecom operator, which will push an SMS to your phone asking, "Are you trying to access your bank's website?" When I say yes, I am digitally signing my yes, and it goes back to the operator. The operator is connected to a Gemalto platform, which is connected to the bank's website.


So in this scenario I am accessing the website using the Internet, but I am authenticating using the telecom operator's channel. This is called out-of-band authentication. Out-of-band reduces the probability of a hack, and I personally have not heard of one case where mobile ID has been hacked. The hacker will have to have control over the Internet channel and the SMS channel, and he should have your PKI SIM and phone and the PIN which is in your head, to successfully hack into your account.

So for the hacker to have all these four elements at the same time is highly unlikely.
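As an added illustration of the PKI secure element and the out-of-band flow Singh describes (this is example code written for this page, not Gemalto's platform or its code): the PKI SIM keeps its private key on-card and signs the "yes" to the operator's prompt only after the PIN is entered, while the bank issues a fresh, action-bound challenge over the SMS channel and accepts each signed confirmation exactly once. The type names, ECDSA P-256, the challenge layout and the collapsing of the operator and Gemalto relay into direct calls are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// PKISim models the PKI SIM's secure element: key pair generated on-card, private key (unexported) never leaves.
type PKISim struct{ priv *ecdsa.PrivateKey; pin string }

func NewPKISim(pin string) *PKISim {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &PKISim{priv: priv, pin: pin}
}
// PublicKey is what the bank enrols against the customer's mobile number.
func (s *PKISim) PublicKey() *ecdsa.PublicKey { return &s.priv.PublicKey }
// ConfirmYes signs the operator's SMS prompt, but only after the right PIN.
func (s *PKISim) ConfirmYes(pin string, challenge []byte) ([]byte, bool) {
	if pin != s.pin {
		return nil, false
	}
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, h[:])
	return sig, err == nil
}

// Bank holds public keys enrolled per mobile number and the challenges already consumed (assumed design).
type Bank struct{ enrolled map[string]*ecdsa.PublicKey; used map[string]bool }

func NewBank(enrolled map[string]*ecdsa.PublicKey) *Bank {
	return &Bank{enrolled: enrolled, used: map[string]bool{}}
}
// NewChallenge is the fresh, action-bound prompt pushed over the operator's SMS channel, separate from the IP session.
func (b *Bank) NewChallenge(mobile, action string) []byte {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	return append([]byte(action+"|"+mobile+"|"), nonce...)
}
// Verify accepts a signed "yes" once: enrolled key, valid signature, unused challenge.
func (b *Bank) Verify(mobile string, challenge, sig []byte) bool {
	pub, ok := b.enrolled[mobile]
	h := sha256.Sum256(challenge)
	if !ok || b.used[string(challenge)] || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return false
	}
	b.used[string(challenge)] = true
	return true
}
```

Because the challenge names the action and carries a nonce, a confirmation captured on one channel cannot be replayed for a later login or transfer, which is the property the two separate channels are meant to give.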

Has any bank implemented this yet?

A lot of them have expressed interest. We are working with one of the largest private sector banks, and also one of the largest public sector banks, where we have provided the backend authentication for the 2FA platform.

Today, for accessing your bank account, the bank must have given you an OTP token to generate an OTP, or you can simply get an SMS OTP. This is what we install at the bank's end.

Today the smartphone population in India has crossed 170 million and we hope 100 million will be shipped in the next one year, so the smartphone population in India is increasing. People like you and me are doing a lot of transactions online, we are buying movie and train tickets, and we are doing a lot of banking transactions on our phone, and we will continue doing this.

Like an e-commerce website that is now only offering mobile apps because the mobile user base is increasing, thereby promoting mobile-based transactions. In such a scenario we have to ensure that our identities are protected.
