New Card Introduced for Financial Institution Authentication Use
â€œWhat weâ€™re seeing with the growing press coverage and awareness of identity theft, consumers are beginning to ask their financial institutions, or their health care, or any other site or business that holds the consumerâ€™s sensitive data, what is being done to protect that information?â€ said Fran Rosch, Vice President of authentication solutions at VeriSign, Inc.
The card is being tested at several international banks, including a bank in Korea, Meritz Securities. According to John A. Ward III, Chairman and CEO of Innovative Card Technologies, the Korean banking industry is a good start for the card. Korean regulators have taken a very strong stand on authentication for online banking, and theyâ€™re even more stringent than the banking regulators in the U.S. â€œThe Korean equivalent of the FFIEC is much more stringent, and the Korean online banking segment has a higher percentage of users compared to the 63 million online banking customers in the U.S., Korea has 33 million online banking customers,â€ Ward said.
Ward said two major markets the card will be ideal for are in the enterprise management sector, for companies that have secure networks, and the financial services industry, including banks, credit unions and brokerage firms.
â€œBanks and other companies have wrestled with this need for stronger authentication. Because of the challenges presented by consumers didnâ€™t want just a device for security only, like a token, they were looking for something that was embedded in something they use, that they carry already, such as a credit card or a mobile phone,â€ Rosch noted, adding, â€œAs this card takes off, I think weâ€™ll see a proliferation of this extra level of security for the consumer end. Itâ€™s easier to deliver one card with everything on it instead of carrying something else to validate your sign in.â€
â€œMost people donâ€™t embrace a token or key fob. Theyâ€™re clumsy and people leave them at the office or misplace them,â€ Ward said. While there are an estimated 45 million token passcode generators being used in companies, the use and acceptance of tokens isnâ€™t as easily transferred to consumer use.
The other market segment targeted is online private banking, small business, middle market and securities trading. â€œBecause these areas have sizeable transactions anywhere from a couple hundred to several thousand dollar transactions, the need for security is greater,â€ Ward noted. And the initial cost of the new card, $12, would not be a turnoff. â€œThe account profitability is such that a $12 fee, or even a minimal charge of $1 or $2 per account, or even they gave you a card, is negligible compared to the profit they make off of these market segments,â€ he explained. Compared to the average cost to make a credit card (35 cents), Ward noted in the short term, â€œThe cost is high, but will go down over time, when the product matures. However, this card could be viewed as a companion card; it could be an ATM card, or a debit or credit card.â€
When Ward showed a prototype of the card to a group of investment bankers, (who are known not to be easily impressed), â€œTheir reaction was â€˜Wow.â€™ They could not believe that you could get a two factor authentication in the form and size of a credit card. They were shocked,â€ Ward said.
The other element of this solution that makes it attractive is VeriSignâ€™s network, where a consumer could, eventually with one credential, sign in with that one card and access a broad set of websites, Rosch explained.
â€œIf your bank or credit union issued you a card with one of these one time passwords embedded into it, you could not only do transactions with your bank or credit union, but also shop and do business at e-Bay or Pay Pal and also protect your accounts there, or any other company that is a member of VeriSignâ€™s Identity Protection (VIP) network,â€ Rosch said. While the international banks VeriSign has talked with are cautious about revealing their plans, Rosch said there has been a lot of interest in the U.S. market.
In 2006 many large companies looked at solutions for customers, and they piloted token solutions, â€œe-Bay, Pay Pal, e-Trade, and others came out with some type of token solution, and theyâ€™re increasing it into the wider market,â€ Rosch said, and added, â€œIn 2007 I think weâ€™ll see a lot of firms piloting this card, and in 2008, we will see mass distribution of it.â€
The lifetime of the card is expected to be the three-year life of the battery (which incidentally is the same lifetime as most regular credit cards.) The size of the card is the same as a regular ATM or credit card, but the card has an ultra-thin battery inside that will generate the six digit code when a button is pressed on the front of the card.
The cards would also help consumers protect personal and account information and would enable the financial institution to double check the userâ€™s identity. If a keylogger was on the computer being used for the online transaction, the account user name, static password and then the randomly generated number would be of no use to a hacker, as any future transactions on the account would require a new generated passcode that the hacker would not be able to get. The only way the account could be compromised would be if the card was physically stolen and the thief had the user name, static password, and the card.
It's the benefit of two-factor authentication, plus it doesnâ€™t include the token factor, Ward noted. The cards, according to VeriSign, have been certified through Visa and MasterCard, so any bank with a relationship with them can buy into these cards and pass them out to users. Ward concluded, â€œMulti factor authentication is great, but you also want your customer to be comfortable with it. They already use credit cards, and you as a bank donâ€™t want to have to issue another piece for the customer to be required to use.â€