Banks are increasingly using mobile devices as an added layer of authentication for online banking, but messages sent to a phone can be intercepted. A security method developed in South Africa may close that security hole.
Some banks send text messages to phones with one-time use codes to verify a login at a new computer or to approve a risky transaction. The user then replies to the text or types the code in at a computer to verify the transaction.
Entersect Technologies Ltd., a company based in South Africa, insists that this method is not fully secure because of its reliance on text messages. To address the problem, it developed a system that uses digital certificates and push notifications to add security without sacrificing the ease of use that text messages provide. Its system was developed over two years with Nedbank group, which is also based in South Africa.
"We're co-developing with them," John Bestbier, Nedbank's group executive for strategy, said in an interview at the FinovateFall conference in New York. "We've set up our own lab, effectively, next door to them … [and] replicated our banking systems."
The initial plan was more focused on mobile than security, but "in starting with mobile, the starting point is security," Bestbier said. "What actually started off in a mobile journey for us ended up in a security journey."
The end result, Bestbier said, is "better than chip and PIN," a card security method used in many countries, and is "much more intelligent than a token," the one-time-password keychain device many banks require for high-risk transactions.
Entersect's system, which is being sold in the U.S. by Transecq LLC of Alpharetta, Ga., places a digital certificate on the user's phone upon enrollment. To authenticate future transactions, the technology looks for this certificate. The user then enters a PIN to approve or deny any transaction.
"We don't rely at all on the mobile phone's phone number" for authentication, Christiaan Brand, Entersect's chief technical officer, said. "We rely completely on the actual digital certificate that we place on the phone."
On an iPhone, push notifications resemble text messages, so the end user's experience is similar to receiving a text.
Entersect's system addresses the risk of a message being intercepted. "Listening on the air … [is] becoming more and more of a problem," particularly when someone working at the carrier is helping the scammers, Brand said.
Entersect has three bank clients in South Africa, including Nedbank, Brand said.
Although the user experience resembles the process of replying to a text message, Entersect's system has a more involved enrollment process. Users must download the certificate to their phone by installing an app provided by the bank or the vendor. They must also authenticate themselves within the app by entering a code the bank distributes through a separate channel.
"I'm worried about any tech that requires a change in user behavior," Aaron McPherson, a practice director at IDC Financial Insights in Framingham, Mass., said in an email. "This sort of thing has failed many times in the past," he said, and Entersect was unclear in its presentation about how its approach is an improvement.
Its system is "good technology," but only in small bites, Bart Narter, the senior vice president of the banking group for Celent, said in an email. "I don't think consumers will want to have dual-factor authentication at every transaction," he said, but "combined with fraud scoring, I think that this would be a very appropriate solution for many consumers."
Entersect's approach is also "likely to be much less expensive than dedicated hardware," such as a token, he said.