SubscribeOnline fraud is a growing threat worldwide - especially in the US where Banks are reluctant to adopt new technologies.
Introducing ever more complicated PIN, username and password combinations merely antagonises the customer without deterring the fraudster.
Biometric solutions are seen to be the answer. But the traditional, user-friendly signature is dismissed as being too easy to forge. Except that a UK company - KeCrypt Systems - has just made forgery impossible.
KeCrypt - impossible to fake, fool or forge.
The KeCrypt Solution is unique in identity management in that it doesn't ever record an image or a template of the signature. So there's nothing to copy or steal. It's all done by recording the dynamic biometric components of the signature - such as its speed and pressure.
These dynamic biometrics are simply impossible for someone else to recreate, no matter how much time they might have. A KeCrypt Signature cannot be faked or forged. The verification process cannot be fooled.
As a number of major trials have already proved, this patented solution is 100% secure. *
The Unsecured State of America
The 2005 Identity Fraud Survey by the US Better Business Bureau indicated that 9.3 million American adults were victims of identity theft/fraud within the last 12 months, and that it had cost the U.S. $52.6 billion. In January, Gartner - probably the world's foremost IT research analysts - reported that almost half of internet users said that concerns about online attacks had affected their online shopping behaviour.
So in August the US Federal Financial Institutions Examination Council (FFIEC) published a guidance entitled Authentication in an Internet Banking Environment (see www.ffiec.gov/pdf/authentication_faq.pdf). Its aim is to spur US Banks into moving beyond simple password-based authentication and into providing more secure access to Web-based financial services by the end of the year.
However, Gartner estimates that while most US Banks may have improved their authentication procedures by the target date, only about 25% will have actually invested in more effective technology.
Not putting the customer first
Naturally Banks assess the benefits to them against the cost of implementing any new system. It can be cheaper to complicate the process at the customer end, and so give the impression of greater security, than invest in new technology that will actually deliver it.
So all in all it's not surprising that, as Gartner observes, 'It won't be the "gold rush" that authentication vendors are hoping for because 60 percent of U.S. banks will respond by implementing homegrown security solutions. In the end, user profiling and transaction anomaly systems, accompanied by out-of-band authentication for the riskiest transactions, will win market share, because this strategy is the most effective.'
What this ignores, however, is that customers resent any additional hurdles that Banks impose between them and accessing their own money. Worse still, customers resent banks using different systems, obliging them to remember a plethora of different procedures. And at the end of it all, many of the systems are themselves complex, tedious - and still not that effective!
Gartner ends with the ominous warning that 'thieves will continue to find ways around most stronger authentication implementations.'
Authentication - finding the genuine article
Authentication methods fall into three broad types:
- Something you know - a password, PIN, a piece of personal information...
- Something you have - a token, a swipe card, a smart card, a passport...
- Something you are (a biometric) - your voice, fingerprint, signature, a face or iris scan...
PINs and passwords are vulnerable to being forgotten, given away, observed by others, or otherwise obtained ("social engineering"). Cards can be stolen and/or forged. It's true that a combination of these methods can help against fraud. Combine either with a biometric and both usability and security are improved. This assumes, though, that the performance and capability of the biometric technology is sufficiently high.
Biometrics get thumbs up from customers. But which is best?
In May 2006 a Gartner survey of 5000 online customers found that 'using devices for authentication was the least preferred security method.' It also identified biometrics as providing the greatest degree of security - so, attractive from the customers' point of view. Unsurprisingly, they felt that they also had the highest cost of implementation - so not so attractive to the Banks.
Now that was mainly due to the biometric systems that Gartner chose to evaluate. Their choice was between fingerprint, iris and facial scanning, voice analysis and typing rhythm. Unfortunately, even under the best conditions, these are subject to false positives and can be affected by an individual's state of health, environmental conditions, hardware problems, eye colour and even their occupation. Fingerprint and eye scans have even been accepted without the presence of their owners!
The survey, however, overlooked the most obvious biometric contender - the signature! It's a method that's natural, familiar, authoritative and easy to use. They're unique to an individual, cannot be lost or damaged and can be easily up-dated when customers change their names.
But signatures have an obvious flaw. Biometric signature solutions have always depended on storing an analogue template, which makes them vulnerable to abuse.
Until now, that is.
KeCrypt, a British company, has perfected a new dynamic technology which overcomes this fundamental flaw. It is the simplest yet most robust biometric solution available.
KeCrypt on trial
To assess the viability of the KeCrypt signature verification in a working environment, a trial was carried out in the pharmacy departments of a number of London hospitals. Within a pharmacy and prescribing environment a signature is used to authorise a wide range of activities. Apart from demonstrating its effectiveness in workflow management, the trial showed that the KeCrypt biometric signature has a high level of user acceptance plus a high level of accuracy - and most importantly, all attempts at forgery were rejected.
A copy of the NHS Trial White Paper can be downloaded at www.kecrypt.com/news.php
Bank on KeCrypt
To confirm Europe's lead in this area of online security, a major UK Bank is already looking at KeCrypt Signature in workflow and online banking environments with the view to trialling next year and rolling out to customers soon after.
For a more detailed analysis of online verification systems, take a look at this News item on our KeCrypt website:
http://www.kecrypt.com/news_view.php?mode=news&opt=read&lid=35624