Evolution of Online Security Tokens
When I received my new token from DBS I thought, “This is almost as thin as my credit card”. Today my credit card can also be my security token.
The guys from NagraID have made it possible to integrate both security token and credit card into the same platform (see picture below).
Image Source: NagraID: Creating the Credit Card of the Future.
I managed to get my hands on one by Standard Chartered (which does not belong to me). It is a credit card where you have your legacy magnetic strip, credit card chip with an additional LCD screen and a keypad integrated within the card (see picture below).
Did you notice that the keypads are touch sensors and not traditional contact switches? This allows users to simply place their fingers gently over the numbers, this is to avoid pinching of the card which usually leads to accelerated wear and tear.
It has the size and thickness of a normal credit card and this is how it compares to traditional security tokens.
This innovation sure looks expensive to me. However, according to the guys at NagraID, their card allows banks to save as much as half as compared to using a separate security token. Because the banks still need distribute credit cards, cost can be saved on the packaging and postage involved in the distribution of a separate security token. In addition, NagraID states that the embedded and flexible battery cell allows usage for up to three years.
Some may wonder why this has not been implemented earlier. I believe the answer lies mainly with the depreciating cost of lithium batteries as well as advancement with the lithium battery cell. A lithium battery capable of packing a substantial amount of power (to last for 2 to 3 years) in a small volume that allows flexibility (bending it like a plastic card) is required in this design. Previous generations of batteries could not achieve such characteristics and hence was not really possible to integrate a token within a card. Finally the depreciating cost of lithium battery cells with the above mentioned characteristics justify practical and cost effective means of implementing such a solution.
Unfortunately this is not the dominant design in the security token arena. Whether this design will take over and replace current security token in the online banking industry remains uncertain. From my point of view an integrated security token means that the end user do not need to make a compromise of carrying a separate device to authenticate a transaction. The excuse for not having your security token with you will no longer be valid and there will be lesser excuses for merchants not to implement a One Time Password (OTP) authentication for their online and credit card point of sales (POS) transactions.
This could lead to a wider spread of multi factor authentication for day-to-day transactions. Higher adoption of multi factor authentication should in turn mean a significant decrease in credit card and debit card fraud.
Nonetheless, this multi-factor authentication solution only authenticates the transaction and does not authenticate the user using it. If you own a credit or debit card you would know that the cashiers hardly checks for your signature at the back of the credit card. Your spouse could potentially take your credit card you left at home for a trip around the mall and not a single cashier will suspect irregularities of the signature. I do not know if this is a flawed design by purpose (let the comments begin) but I do observe that little has been done to authenticate users.
Bruce Schneier explains more on hacking two-factor authentication (22 September 2009) here.
This technology could also be used in ATM cards as a precaution to card skimming. This is because you will need to have the Original and Physical card with you to supply an OTP before a transaction is completed. A criminal who has just skimmed your magnetic strip cannot complete a fraudulent transaction because he does not have your original card and hence cannot supply the OTP required for a complete transaction.
Should the banks operating in Singapore adopt NagraID’s credit card solution widely, customers will no longer need to carry a separate security token for online banking. However, this does not answer to the need for a single authentication device to access different secured services as envisioned in the National Authentication Framework (NAF) as part of the iN2015 masterplan by IDA Singapore. Although this does away with carrying a separate token, each card is ultimately a separate token.
In summary, the forces of change brought about by the advancement of the lithium battery, resulting in NagraID’s futuristic credit card, might solve the need to carry a separate security token. But it still does not solve the decentralised nature of authentication systems (maintained individually by each bank) and the overlapping cost invested by the banks to provide for a single user with multiple accounts across multiple banks in Singapore. Having all the different banks in Singapore to share a common authentication device or platform would be a leap forward and great achievement worth pursuing.