The reading notes record thoughts from things I read. 這網誌是我的一些閱讀後的思考和摘要記錄。My website 我的網頁:

Where is my electronic token?

In this complex world, valuable information and financial data are flowing around in the Internet. Financial institutions, which are known to be the most conservative, cautious and security-conscious beings, have all converted to online money transactions. You may think that security in the public network must have reached a mature and reliable state to enable large sum of money and secret information changing hands. We learned about high level encryption, virtual private network, ultra high temperature firewall, secure sockets layer, transport layer security. However, the cat and mouse game of guarding and hacking is far from over. Cases of Internet fraud and information leaking continue to surface. Major websites, including the high security sites of governments and banks, are being frequently attacked.

To some sociologists, this is a normal phenomenon of social rule making and rule breaking. With all the laws and enforcement agencies, crimes are still being committed. One theory is that we can only keep irregularities under control to a certain extent. A cruel point is that we have to live with, hopefully, a small percentage of disorder.

Still the war wages on. Despite the sophisticated IT security measures developed, some institutions are going back to basics and employed the human factor. The US Securities and Exchange Commission advised financial institutions to introduce two-factor authentication for online transactions. One factor is the security information of an account which includes the user name and the password for you to remember. The other factor is something in possession, like a smart card or an electronic token. The second factor requires a person to carry something actual for the purpose of authentication in order to perform online transaction.

Some banks in Hong Kong have introduced electronic token as the second factor authentication. I have more than one bank account so I have more than one token. Some lucky persons may also have smart cards for authentication; and more tokens for secured access to office systems. It starts off as a novelty and a status symbol. People carry it around their neck and flash it to others as a sign of power, security and confidence.

However, the situation is getting worse. The token emerged as a piece of pendant and gradually developed to a chain of necklace. I hate wearing such ornament and they are also too bulky to be carried en masse in my pocket. So I put them in my drawer. Even in the old days, I had the bad habit of keeping my smart card in my drawer when I left the office. Anyway, the only use of the smart card is in the office for access to my LAN account. Bad guys getting hold of the smart card still do not have the first factor. But ladies and gentlemen, please get rid of this bad habit of security loophole and never let the security guys hear about it.

Now comes the problem with the tokens. Where are they? I remember that I put them in my drawer. But my drawer is quite disorganized with all sorts of stuff. It takes some effort to sieve through the pieces and locate a token. But sorry, this is not the right one. I normally check all my bank accounts twice a day; and so I have to go through such ordeals frequently.

Is there any clever person who can think of a better way? Yes, there is. It is the electronic certificate which can be encoded on a smart card. It can serve multiple purposes of authentication. It is administered by a certification authority and can be recognized worldwide. So let’s carry only one smart card with the e-cert as the second factor of authentication and roam the Internet. However, the chaotic world is not that simple. The first hurdle is the card reader which very few people have. It has to be thought of as an essential computer peripheral like the mouse before the smart card can get popular. The second hurdle is that banks are not comfortable with the security of the e-cert, and are scary of the thought that the security of their system has to rely on a third party. As a result, we have to carry the many second factors each issued by someone.

More bad news on e-cert. I just read from the news that the poor certification authority, which is the Hong Kong Post, is losing money on this business. Hong Kong e-cert may face the axe and may disappear from the world if no private enterprise wishes to take over. Come to think of it, how could a private enterprise take over money losing business? Shouldn’t the government be running such non-profit making territory-wide IT infrastructure? Come to think it again, the entire government is now using e-cert for its IT security. A private enterprise could just milk this cow by raising the price, and be rich.

But there are really very clever persons who do not believe that a second factor authentication device could do the job. An electronic token system is expensive to maintain. Many financial institutions reported that much resources have to be deployed to set up the system, distribute the tokens and, most of all, maintain customer relations in replacing damaged, lost and expired tokens. Many banks are now using another approach. They think that the information they have on a customer should be put into greater use in improving security. Such information includes the unique characteristics of customers in performing online transactions, such as the location, IP address, type of browser, time of day, and any information which reveals habits and personal traits. All these are readily available in the customer database. Should the system observe that a transaction is initiated from a different IP address, or from another country, or odd hours, or a different computer, or for an extra large amount, or anything out of the ordinary, the transaction is considered suspicious. Extra questions will then be asked, for which answers are only known to the customers, for the transaction to be allowed to proceed. It is like the first authentication factor to the power of 2 and above. Many banks consider this a better method which is more secure, flexible and easy to maintain. The artificial intelligence employed can be changed from time to time to avoid spying. Most important, it reduces the effort on the customer side while providing better security and customer service.

There is no such thing as a fool-proof system. But I would appreciate the banks would spare me the trouble of token searching.