To conduct transactions over a communications network, in particular the Internet, the parties involved normally require use of a trusted or secure communications protocol together with a system for validly identifying or authenticating the parties to one another. The communications between the parties can be secured by employing various encryption technologies, such as that used in the SSL (Secure Sockets Layer) protocol, and transactions between large commercial parties or businesses can employ elaborate and permanent authentication processes, such as that used for EDI transactions. For business to consumer transactions, however, it is not normally commercially expedient, efficient or practical to employ elaborate authentication processes, particularly for transaction systems that need to communicate with a large number and wide variety of consumers.
For example, most banks have now established online banking systems that allow the customers of the banks to perform transactions with the bank and other parties over the Internet. The online banking systems include a variety of authentication systems or processes to authenticate a customer, or user, when they seek to commence a communications session, or login to the online banking system, so that transactions can be performed. The authentication system authenticates the client device that the user uses to access the banking system, and in fact validates that the user or customer is using that client device to access the system.
Many different authentication systems are employed by banking institutions. For example, some online banking systems use SSL and only require a username and password combination to be correctly submitted for authentication. Other banks require additional authentication processes. For example the National Australia Bank system, on receiving a payment request from a customer, sends an SMS (Short Message Service) message with a random alphanumeric string to a customer's cell or mobile phone. The authentication system then requires the string to be entered as a password by the customer into the client device for submission to the banking system. Both techniques are unfortunately vulnerable to compromise by an unauthorised party. Username and password combinations are readily obtained by unauthorised parties using web sites that replicate the sites of online banking systems, and are promoted by phishing techniques. Packet analysers are also employed to “sniff” packets of communications to the banking systems. The one time passwords of the SMS messages can also be obtained (as they are transmitted in a clear text form) by wirelessly monitoring messages sent from identified SMS servers or to identified mobile phone numbers.
An authentication system used by HSBC Bank Australia Ltd includes a key ring device produced by Vasco Data Security International that is provided to customers. Whenever a customer seeks to login to the HSBC online banking system, the authentication system sends a web form requesting submission of a data string. The data string required to be submitted is provided by a display of the key ring device after selecting an activation button on the device. The number provided on the display, once submitted using the web form, is validated by the authentication system to authenticate the client device of the user. The key ring device performs a random number generation process which is also performed by the HSBC online banking system. The two processes are synchronised so that the same random numbers are generated at predetermined periods of time, eg every 30 seconds, and can be compared for authentication. There are however inherent problems with this authentication system. Firstly, the random number generation sequence can be compromised or disabled if the processes lose synchronisation, such as due to a power loss. Also, the system relies upon the provision of a unique dedicated hardware device, which customers must retain. In addition to the costs associated with the dedicated device, significant problems occur if the device is lost, stolen, or loses synchronisation.
Accordingly, it is desired to address the above or at least provide a useful alternative.