Computers and mobile phones are commonly used in today's online banking and commerce environment. In this context, online banking and commercial transactions refer to self-service transactions conducted in proximity to a POS terminal or other terminal, or remotely via a web browser or a similar client.
In the field of online banking the concept comprises self-service banking conducted on any internet-enabled device, e.g. a laptop computer or a mobile device. Online banking, irrespective of the type of device used, can be accessed via different channels, e.g. a web browser, an app or SMS.
E-commerce payment solutions belong to the same field of technology and are defined here as a card transaction or credit transfer made in an e-commerce context, e.g. a payment card used to pay for goods from an online merchant.
The various online banking and payment applications offer a variety of authentication mechanisms in an attempt to increase the security of the information exchange. One such mechanism is the hardware token: a device such as a key fob or authentication module that holds a secret shared with the issuing bank, is issued to a user and is identifiable by the bank. The hardware token generates a one-time password (OTP), which is combined with additional credentials to initiate a session, or to authorise an action at an escalated security level, in the protected application. Although this is easy to use, and the simpler versions without connectivity can also be used with mobile applications, serious vulnerabilities remain: an OTP proves only possession of the token, so malicious third-party software running on the client can capture the password as it is entered and relay it, or hijack the authenticated session, before the legitimate request is processed. Other weaknesses are differences in connectivity between devices and the constraints imposed by driver software for connected tokens.
A secure browser is an additional security measure. Such a browser may be supplied on a USB mass storage device, in which case it does not need to be installed on the computer and may work with several different operating systems. Security is enhanced in that the browser is separated from the software installed on the host computer, but the arrangement remains vulnerable: if the host computer is compromised, the browser session running on it is compromised as well. The disadvantage is therefore that once the application is started it offers only the same security level as software installed on the host.
Some bank solutions rely on the issuance of static passwords to grant access to the online bank. The password may be issued by the bank, selected by the user (often derived from easily guessed data such as a social security number), or consist of data printed on a payment card issued by the bank. This has the advantage of being simple to use, but it provides no real additional security layer: a static password can be captured once and reused indefinitely, which makes it very vulnerable to a man-in-the-middle attack.
The use of a pre-issued code sheet is also frequent in bank applications. This is a collective term for a printed sheet of codes that is sent to the customer for use when accessing the bank's applications. Although easy to use and cheap to produce, this solution leads to more abuse and confusion than hardware tokens and OTP generators. The security level is considered low, since nothing prevents the code sheet from being copied or misused, and a copied code is as valid as the original until it has been used.
In mobile terminals a software token may be used instead. It functions in the same manner as a hardware token, generating one-time passwords. The advantage is that no extra hardware is needed, but the downside is that the software token shares the security problems of a PC: keystrokes can be monitored, the token software can be altered, or sessions can be relayed to a third party.
In e-commerce payment applications, a conventional method is to enter the payment card data during online checkout by simply reading and typing the numbers printed on the face of the card: the card account number (PAN), the expiry date and sometimes a card security code, e.g. the CVV. The merchant may use a payment gateway to transmit these data. Although very easy to use, this method offers little security, since no additional authentication is required and anyone with access to the information printed on the card can approve a payment. Such transactions are referred to as Card Not Present (CNP) transactions, and CNP transactions currently account for the majority of card fraud.
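As an added example, not part of the original text, the following Python code performs the checks a merchant checkout form can realistically apply to typed card data before forwarding it to a gateway: the Luhn checksum of the card number, the format and currency of the expiry date, and the length of the security code by card brand. The sample entries, the reference date and the function names are constructed for this example; the card numbers are the publicly known test numbers, not real accounts. What it demonstrates is that every available check is syntactic: whoever holds the printed data passes them all.

```python
import re
from datetime import date

# Constructed sample checkout submissions (not real card data). The PANs are
# the well-known Visa and American Express test numbers, which pass Luhn.
SAMPLE_CHECKOUTS = [
    {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv": "123"},   # well-formed
    {"pan": "4111 1111 1111 1112", "expiry": "12/27", "cvv": "123"},   # typo in PAN
    {"pan": "3782 822463 10005",   "expiry": "12/27", "cvv": "1234"},  # Amex, 4-digit code
    {"pan": "4111 1111 1111 1111", "expiry": "01/20", "cvv": "123"},   # expired card
]

# Fixed "today" so the example is reproducible (constructed).
REFERENCE_DATE = date(2024, 6, 1)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 checksum over the digits of the PAN; catches typos only."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_ok(expiry: str, today: date) -> bool:
    """Accepts MM/YY and requires the card to be valid through the printed month."""
    m = re.fullmatch(r"(0[1-9]|1[0-2])/(\d{2})", expiry)
    if not m:
        return False
    month, year = int(m.group(1)), 2000 + int(m.group(2))
    return (year, month) >= (today.year, today.month)


def cvv_ok(pan: str, cvv: str) -> bool:
    """Only the length can be checked here: Amex (34/37) prints four digits,
    other brands three. Whether the code is right is known only to the issuer."""
    digits = "".join(c for c in pan if c.isdigit())
    expected = 4 if digits[:2] in ("34", "37") else 3
    return cvv.isdigit() and len(cvv) == expected


def validate_checkout(entry: dict, today: date) -> bool:
    """Everything a merchant can check before calling the gateway. None of it
    authenticates the cardholder; it only rejects malformed input."""
    return (luhn_ok(entry["pan"])
            and expiry_ok(entry["expiry"], today)
            and cvv_ok(entry["pan"], entry["cvv"]))


def validate_all(entries: list, today: date) -> list:
    return [validate_checkout(e, today) for e in entries]
```

Running validate_all over the sample entries accepts the first and third and rejects the typo and the expired card, which is the whole extent of the protection: a fraudster who has copied the printed data submits exactly the same well-formed values as the cardholder.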
Other e-commerce payment applications rely on stored payment card data, where the user is redirected to a secure login when performing checkout. Normally a username and a password are required to continue with the transaction, and in some instances a hardware token may also be required. The service provider is entrusted with keeping the payment card information on the user's behalf. With a hardware token, convenience is reduced drastically, and faulty input very often results in the account being locked, i.e. a self-inflicted denial of service.