Secured Internet Access: Capitalising on New Communication Media
by Alain Gruge, Global Head of Payments & Cash Management, Societe Generale
Although information technology tools are already part of everyday life in the banking community and cash management services, the major innovation of new communication media, such as smartphones and tablets, creates new practices and new requirements among their users. How can we meet these expectations while maintaining and even reinforcing security and anti-fraud mechanisms? This is one of the key challenges of e-banking.
The exponential growth of smartphones and tablets introduces new user behaviours such as ‘Bring Your Own Device’: the use of personal devices for business needs. Current authentication procedures are tailored for physical media and perceived as complex. They have to be modified to meet the needs of these new mobile devices (smartphones and tablets), namely speed and simplicity.
Nowadays, the strong authentication required for secured access always calls for the use of a physical medium (flash drive, OTP token, card, etc.). Such tools are poorly suited to the mobility model of smartphones and tablets. Consequently, the banking sector is leading various projects to simplify access on smartphones and tablets without jeopardising security. These projects are based on existing technologies combining functional simplicity and security. One of these innovations is the ‘out-of-band’ (OOB) solution. OOB is secured software linked to the banking application, in which a password is required to authenticate or validate transactions.
- Functional simplicity: Some banking applications already authorise secured access with no physical medium (non-contact mobile payments, on-line card payments via 3DSecure, etc.). Out-of-band can easily be used on any internet media for all types of transactions.
- Security: The out-of-band solution integrates WYSIWYS (What You See Is What You Sign) contextual validation, so the context of what is being validated is clear to the user, which helps to thwart cyber attacks from the browser.
Societe Generale has chosen an out-of-band solution that can be shaped for any internet media.
The client can choose between three methods:
1. Working solely on a desktop to access the bank’s website and validate the transactions. He would then have to open OOB in a separate application window.
2. Using mobile devices: OOB is directly integrated in the application.
3. The ‘cross-channel’ method, which combines the use of mobile devices and desktop. The client is notified on his smartphone for authentication after accessing the website on a desktop without OOB.
Out-of-band strong authentication with no physical medium helps to streamline processes (no equipment to distribute or replace), simplifies access modes (no physical medium to plug in) and improves transaction security (WYSIWYS).
With a single authentication mechanism, clients will have access to the entire range of banking services. For instance, a client who needs to buy foreign currencies will connect to his bank’s foreign exchange portal with authentication solution ‘X’. Once the transaction is completed, he will access the cash management portal with authentication solution ‘Y’ to make his payments.
In the near future, Societe Generale would like its different portals to share the same authentication solution. This simple and time-saving solution offers an alternative to developing a ‘single sign-on’ solution to access different internet applications. And beyond that, what next? Out-of-band solutions are compatible with existing methods and offer the advantage of continuous development over the years to come, such as the integration of personal certificates for non-repudiable electronic signatures. Later, the possibility of integrating biometric methods will be considered, focusing on simplification, speed and more security against fraud.
Societe Generale will launch cash management applications designed for all its professional and corporate clients in Q3 2013. This out-of-band solution will also be available for desktops. An implementation phase with pilot clients will begin in Q3 2013, and the solution will be available in 2014 for all clients.