Over the last year I have stumbled across a number of people who all prescribe transaction authentication as a trustworthy way to solve eBanking fraud.
Security researchers, security specialists, and banks alike have started telling the same story: "Transaction Authentication is the way forward." There are a number of different names for the theme; some call it Transaction Verification, Transaction Signing, or Transaction Authorisation.
What they all refer to is simply making the user aware by providing context (the relevant details of the transaction), preferably the information that carries the highest risk, such as the beneficiary. For each type of transaction there is a corresponding risk, and the essential point is to reduce and mitigate that risk. Not only does the user need to be informed, he also needs to give his informed consent back to the bank, preferably using a cryptographic method, generated in a secure device. This gives the bank strong proof that the customer in fact understood what he was doing and approved this transaction.
At the govcert.nl cyber crime symposium (2009) Bruce Schneier told us that authenticating the user is inherently flawed; what really needs to happen is transaction authentication, meaning that the user understands what he is consenting to. The details of the particular transaction must be understood and agreed to by the customer.
Another statement by a security expert in the field that I really liked was: "With the emerging threats online, two-factor authentication is customer presence during fraud, and SSL is bank presence during fraud." This really reduces the issues with standard 2FA to one sentence.
Roel Schouwenberg, Senior Antivirus Researcher, wrote a thoughtful article, "Here's How to Fix Online Banking Fraud", describing the background need for Transaction Authentication.
Ross Anderson and his team have over the last year published several research papers aimed at the weaknesses in online security, and when talking about "fixing the vulnerabilities" they mention the German ZKA's HHD 1.3 as a solution that mitigates most of these attacks, quoting from the paper: "...incorporates defences against a number of the attacks we discuss in the paper."
The last and most important step is to make it easy for the customer. This is achieved by controlling how many transaction details are shown to the customer. This is quite tricky: if you force the user to approve details too often, you will teach him to skip them, and you don't want to cry wolf.
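As an added illustration (not code from this post, nor from HHD 1.3 or any bank's scheme), the following Python sketch shows the "what you see is what you sign" idea described above: the device computes a short MAC only over the high-risk fields the customer was shown, and the bank recomputes it over the transaction it actually received, so a beneficiary swapped by malware after consent fails verification while a change to an unsigned low-risk field does not. The device key, field set, sample transaction and 8-character code length are constructed assumptions for the demo.

```python
import hmac
import hashlib

# Constructed demo secret. Assumption: in a real deployment this key is
# provisioned at enrolment into a tamper-resistant device and never reaches
# the browser or PC.
DEVICE_KEY = b"constructed-demo-device-secret"

# Only the high-risk fields are displayed and signed, keeping the device
# screen short so the customer is not trained to click through details.
SIGNED_FIELDS = ("beneficiary", "amount", "currency")

def canonical(tx: dict) -> bytes:
    """Deterministic encoding of exactly the fields the customer is shown."""
    return "|".join(f"{k}={tx[k]}" for k in SIGNED_FIELDS).encode()

def device_sign(tx: dict, key: bytes = DEVICE_KEY) -> str:
    """Code the secure device emits after displaying the fields and getting consent.
    Truncated to 8 hex characters so a person can type it; a usability trade-off."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()[:8]

def bank_verify(received_tx: dict, code: str, key: bytes = DEVICE_KEY) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    expected = hmac.new(key, canonical(received_tx), hashlib.sha256).hexdigest()[:8]
    return hmac.compare_digest(expected, code)

def demo() -> dict:
    # Constructed sample transaction as shown to and approved by the customer.
    shown = {"beneficiary": "NL00BANK0123456789", "amount": "250.00",
             "currency": "EUR", "reference": "rent"}
    code = device_sign(shown)
    # Beneficiary altered in the browser after consent: signed field, must fail.
    tampered = dict(shown, beneficiary="NL00MULE9876543210")
    # Low-risk field altered: unsigned by design, so verification still passes.
    reference_changed = dict(shown, reference="rent march")
    return {
        "honest": bank_verify(shown, code),
        "tampered": bank_verify(tampered, code),
        "reference_changed": bank_verify(reference_changed, code),
    }

if __name__ == "__main__":
    print(demo())
```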
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.