When you sit down to discuss the evolution of your enterprise security strategies, Australia Post is not necessarily the first organisation you would think of. But that may soon change, with AusPost’s foray into the world of online authentication.

The federal government-run company has just signed off on its business case to offer a managed service aimed at addressing other corporations’ multi-factor security needs. The project pitches one of Australia’s bastions of old-world communication squarely into the debate about ways to conduct private communications and transactions in the online universe.

A consensus of sorts has emerged across the vendor and IT end-user community regarding the security of the enterprise. In short, traditional security devices such as passwords are woefully inadequate in a climate of phishing, Trojans, keystroke logging and other forms of online fraud. The days of the pin and password opening up a world of online transactions are rapidly coming to an end as Australia follows a global trend towards multi-factor authentication.

Banking on security

In the first half of last year, the Australian Bankers Association (ABA), fed up with stories in the press about compromised accounts and phishing emails trading off its members’ good names, set up a high-level taskforce to gain consensus on the best approach to handling burgeoning fraud issues.

It emerged in June with what it described as a ‘world-first’ industry standard that called on its member organisations to increase the authentication required for online banking transactions. In a move that can be interpreted as a kick up the behind to the e-commerce community at large, the ABA encouraged the adoption and use of two-factor authentication.

This simply entails two forms of required identification in a transaction, so that if one aspect – such as the password – is compromised, access to the account is not granted. ABA’s director of tax and security, Tony Burke, says the standard was designed so that not only association members but other financial institutions could adopt it and spread the requirement industry-wide.

In the US, figures from Symantec show banks and credit-card companies have laboured under the weight of $US1.2 billion (£68.4 million) in losses resulting from phishing scams, which should help convince recalcitrant organisations that the business case for enhanced security is not necessarily difficult to draw up. The advice has not fallen on deaf ears: Bendigo Bank has already rolled out a system of key-ring sized tokens made by Vasco that generate one-time passwords (OTPs) to go alongside its customers’ existing log-on details. National Australia Bank revealed last year that it intends to introduce SMS-based two-factor authentication. This was followed in December by the introduction of new security measures for users of Commonwealth Bank of Australia’s (CBA) NetBank service, which appears to be an interim measure prior to a review of two-factor options this year.

As a result of the latest changes, NetBank customers are prompted to answer two personalised identification questions when undertaking a number of transactions, including first-time third-party payments or requesting an international money order. An expanded range of email alerts has been added to confirm when customers have changed their personal details; added, deleted or changed accounts in their account address book; and added or deleted a biller in their biller address book. CBA will investigate further changes this year. These include giving customers the option to reduce daily withdrawal limits online rather than through a branch or the NetBank helpdesk, as well as two-factor authentication, says Quentin Boyes, executive general manager, business and technology services.

“For customers, the existing security improvements are simple to use and deliver protection in the event of their accounts being subject to attempted fraudulent activity. All NetBank customers nominate personalised security questions when registering for NetBank, so they do not need any additional preparation to use these features.”

Token effort

It is this issue of convenience that is perceived as a stumbling block for organisations considering the adoption of more stringent two-factor authentication techniques. The distribution or sale of tokens, for example, leads to the added complication of customers having to ensure they have tokens with them whenever they want to use the service.

In her analysis of credit reporting agencies’ authentication practices, Gartner analyst Avivah Litan says US companies are reluctant to implement two-factor authentication for the mass market. They say convenience is paramount to encourage the use of online services and that security can be more cost-effectively obtained through other, less imposing processes. “Sometimes this rationale is wrong, especially when it comes to protecting highly sensitive credit-report data,” says Litan.

The data is readily available online to consumers and businesses through credit reporting agencies, data brokers and for free on a government website. This website is intended to protect consumers from identity theft but Litan suggests it may generate more fraud than it prevents as thieves obtain credit reports from the government by simply posing as legitimate consumers.

She points to a major German credit reporting agency, SCHUFA, as an example of an organisation in the field with acceptably diligent vetting of applicant credentials.

The company recently adopted two-factor authentication using Entrust’s IdentityGuard grid card. SCHUFA’s prospective users must first go to a German post office to get a token to use the service. If inconvenience is one stumbling block, then expense is just as big a hurdle.

Steven Moskwa, information security manager for Queensland’s Department of Justice and Attorney-General, is convinced two-factor is eminently preferable to single authentication from an information security perspective – as long as there is integrity in the process at all stages.

In particular, he says, the identity management component associated with the access control framework – including provision, escalation and reduction of privileges, monitoring and revocation of access – must be stringent.

Moskwa is concerned by the unwillingness of some organisations to swallow the cost. “To drive widespread user acceptance of multi-factor authentication, even in the banking sector, the cost must be met by the sponsor organisation and not the end user,” he says.

“Even the nominal $15 amount currently being charged by Bendigo Bank for its retail customers is an impediment to widespread take-up. Organisations that have embarked enthusiastically into the online world have done so for the tangible benefit of their enterprise such as growth of market share and cost savings.
“It is in the interest of those organisations to ensure the integrity of the online business transaction. The cost of providing multi-factor authentication is part of the cost of conducting business online.”

Working together

It is in the spirit of a shared commitment to adopting a suitable level of authentication as standard that Australia Post hopes to gain support across industries for its new managed online authentication service.

AusPost already has a strong connection with the banking industry through the provision of over-the-counter banking services. It also has a significant business, worth $15 million, in traditional authentication services – such as conducting identity checks on individuals wishing to open accounts.

Roger Lee, manager of identity and verification services at Australia Post, says there is considerable opportunity for revenue growth as it leverages its reputation as a trusted and neutral organisation in the community.

While the service is aimed at all sectors, banking is the initial priority.

AusPost is basing some of its planning on the assessment that Australian banks have realised there is little competitive advantage in providing two-factor authentication.

The view is that it has become a commercial reality and companies are looking for economies of scale by working with each other. AusPost wants to be the neutral party that pulls it all together. “In an online environment the particular problem that authentication plays in terms of it being a barrier to the wider uptake of e-commerce is well understood at Australia Post,” says Lee.

“We have played in the public key infrastructure (PKI) space and we know that it can be very expensive and cumbersome. The uptake was much lower than expected. So there is a need for something simpler, cheaper and less complicated – and this is where we saw the opportunity for multi-factor.”

SMS Management and Technology was brought in by Australia Post to advise in the development of the offering. One of its consultants, Kasey Edwards, says there are three main requirements of the system.

The first is that it must be a shared authentication device – one that can be used for multiple organisations. Consumer research warned of customer push back if they were forced to carry around a key chain full of tokens. “An authentication device is like a physical password and current consumer behaviour is to have one password for everything, so they will expect to have one authentication device for everything as well. Consumers also expect organisations such as banks and government departments to protect them. They are seen to have a responsibility to protect consumer security.”

The next requirement is that the service must operate without AusPost knowing any customer information, with no visibility between partner organisations. This is to ensure its service is as safe and secure as any in-house system.

Third, it must be ‘technology agnostic’ so that a partner organisation can choose for itself which type of authentication device will be issued to its customers.

Moskwa similarly advocates two-factor authentication but has reservations about a hosted solution. “Large enterprises such as banks have a vested interest in ensuring comprehensive identity management in relation to their clients and business partners. I believe they would be less than enthusiastic about moving to an outsourced shared service with respect to their clients,” says Moskwa.

“I can see merit in the provision of a multi-factor authentication shared service for those organisations which don’t have the infrastructure to support, maintain or acquire in-house multi-factor authentication.”

Paul Smith is the editor of MIS Australia.