Authenticating online transactions

The payment ecosystem is comfortable with how a cardholder is authenticated at the time of a retail (card-present) transaction, where fraud runs at about 1.5 basis points. In a retail transaction the cardholder is authenticated by the checkout clerk, and the payment session is authenticated by the payment server: two sets of checks over independent channels.

In online commerce, multi-factor authentication (MFA) is being used to reach a comparable level of assurance. The authentication factors used include:
  • What you have (the payment card) [weak as a factor unless a card reader is also involved]
  • What you have (the cellphone or hardware token registered with your card)
  • What you know (the PIN)
  • Biometrics (who you are): used by some, with the potential for wider use
  • One-time password (OTP) / transaction signature: typed in like a password, but generated by a device, so it is really evidence of what you have
Banks are deploying hardware in a variety of form factors to enable MFA for [more] secure online commerce. There is considerable debate about whether these investments are appropriate or being misdirected.

Unconnected chip-and-PIN readers are endorsed by the payments associations and are being deployed by European banks to generate one-time passwords (OTPs) for access to online banking sites. Their simplicity is what makes them secure: because the reader is not connected to the PC, malware on the PC cannot reach it. The cost is yet another device to carry around when you travel (or otherwise), which is not terribly convenient. And an OTP by itself still does not solve the adversary-in-the-middle (MITM) problem: an attacker who relays the session can forward the code the user has just typed and then submit a transaction of their own.
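To make the MITM point concrete, here is an added Python illustration (not from the original post, and not EMV CAP or any bank's actual protocol) of an unconnected reader's OTP in two modes: a plain "identify" code, which a relaying attacker can simply forward, and a "sign" code bound to the payee and amount the user keys into the reader, which no longer verifies once the attacker tampers with the transaction. The card key, the counter-with-window scheme, the truncation step and all names are assumptions made up for the example.

```python
# Added illustration, not the author's or any bank's code: an HMAC-based
# one-time password in "identify" mode (code depends only on the card key and
# a counter) versus "sign" mode (code also bound to the payee and amount the
# user keys into the reader). Key, counter scheme and window are constructed
# for the demo; this is not EMV CAP or any specific bank's protocol.
import hashlib
import hmac
import struct

DIGITS = 8
CARD_KEY = b"constructed-demo-card-key--not-a-real-key"  # assumed card/issuer shared key


def truncate(mac: bytes, digits: int = DIGITS) -> str:
    """RFC 4226 style dynamic truncation of an HMAC into a short decimal code."""
    off = mac[-1] & 0x0F
    code = ((mac[off] & 0x7F) << 24 | mac[off + 1] << 16
            | mac[off + 2] << 8 | mac[off + 3]) % 10 ** digits
    return f"{code:0{digits}d}"


def identify_otp(card_key: bytes, counter: int) -> str:
    """Identify mode: the code proves the card (and PIN-unlocked reader) was
    present, but says nothing about which transaction it authorises."""
    mac = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return truncate(mac)


def sign_otp(card_key: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Sign mode: the user keys payee and amount into the reader, so the code
    is bound to them. A MITM that alters either field holds a useless code."""
    msg = (struct.pack(">Q", counter) + payee.encode("utf-8") + b"\x00"
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return truncate(mac)


class Bank:
    """Issuer-side verifier with a small look-ahead window and replay rejection."""

    def __init__(self, card_key: bytes, window: int = 5):
        self.card_key = card_key
        self.counter = 0       # next expected reader counter
        self.window = window   # tolerate a few codes generated but never submitted

    def _accept(self, otp: str, expected) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(expected(c), otp):
                self.counter = c + 1   # a consumed counter can never be replayed
                return True
        return False

    def verify_login(self, otp: str) -> bool:
        return self._accept(otp, lambda c: identify_otp(self.card_key, c))

    def verify_payment(self, payee: str, amount_cents: int, otp: str) -> bool:
        return self._accept(otp, lambda c: sign_otp(self.card_key, c, payee, amount_cents))


def demo() -> dict:
    """Relay attack against both modes; returns what the bank accepted."""
    results = {}

    # Identify mode: the user logs in through a MITM proxy. The relayed code is
    # valid, so the session is authenticated and the MITM is free to submit
    # its own payee and amount on that session; the bank cannot tell.
    bank = Bank(CARD_KEY)
    login_code = identify_otp(CARD_KEY, 0)            # from the user's reader
    results["identify_mode_mitm_session"] = bank.verify_login(login_code)

    # Sign mode: the user keys the real payee and amount into the reader.
    bank = Bank(CARD_KEY)
    code = sign_otp(CARD_KEY, 0, "GB00 HONEST PAYEE", 50_00)
    # The MITM swaps in its own details but can only forward the user's code.
    results["sign_mode_mitm_payment"] = bank.verify_payment("GB00 ATTACKER", 5_000_00, code)
    # The genuine submission verifies and consumes counter 0 ...
    results["sign_mode_honest_payment"] = bank.verify_payment("GB00 HONEST PAYEE", 50_00, code)
    # ... so the same code cannot be replayed, even with the right details.
    results["sign_mode_replay"] = bank.verify_payment("GB00 HONEST PAYEE", 50_00, code)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The design point is that the unconnected reader only helps against a MITM when the user types the transaction details into it (and can see them on its own display), so that the code the attacker intercepts is worthless for any other transaction. The same binding idea applies to a TAN delivered over SMS: the message must quote the payee and amount, and the user must actually read them before typing the code in.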

Using SMS as an alternate delivery channel is another option; it saves the cost of deploying readers and the hassle of carrying them around. The cellphone receives the OTP or transaction number (TAN), which the user enters at the online site. For those who do not care for cellphones or SMS/text messages, an IVR (interactive voice response) variant of the same idea is also used.

Hardware tokens, either the unconnected kind or the USB kind, are also used, but without a PIN (what you know) in the loop they are not in the same class of security solution.

The emerging consensus, looking across the alternatives above, is that a hardware-based solution over an alternate channel should be used to generate or communicate the additional authentication factor. See related posts here and here.

There are varied opinions about the usability and security profile of these offerings, which raise the following questions: Are the current approaches to securing online transactions adequate? Are there fundamental lacunae we need to plug before we have a solid foundation on which to build the necessary security solution? What are your thoughts?

[10Aug09]: Interesting related post from Finextra (link)

