Two-factor credit-card safety for online transactions
Protecting against credit-card fraud online
Security Strategies Alert
By M. E. Kabay, Network World, 02/21/2008
Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
My friend and colleague Jurgen Pabel was one of our first graduates from the Norwich University Master of Science in Information
Assurance. He is an active participant in our alumni discussion group and a frequent and welcome correspondent. Here, I present
his latest suggestions (entirely his with minor edits and additions).
* * *
Bank of America's SafePass program described in the Jan. 3 issue of this newsletter prompted the following proposition.
Just a few years ago every credit-card transaction was authenticated by two factors: the actual credit card (possession) and
either the correct PIN or a valid signature (knowledge / capability). The Internet broke this security scheme in that it was
no longer possible to verify the possession of the actual credit card.
Banks responded by adding the credit-card verification (CCV) numbers on the back of the cards, but if the card is stolen that
doesn’t help stop fraud either.
Adding a second factor to the login process for online banking portals is a good measure to reduce the risks of unauthorized
access through compromised credentials. The SafePass program introduces the customer's mobile phone as a second factor for
authentication to Bank of America's online banking portal.
However, millions of credit-card users still depend solely on the secrecy of their credit-card information to guard them against
online credit-card fraud. A new universal second factor would be useful, even though in most cases customers are liable only
up to a certain amount in case of provable fraud; someone has to pay the bill, and it isn't the banks: it's the people who pay
finance charges on late credit-card payments.
The problem with incorporating a second factor in online credit-card transaction processing is the backend process. Changing
the data formats would require millions of vendors to adapt to the new process, which would be so expensive that it is unlikely to be implemented.
An interesting idea to overcome this massive redesign problem would be to include authenticating information for the transaction
in the credit-card owner's name field.
Any bank issuing credit cards would be able to extend its transaction-authorizing process either to require the physical card
to be present (swiped) or to require a one-time code to be included in the owner's name field. These changes would not require
any modifications outside of the issuing bank's infrastructure. The authenticating information might be transmitted via text message
to the customer's mobile phone number, transforming the mobile phone into the second factor as in the SafePass program.
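The issuer-side authorization rule just described, as an added example (not code from the newsletter, from Pabel, or from any bank): the issuer strips a six-digit one-time code from the end of the cardholder-name field, checks the remaining name against the name on file, and accepts the code only once and only within an assumed five-minute window. The card number, name, code length and lifetime are constructed assumptions.

```python
import hmac
import re
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of a one-time code (not stated in the article)
# name field looks like "JANE DOE 123456": free-form name, whitespace, six digits at the end
CODE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<code>\d{6})$")


class IssuerAuthorizer:
    """Illustrative model of the issuing bank's authorization step for the proposal."""

    def __init__(self, cards):
        # card number -> cardholder name on file (constructed sample data)
        self.cards = {pan: " ".join(name.upper().split()) for pan, name in cards.items()}
        self.pending = {}  # card number -> (code, expiry timestamp)

    def issue_code(self, pan, now=None):
        """Create a fresh code for one transaction; the bank would deliver it by SMS."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[pan] = (code, now + CODE_TTL_SECONDS)
        return code

    def authorize(self, pan, name_field, card_present=False, now=None):
        """True only if the card was swiped or the name field carries a valid, unused code."""
        if pan not in self.cards:
            return False
        if card_present:
            return True  # possession verified at the terminal, no code needed
        m = CODE_RE.match(name_field.strip())
        if not m:
            return False  # card-not-present with no code supplied: decline
        entry = self.pending.pop(pan, None)  # single use: consumed even on a mismatch
        if entry is None:
            return False  # no outstanding code, or code already used (replay)
        code, expiry = entry
        now = time.time() if now is None else now
        if now > expiry:
            return False  # code expired
        name_ok = " ".join(m["name"].upper().split()) == self.cards[pan]
        code_ok = hmac.compare_digest(m["code"], code)  # constant-time comparison
        return name_ok and code_ok


if __name__ == "__main__":
    bank = IssuerAuthorizer({"4111111111111111": "Jane Doe"})  # constructed test card
    otp = bank.issue_code("4111111111111111")
    print(bank.authorize("4111111111111111", f"Jane Doe {otp}"))  # True
    print(bank.authorize("4111111111111111", f"Jane Doe {otp}"))  # False: replay
```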
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.
Comments (9)
RE: Two-factor credit-card safety for online transactions
By Bill Herdle on February 21, 2008, 11:10 am
I don't see any advantage to this proposal over the use of one-time credit card numbers for untrusted vendors and normal credit card numbers for trusted vendors....

Architecturally Unsound
By M Freeman on February 21, 2008, 11:48 am
From a data architecture perspective, this breaks one of the fundamental principles "thou shalt not re-use a data field for data that has another meaning". How...

Could Phone Factor Authentication fit?
By Peter Brockmann on February 21, 2008, 12:18 pm
I wrote about the use of mobile phones as the equivalent fob in my blog, which is exactly the goal of Positive Networks' PhoneFactor. It would seem to me that...

Innovative Card Technologies
By Anonymous on February 21, 2008, 1:19 pm
Innovative Card Technologies develops and markets a secure powered card for payment and identification. It looks and feels like a credit card, but has an embedded...

One thing
By elle fagan on February 21, 2008, 1:50 pm
Thank you for the important writing... a major issue for all of us.... One thing: you said "A new universal second factor would be useful," ....and I thought: probably...

One-time credit card numbers
By Juergen Pabel on February 22, 2008, 4:15 am
The concept of one-time credit card numbers is really interesting - I hadn't heard of this approach.