Nedbank is being reported in the US as having acquired Stellenbosch-based Entersect Technologies' two-factor authentication for online banking.
The publication American Banker interviewed Nedbank and reports: “Banks are increasingly using mobile devices as an added layer of security, but messages sent to a phone can be intercepted. A security method developed in South Africa may close that security hole.
“Some banks send text messages to phones with one-time use codes to verify a login at a new computer or to approve a risky transaction. The user then replies to the text or types the code in at a computer to verify the transaction. Entersect insists that this method is not fully secure because of its current implementation, which relies on text messaging and is not truly out of band.”
Being out of band means the text message cannot be intercepted by a third party.
“To address the problem, it developed a system that uses digital certificates and push notifications to add security without sacrificing the ease of use that text messages provide.”
"We're co-developing with them," John Bestbier, Nedbank's group executive for strategy, said in an interview at the FinovateFall Conference in New York, where Entersect was showcasing its groundbreaking ITA (Interactive Transaction Authentication) system technology.
“The initial plan was more focused on mobile than security, but in starting with mobile, the starting point is security,” Bestbier said. “What actually started off in a mobile journey for us ended up in a security journey.”
The end result, Bestbier said, is “better than chip and PIN”, a card security method used in many countries, and is “much more intelligent than a token”, the one-time-password keychain device many banks require for high-risk transactions.
Entersect offers an enterprise security platform which integrates with existing technology and allows the organisation to easily develop and deploy new applications such as secure mobile banking. Entersect ITA allows users to authenticate their transactions, thereby eliminating “man in the middle” and phishing attacks and ensuring non-repudiation for institutions.
Entersect's system, which is being sold in the US by Transecq of Alpharetta, Georgia, places a digital certificate on the user's phone on enrolment. To authenticate future transactions, the technology looks for this certificate. The user then may enter a PIN to approve or deny any transaction.
"We don't rely at all on the mobile phone's phone number for authentication," Christiaan Brand, Entersect's chief technical officer, said. "We rely completely on the actual digital certificate that we place on the phone."
Entersect's system addresses the risk of a message being intercepted by using end-to-end encryption. "Listening on the air ... [is] becoming more and more of a problem," particularly when someone working at the carrier is helping the scammers, Brand said.
Entersect has three bank clients in South Africa, including Nedbank, Brand said.
“A number of companies have attempted two-factor authentication, and made good progress without necessarily being able to commercialise their offering,” says Schalk Nolte, MD of Entersect. “We are pleased to have cracked the commercial code and been recognised in the US. We expect to reach the tipping point with this technology solution in months to come.”