Use of authentication in the banking sector

Whether accessing local or wide-area networks, wired or wireless, client-server or distributed, authentication of equipment, connected objects, services, applications and people is essential. Everything to do with private access, i.e. controlling the delivery of information and the provision of resources reserved for certain entities, requires authentication.

Conventional login and password authentication procedures are no longer sufficient. On local networks as on the Internet, communications espionage is the number one attack. By spying on communications, the user ID and password sent to the server, or the access codes used during a legitimate connection, can be recovered easily and virtually undetected. Nothing could be simpler for the attacker than to log in again, replaying the same values and pretending to be an authorized user. This is identity theft.

The second type of attack involves spying on, simulating, copying or stealing the user's authentication credentials. The third involves the recovery of user authentication elements (credentials) stored on the authentication server side. The fourth is social engineering, which aims to deceive the user's vigilance by cleverly getting them to voluntarily reveal their passwords, codes or secrets, or even to guess them. Indeed, users often choose weak passwords (short, simple, classic) or passwords that correspond to them (children's first names, birthdates, name of the dog in the house, name of the favorite artist or sportsman...) in order to remember them more easily. Finally, the fifth is the so-called "brute force" attack, which consists, for example, in systematically and automatically trying out all possible passwords or encryption keys until the right ones are found. As the passwords used are often short (less than 8 characters) and simple (letters and numbers), the brute force attack is sometimes very effective.

The stakes are all the higher because these threats to individuals, businesses, organizations, government agencies and their information systems are very real. They are also fraught with consequences in the event of a successful intrusion attack. Fraudulent intrusion into an information system through lack of user control or usurpation of an authorized user's identity can have serious consequences, commensurate with the access and action rights allocated to that user.

These generalities apply in full to today's banking IT, which is the foundation of banking services accessible anywhere, anytime, thanks to the power of the Internet. Since the financial stakes have always been among the highest, authentication is not a security function to be neglected. It clearly occupies a central place in today's banking security.

The recent...