Strong authentication pays off at Advanced Payment Solutions

As financial services companies have wearied of the bothersome, and now relatively costly, task of handling cash, they have become enthusiastic supporters of the electronic economy. Advanced Payment Solutions (APS), an international pre-paid card provider, is a case in point. In September 2005, APS launched the UK’s first personalised, all-purpose, pre-paid chip-and-PIN MasterCard payment card, the cashplus.

But while money-handling businesses may appreciate the attractions of the ever-expanding e-economy, they – and their customers – still demand the familiar assurances of dealing in cold, hard cash. Recognising this, APS has rolled out a sophisticated and innovative security system, in order to give its users peace of mind.

The company primarily distributes its cards through a network of 600 retail clients, the majority of which are money service businesses such as cheque-cashing outlets and bureau exchanges. In order to facilitate both the process of issuing cards and the management of customers’ card accounts on an ongoing basis, these retailers are remotely connected to APS’s core IT infrastructure. At this point, the company’s authentication system comes into its own.

Protecting both the retailer and the card-user against online and in-store financial fraud is a critical part of APS’s service offering, explains Rich Wagner, co-founder and CEO of APS. “We want to make sure that the sales clerk at the point of sale and the retailer are the only parties that can enter information about and retrieve information for the customer. More importantly, we want to make sure that they are the only parties who are able to load money onto a customer’s account – a financial transaction that creates a huge liability if done incorrectly.”

The need for flexibility

Wagner has big plans for his company and needed a system that could scale rapidly, cope with evolving service models and allow APS to match its security controls to a range of risk profiles. With few providers able to fulfil this requirement, the company had little choice but to implement an innovative authentication system from UK security vendor TriCipher, which allows users to apply multiple authentication credentials.

Under its ‘authentication ladder’ model, TriCipher uses a multi-credential authentication methodology to match credentials to a transaction’s risk level. In the case of APS, TriCipher’s software sits between APS’s own website and its clients’ PCs. APS checks multiple credentials, including a password and special authentication tokens installed on its clients’ PCs. A third credential resides within TriCipher’s own ID Vault at its headquarters. In this model, there are two factors required to authenticate between APS and its client – the password and the PC itself – but three independent parts required in total to facilitate the transaction.

Because the PC acts as the second factor on the client-end, TriCipher is also able to perform a mutual authentication process, whereby the retailer’s PC authenticates to APS’s IT infrastructure and the latter in turn authenticates back to the retailer. This feature protects APS’s clients from phishing attacks, in which users are unknowingly diverted to a bogus site and encouraged to enter sensitive financial data. The TriCipher model also guards against so-called ‘man-in-the-middle’ attacks, an increasingly common phenomenon whereby a hacker intercepts the otherwise legitimate transactions between the user and service provider.

Blocking remote access

More importantly, in Wagner’s view, the TriCipher solution allows APS to digitally tie sales clerks to an individual PC. “So if that employee leaves and the retailer forgets to disable their login and password details, that employee, once out of the building, can’t go onto any other PC and get into the system remotely,” he explains. Failure to reset passwords that can be used remotely is one of the most common ways in which companies allow themselves to be compromised. High attrition within the retail sector makes TriCipher’s ability to protect against this phenomenon especially compelling for APS, as does the high risk of financial fraud within the money services industry.

Indeed, the unusual ability to lock down the authentication of an individual to a specific PC enables the convergence of digital and physical security in-store on an ongoing basis. This means that the identification of culprits using the TriCipher system is now a near forensic process, says Wagner.

“Money services businesses want a clear audit trail of the person servicing customers, the PC that they were on and the store that PC is in,” Wagner observes. “Most money services businesses also use CCTV. So, when an instance of fraud is detected, we can locate not only the store, but also the PC, date and time at which it occurred.”

Furthermore, if a PC is stolen, the thief in question will only gain one of three authentication credentials necessary to authenticate a fraudulent transaction.

As such, says Wagner, the system makes the business of issuing and managing cards securely “an extremely easy process for the retailer”.

Further reading

Nationwide moves to two-factor

Securing the future Central identity management systems are now a chief priority, but biometric technologies continue to disappoint

Biometric diversity Traditional biometric technologies such as fingerprint or iris recognition may not have gained universal acceptance. But alongside them are a host of innovations that use other unique human characteristics to confirm identity

Find more stories in the Security & Continuity Briefing Room

Related Topics