S'pore looking to improve online security

SINGAPORE--The Monetary Authority of Singapore (MAS) is exploring ways to enhance security for online purchases, according to an industry player, who adds that dynamic authentication will be a good step toward that direction.

Ingo Noka, Visa's Asia-Pacific head of data security and enterprise risk management, explained that dynamic authentication uses passwords that are generated every 10 seconds. This helps ensure passwords, even when stolen, will no longer be valid for use in online transactions after a time limit, Noka said in an interview with ZDNet Asia.

These passwords can be generated by a token or sent via SMS to the consumer, he added. The payment structure is similar to Internet banking transactions in Singapore, where local banks support dynamic passwords as part of the two-factor authentication process.

He said Visa is prepared to support this implementation, having spent efforts building an infrastructure it calls 3-D Secure (three domain secure), also known as Verified by Visa. Noka explained that this system will enable card-issuing banks to implement their own dynamic authentication without affecting the merchant's bank authorization process.

For the merchant, supporting the infrastructure would involve installing a plugin, he said. According to Visa, the plugin facilitates the delivery of authentication requests to an access control server, which then carries out the authentication policy as defined by the issuer bank.

Chipping at card security
The MAS is also exploring ways to beef up security for credit card payments and is closely looking at moving Singapore to chip-based cards, Noka said, adding that these offer better security than magnetic strips as data on chips is more difficult to clone.

He acknowledged that the deployment of chip cards have been touted for several years, but noted that it takes time for the necessary infrastructure to be rolled out, locally and globally, so payments can be supported regardless of where the consumers use the cards.

Asked what components are essential to safeguard against credit card fraud, he replied that it would take a combination of dynamic authentication for online transactions, chip cards to combat offline fraud and the deployment of Payment Card Industry (PCI) Data Security Standard (DSS).

Governed by the PCI Security Standards Council, the PCI DSS comprises a set of guidelines aimed at enhancing data security, combating fraud and eliminating security vulnerabilities for payments made by credit and debit cards.

Noka added that merchants also play an important role in keeping credit card payments secured. "There is no point in giving customers a chip card when no merchants are installing the terminals [to support such payments]," he said.

He noted that credit card fraud related to lost or stolen cards is currently "kept very well under control" via various security policies, including what Visa calls advanced authorization. This system checks a transaction against a set of parameters, gives a score to indicate the risk of the transaction and sends that data to the card issuer.

"The issuer can take this into account. They might let that one transaction go through depending on the amount, for example, or they can call the cardholder immediately to ensure it is a legal transaction. If the cardholder says, 'That's not me', the issuer can block every subsequent transaction," said Noka.

Asked if hand-written signatures should be replaced as a form of authorization for credit card payments, Noka said some customers remain "psychologically" attached to the signature. "They want to have the feeling [of assurance] that the transaction will only be charged to their card after they have signed on it," he said, adding that as such, signatures will likely remain a component of the authorization process.