Pass The Security Please

A financial clearinghouse needed a way to make log-ons secure. How about a disappearing password?

In 1865, Chicagos largest banks founded the Chicago Clearing House Association (CCHA) to facilitate the clearing of checks between member and affiliated banks. In theory, its a fairly straightforward process. At the end of any business day, Bank A has accepted $X worth of checks drawn on accounts at Bank B, and Bank B has accepted $Y worth of Bank As checks. One bank ends up owing the other money. The amount due is sent to the creditors Federal Reserve bank account.

The CCHA clears $2.5 billion worth of checks daily among its eight member banks and more than 400 affiliated banks throughout the Midwest. Inevitably, mistakes are made and disagreements arise. Then, employees at both banks and the CCHA scurry about looking for old records, retabulating check totals, etc. Meanwhile, one bank has less money than it should—and bankers, we know, dont like to wait for their money.

Since its founding, all of the CCHAs transactions were conducted via paper documents called "cash letter adjustments." Obviously, the Internet could lend a hand here, saving tons of paper, shoe leather and time.

CCHA turned to consulting/integration specialist Rhema Associates for a Web-based settlement system, eventually dubbed EDIBANX. Creating an online check clearinghouse was not a problem for Rhema. But overcoming conservative bankers concerns about the security of Internet-based systems was a challenge.

Strong Security Was Essential "Security was vital for two reasons," says Ken Hughes, marketing manager for Vasco Data Security Inc. "First, the cash settlements method hadnt changed since the days of the pony express. Paul OToole [CCHAs VP of member relations] had to change ancient ways of behavior. Second, the CCHA has a reputation to protect, and to expand membership they had to offer solid security assurances."

Ameritech, one of the two ISPs chosen to provide redundant hosting services to EDIBANX, offered a managed security service. But that wasnt enough for the CCHA or its customers.

"One problem was static passwords," says Hughes. A static password might end up on a Post-It Note stuck to some workers terminal, or someone might forget to change the password after an employee left a bank or the CCHA.

"We wanted a non-reusable [password] that was generated for one-time use with every user session," says CCHAs OToole. A "moving target" would give crackers more of a challenge than a password that rarely or never changed. Fortunately, he already knew about Vasco and its Digipass solution.

This Lock Fits Any Door CCHAs security solution uses Vascos Digipass 300 hardware token—a device about half the size of a pager with a numeric keypad—and its companion server-side software library, the Digipass Controller.

Written in C, the Controller library enables easy integration of Digipass technology into other applications through the use of API calls. "Rhema just added Digipass Controller into EDIBANXs general user management module," says Hughes. Adding the Controller to an application "should take about half a day," he adds.

Once installed, the Digipass Controller is loaded with a set of "secrets"—binary strings that are destined to become the unique identifiers of the Digipass 300 tokens.

Before a token is sent to a user, the Controller installs a "secret" on the token. The "secret" is encrypted using DES, 3DES or Vascos proprietary encryption algorithm. The Controller keeps track of which user ID received which "secret."

Time Waits for No User When a user wants access to EDIBANX, he or she goes through the usual userid/password routine. Then EDIBANX requests a Digipass password. To get a password, the user must enter a self-chosen PIN into the Digipass token. The token generates a one-time password and displays it on the tokens LCD screen. The user then enters the password via the keyboard.

Time is the variable that generates unique passwords from the Digipass algorithm and its "secret." The Controller compares the password sent by the user to a set of passwords that could have been generated during a narrow window of time—to allow for variations between the servers clock and the Digipass tokens clock. If the submitted password is among the valid passwords in this "time window," the user is authenticated.

The Controller also maintains a cache of passwords it has received, to ensure that no password is used twice. Furthermore, each user is limited to a fixed number of unsuccessful password attempts per session, before being locked out of the system. The Controller also allows a system administrator to issue a temporary "unlock" password over the phone if a legitimate user loses his or her PIN.

The Controller can manage digital signatures, authenticating a messages origin and ensuring that the message has not been altered en route. That feature is especially handy in interbank transactions.

Since EDIBANX launched in June 2000, more than 100 banks have signed up. Users report substantial reductions in data entry, paperwork, staff time devoted to research and report preparation, and communication costs for fax, phone calls and postage.

Partnering With Vasco Vasco partners with independent software developers, systems integrators and security specialists. It sells direct to banks but relies on partners in other markets, such as extranets, VPNs, B2B exchanges ASPs and so forth.

"Basically, we fit into any application where money moves," says Hughes. In most partnerships, Digipass does the selling of its solution while the partner does the work of integrating Vasco products into his own application. Vasco also provides end-user training and supplies additional Digipass tokens to customers.

Vasco makes several Digipass hardware devices for remote-access and physical-access control applications. The company has even branched into software, recently introducing a PC-based software version of the Digipass token.

SnareWorks is Vascos enterprise security and applications access manage-ment suite that provides single sign-on, self-registration of authenticated users, and centralized policy and permissions management.

Demand for strong authentication is booming, as indicated by Vascos 42 percent revenue leap in the last quarter of 2000.

The companys solutions are easily integrated into existing and new applications. They provide strong technical and perceived security comfort, and an ongoing revenue stream from additional user tokens. This is definitely a partnership worth exploring.