Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Online Banking Review

Stephen writes a regular column on net banking security and technology for this award-winning magazine.

Lockstep gratefully acknowledges the permission of Online Banking Review to reproduce these past columns here.

See also a few recent columns online:

OBR Lockstep 2009/06 Give PCI the bullet

PCI compliance will reduce accidental breaches and fend off amateur attacks. But PCI can do little to thwart inside jobs or organised crime. The rewards to be gained from credit card fraud are now so enormous that no amount of security policy or conformance audit can defeat cyber criminals. So the PCI security regime was always going to be a losing battle: an expensive endless loop of collecting ever more personal data to verify identity, and then needing to safeguard it all against theft. It's like putting out fire with gasoline.

PDF, 184Kb
OBR Lockstep 2009/04 Biometric Banking

Almost all biometric testing is based on the "Zero Effort Impostor" assumption, and looks only at accidental false matches. That is, the testing assumes that no impostor has made a special effort to fool the system. The FBI warns that lab results do not reflect resistance to deliberate attack. In other words, the stated performance specifications of biometrics solutions don’t tell us how they stand up to criminal attack.

PDF, 387Kb
OBR Lockstep 2008/12 Cartes conversations

The 23rd annual Cartes smartcard exhibit and conference was held over November 4th to 6th at the vast Paris-Nord Villepinte exhibition centre. It was quite a party atmosphere - and I don't just mean the French exhibitors' fondness for a bottle of red at lunchtime! Even in the midst of an economic implosion that might have put a dampener on proceedings, I found the event to be an exuberant celebration of smart technologies.

PDF, 365Kb
OBR Lockstep 2009/02 Rich Man's Virtual World

The advent of virtual currencies has been little more than a curiosity in the minds of many. But recently European security experts reported that the real-money trade in virtual objects - that is, make-believe stuff owned by make-believe characters - is well in excess of US$2 billion p.a. So now at least two of the leading online gaming sites offer two-factor authentication.

PDF, 193Kb
OBR Lockstep 2008/04 Cardless criminals

Lockstep has developed a new way to present credit card numbers online, leveraging EMV cards. By simply taking proper care to safeguard credit card numbers and enable merchants to verify that numbers presented online are genuine, we can restore full confidence in CNP transactions. Smartcards are now well known in the POS setting; it is high time we turned to them as the best available weapon against CNP fraud and ID theft in general.

PDF, 236Kb
OBR Lockstep 2008/10 Many hands make security work

If one thinks about online security for a minute, all sorts of parallels emerge with other fields. A favourite comparison of mine is with road safety. Like road safety, effective online security must involve a blend of user education, standards, processes, and technological innovation. In my view, online safety is poorly served by an obsession with user education.

PDF, 224Kb
OBR Lockstep 2008/06 Speaking of bank details

Voice authentication is one of the more interesting biometrics and probably the only technique in the class that so far makes sense for retail banking. Occasionally we hear of iris, fingerprint or face recognition being proposed for ATMs but they remain too problematic ...

PDF, 241Kb
OBR Lockstep 2008/02 SMS on borrowed time

SMS was not designed to act as a second authentication factor, and it raises some serious issues. There is no guarantee in the SMS standard that any message will ever arrive. When a banking confirmation code is lost, the inconvenience could be substantial. Moreover, help desks will have to find new ways to authenticate upset customers without creating security gaps. Above all, customers will need to read each SMS carefully, but we know that a substantial segment of the market is vulnerable to phishing simply because they don't pay adequate attention. SMS authentication is probably going to leave this segment vulnerable to frauds that exploit their credulity or naivety.

PDF, 232Kb
OBR Lockstep 2007/12 Me Myself I

We may be in the midst of a true paradigm shift, to a new worldview based on a plurality of identities. I suggest we've been saddled for years with the tacit assumption that deep down we each have one 'true' identity, and that the way to resolve rights and responsibilities is to render that identity as unique. This "singular identity" paradigm has had an unhelpful influence on smartcards, PKI, biometrics, and federated identity management.

PDF, 276Kb
OBR Lockstep 2006/12 Banking on the Access Card

The Federal government's Access Card is really taking shape. Major tenders are expected within weeks for the provision of over 16 million smartcards, associated new enrolment services, kiosks, and backend systems. And greater clarity is emerging around the government’s vision, through several recent keynote speeches by Human Services Minister Joe Hockey.

PDF, 293Kb
OBR Lockstep 2007/08 Smarter than your average card

Awareness of the limitations of conventional two-factor authentication continues to build. ABN Amro's time-based One Time Password (OTP) tokens are the latest in a long line to be attacked. Moreover, other industry analysts are voicing the same general conclusion that I've discussed previously in Online Banking Review: combating Man-in-the-Middle attacks will take an active authentication technology, like smartcards.

PDF, 260Kb
OBR Lockstep 2007/10 Momentum for mobile

At the Banktech conference in July, Westpac CIO for Consumer Financial Services, Patrick Eltridge, confirmed the bank envisages Wireless PKI as a “game changing technology”. WPKI looks like being central to the rapid expansion of mobile banking into full blown financial services. So is WPKI just another spin on this controversial technology? Or will it reinvigorate PKI to deliver its full potential after all?

PDF, 225Kb
OBR Lockstep 2007/02 Access all areas

The rapid development of a new Health & Welfare Access Card has continued to accelerate through the new year period. As discussed in recent editions of Online Banking Review, this federally funded program of the Department of Human Services promises to issue in excess of 16 million multi-function smartcards starting in 2008. Major tenders have been called for the issuance and management of the cards, and for the systems integration of complex backend systems. And an exposure draft of the associated Access Card legislation was released in December for public comment.

PDF, 253Kb
OBR Lockstep 2007/04 Layer upon layer

This column looks at the multi-layered security of card systems, and shows that smartcard platforms, by virtue of their intelligence and programmability, offer many more options for staying ahead in the cyber-crime arms race.

PDF, 251Kb
OBR Lockstep 2007/06 Smartcard ROI

Barclays in the UK has announced it will deploy half a million special purpose smartcard readers, with which their EMV cards will be transformed into personal security tokens for Internet banking. This is an important development, showing how institutions can improve their smartcard ROI and create useful upgrade paths along which their customers’ experience can steadily improve. It is one of the first strong signs of convergence of banking products onto a uniform, user-friendly electronic key.

PDF, 256Kb
OBR Lockstep 2006/10 Smartcards and privacy

If we take a shared infrastructure view of smartcards, then a number of critical projects could usefully be merged. For example, the impending health and welfare smartcards and smart drivers' licences could be made available as secure carriers for other agencies' identifiers, enabling true anonymity in government service delivery.

PDF, 278Kb
OBR Lockstep 2006/08 Spreading cost of smartcards

If banks can take an all-of-business approach to smartcards, engaging their Internet banking, privacy, compliance and security functions with the cards groups, then they will see a stronger ROI.

PDF, 283Kb
OBR Lockstep 2006/06 Authentication shakeout

It may seem politically incorrect, but it's worth asking, do consumers really need a choice of security technologies? Consumers can choose between banks and between banking products, but they are not offered options when it comes to the design of vaults or ATM networks or plastic cards. The time is right for the banking industry to take the lead and standardise authentication.

PDF, 240Kb
OBR Lockstep 2005/12 Federated ID

One of the more prevalent topics in e-business and security circles is 'federation'. Yet a clear head is needed when evaluating federated identity. Buzzwords are flying around, and some applications of this new technology may complicate the way banks deal with their customers.

PDF, 330Kb
OBR Lockstep 2006/02 Biometrics

Biometrics appear profoundly simple in operation, but the associated science, engineering and product design are still in their infancy. It is tempting to think that using an ATM of the near future will be as simple as staring into a camera lens to activate one's account, but if we take a close look at this technology, it's not as simple as it first appears.

PDF, 368Kb
OBR Lockstep 2006/04 PKI on the cards

The unique value of PKI in securing paperless transactions is now widely acknowledged. The early rosy vision of a single, all-purpose identity infrastructure has given way to a more sophisticated landscape of multiple PKIs, used not for identity per se, but rather for more complex relationships, affiliations, credentials and so on. In this issue, we are going to show how PKI implemented with smartcards is emerging as a critical infrastructure.

PDF, 346Kb
OBR Lockstep 2005/10 Online Fix to Identity Crisis

Electronic identity verification is just around the corner, but are Australian financial institutions ready for the technical challenges it poses? Banks relying on purely electronic proof of identity will need to know the data isn't stolen, while customers planning to submit identity data to institutions online will need to know the websites are not fake. Strong mutual authentication is the key to fully electronic verification.

PDF, 417Kb
OBR Lockstep 2005/08 Security and Privacy

Work needs to be done on bridging the worrying knowledge gap between most privacy specialists and most technology specialists.

PDF, 409Kb
OBR Lockstep 2005/06 The Chips are Falling into Place

Credit card skimming and competitive pressures are the two main factors forcing Asian banks to adopt EMV-compliant smartcards.

PDF, 468Kb
OBR Lockstep 2005/04 Understanding Man-In-The-Middle

Two-factor authentication could soon be obsolete thanks to a new generation of security attacks.

PDF, 283Kb
OBR Lockstep 2005/02 Second class citizens

An unfortunate side-effect of user-pays security could be the creation of two classes of Internet banking customer. This column charts the meteoric rise of two-factor authentication but urges caution in light of the weaknesses of most solutions available today.

PDF, 258Kb
OBR Lockstep 2004/12 Chip and PIN

The UK has implemented a large-scale rollout of smartcards. The unit cost of smartcards is falling rapidly as hundreds of millions of cards roll off production lines. Built-in smartcard readers in laptops and other PCs will help the new technology gather pace.

PDF, 162Kb
OBR Lockstep 2004/10 Smartcard comparison

A brief overview of authentication technologies, comparing and contrasting all major options, and showing that smartcards offer unique protection against website fraud.

PDF, 168Kb
OBR Lockstep 2004/06 Id Theft IS a techno issue

It's time to move beyond the bumper sticker slogan that 'security is not a technology issue'. In the war on identity theft, education, legal and regulatory weapons have reached their limit.

PDF, 169Kb
OBR Lockstep 2004/04 Privacy and IT

Research is starting to show that few IT departments have come to grips with the full meaning of privacy regulations. Most IT managers fail to appreciate the potential ramifications of privacy for database design, architecture, web design processes and audit.

PDF, 154Kb
OBR Lockstep 2004/02 Biometric cautions

How often is a serious new technology introduced with the aid of a Tom Cruise film clip? Welcome to biometrics, the glamorous end of the security market, where 'Minority Report' has almost achieved case study status. But beneath the hype are some more pragmatic issues for the application of biometrics in day-to-day banking.

PDF, 171Kb