In late 2006 the Italian bank IntesaSanpaolo saw an increase in fraud in on-line, mobile and telephone banking. The existing security of user id and password was easy to use but also easy to abuse. A more secure system was needed before fraud became a major issue which would cause distress to their customers, cost to the bank and damage to the reputation of the bank.
The current id and password system was usable and accessible for most users. The only downside was that the passwords were unique to each channel and product, so a user needed to remember a set of different passwords or manage them carefully.
A study was carried out into the various technologies available. The selection criteria included enhanced security and high customer acceptance. It had to be easy to use and it had to be usable by any customer with a disability without requiring any external assistance.
One Time Password (OTP) was chosen as the best technology. The user has a small device, like a fob, that generates a password when requested. The password is unique to the specific device and the time of the request, and it is valid for a single log-on process. This means that a password discovered by anyone else cannot be used later to access the account.
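The properties described above (a code tied to one device and one moment, accepted for a single log-on) can be seen in a short server-side check. This is an added example, not part of the original article and not Vasco's Digipass algorithm: it uses the open RFC 6238 time-based OTP scheme as a stand-in, and the 30-second step, one-step drift window, class name and fob ids are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code window (assumed value)
DIGITS = 6   # code length (assumed value)

def otp(secret: bytes, counter: int) -> str:
    """RFC 4226 truncation of HMAC-SHA1 over the time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class OtpVerifier:
    """Server side: one secret per fob, each time step accepted at most once."""

    def __init__(self, device_secrets: dict, drift: int = 1):
        self.device_secrets = device_secrets
        self.drift = drift       # clock skew tolerated, in steps
        self.last_used = {}      # device id -> newest step already consumed

    def verify(self, device_id: str, code: str, now: float) -> bool:
        secret = self.device_secrets.get(device_id)
        if secret is None:
            return False
        current = int(now) // STEP
        for step in range(current - self.drift, current + self.drift + 1):
            if step <= self.last_used.get(device_id, -1):
                continue         # this step or a later one was already used
            if hmac.compare_digest(otp(secret, step), code):
                self.last_used[device_id] = step
                return True
        return False

if __name__ == "__main__":
    # Constructed sample data: the first secret is the RFC 4226 test key.
    bank = OtpVerifier({"fob-A": b"12345678901234567890",
                        "fob-B": b"constructed-secret-B"})
    code = otp(b"12345678901234567890", 59 // STEP)
    print(bank.verify("fob-A", code, now=59))    # first log-on
    print(bank.verify("fob-A", code, now=59))    # same code replayed
    print(bank.verify("fob-B", code, now=59))    # code from another fob
    print(bank.verify("fob-A", code, now=179))   # window long expired
```

Recording the newest consumed step per device is what makes the code single-use: without `last_used`, the same code would keep working until its time window closed.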
The usability is high because the customer no longer has to remember, or store, the password and the single device can be used for generating passwords for multiple accounts accessed via multiple channels.
Vasco was chosen as the supplier of the technology which includes the fobs and the software on the central servers. An important part of that decision was that Vasco could provide fobs that are accessible to customers who are blind or vision impaired. IntesaSanpaolo chose the Vasco Digipass GO6 as the standard fob and the Digipass 300 CV for customers with vision impairments.
The Digipass 300 CV has a larger screen so the OTP is easier to read and it also generates speech to guide the user and vocalise the OTP. The speech is available via an in-built speaker or through headphones for added privacy.
The feedback from the users has been very positive with improvement in the perception of convenience and security. This included the hundreds of Digipass 300 CV users where the ease of use and the single device were particularly appreciated.
There are a small number of tetraplegic customers who cannot use either of these devices as they can only use voice activated or single switch devices. There are also a number of deaf-blind users who require Braille output. IntesaSanpaolo is in the process of implementing a Vasco solution that will securely generate an OTP on a PC that can be operated independently by this group of customers.
The moral of this story is that the introduction of new technology may disenfranchise existing users, in particular those with a disability. If this happens solutions must be found before the technology is rolled out.
IntesaSanpaolo and Vasco must be complimented on the care they have taken with the delivery of the improvements required to enhance security. The customers have not been inconvenienced, and the bank has reduced the level of fraud and enhanced its reputation by fulfilling its corporate social responsibilities (CSR) to its disabled users.