Smart without the Card

Date: Saturday, March 31, 2007

In today’s fast-paced, time-crunched world, people everywhere have come to accept online shopping, banking, and communication as part of their daily lives. Convenience is king: today’s consumers access accounts, pay bills, download e-statements and transfer cash online from the comfort of their homes. This growing trend has brought with it a parallel rise in online fraud; rarely a day goes by without identity theft appearing in the news. What is surprising is that most people still use the weakest form of authentication, a username and password, to gain access to their accounts and conduct their online transactions. With the increase in phishing email and spyware written to capture user passwords, online providers have had to step up and provide stronger forms of authentication to assure that only the legitimate account holder gains access to his or her account. The problem: how do financial institutions provide identity assurance for millions of customers while continuing to offer a simple and convenient user experience?

Lending voice to this concern, 14 months ago the FFIEC (the Federal Financial Institutions Examination Council, the interagency body of US bank regulators) issued its guidance “Authentication in an Internet Banking Environment,” directing banks to adopt multi-factor authentication to secure online access to account information and transaction functionality. Although the agency did not spell out the exact method of implementation, it was understood that some form of authentication beyond username and password had to be in place by the end of 2006. Other US government agencies such as the SEC are also considering similar regulations.
With all that has happened over the past year, multi-factor authentication is becoming the industry “best practice”. A slew of companies already provide strong authentication in hardware: one-time-password (OTP) tokens (the user carries a hardware token that generates a one-time code, entered as a second factor at login), biometric solutions and smart cards. Nine-year-old, Sunnyvale-based Arcot Systems, however, has been challenging all of these hardware-based online authentication technologies with its software-based PKI authentication system. By providing PKI-based strong authentication entirely in software, Arcot gives banks and their customers the best of both worlds: identity assurance that is convenient and cost-effective. Arcot created a “software smart card” called the ArcotID that provides strong authentication and can also be used in other applications such as eStatement delivery and digital signing of electronic documents. “The beauty of the ArcotID is that it is ‘Smart without the Card’. It can be used in place of a smart card and is a single solution that fits many requirements,” says Ram Varadarajan, President and CEO.

In a nutshell, Arcot has a software version of the smart card or OTP token, with nothing tangible to carry: the software smart card is stored on the user’s computer in the form of a small file. “In lieu of the smart card that goes into a card reader or an OTP token that generates new passwords, we have created an encrypted file that is stored on your PC desktop,” says Varadarajan.

Varadarajan is not merely bragging; Arcot’s software smart card has the potential to change how strong authentication is deployed. But how can a ‘file’ be secure? Anyone who copies a file from a PC can attack it at leisure, and a key file that is simply encrypted under a PIN can be cracked offline by trying every PIN until one decrypts to something that looks right. Arcot protects the file with its patented cryptographic camouflage, the technology on which the company was founded in 1997. The idea behind cryptographic camouflage is that the private key is stored so that decrypting the file with any PIN, right or wrong, yields an equally plausible-looking key; a thief holding the file cannot tell offline which PIN is correct and has to try each guess against the bank’s server, which can lock the account after a few failures. “The Arcot technology is patented and proven,” says R. ‘Doc’ Vaidhyanathan, Vice President, Product Management, “more significantly, alternate solutions alone are not sustainable for the future needs of the enterprise.” He then lists three key reasons to support his claim.

First, tokens are expensive to produce and distribute on a large scale to millions of customers. Second, people lose things, and they will lose tokens too, which hurts feasibility for the customer bases of banks and merchants like eBay. Third is simply the number of tokens an individual can carry, given that he or she works for a company, has three bank accounts and buys and sells on a few online merchant portals. An ArcotID has none of these three disadvantages: it is cost-effective, hard to lose and easy to carry, since any number of ArcotID “files” fit on a single USB memory stick. Most importantly, Arcot has been in this business long enough to know how to keep performance and response time under a second while managing millions of users, with the same strength, functionality and usage as a smart card.

Even if the file is stolen, there is still a PIN (like the PIN on an ATM card; see pic 1, PIN Entry Pad) known only to the user, so the file alone does not open the account. Going a step further and presuming that both the file and the PIN were stolen, Arcot’s risk-based authentication software compares the place of login, IP address, operating system and other attributes with the user’s history, alerts the institution when someone accesses the account from a different place, operating system or IP address, and questions the user in multiple ways before it grants access. That is Arcot’s comprehensive, layered authentication solution, and the key to its position in the business.
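The two paragraphs above describe a key file that is worthless without its PIN and a thief who holds a copy of the file. The toy model below is an added illustration of the difference between a naively PIN-encrypted key file and a camouflaged one; it is not Arcot’s ArcotID format or code, and it assumes a raw 32-byte private key (so every 32-byte string is a plausible key), a four-digit PIN, and a single SHA-256 call in place of a slow password KDF. The server and its lockout threshold are likewise assumed, standing in for the bank’s verifier.

```python
"""Why a PIN-protected key file must be 'camouflaged' before it can live on a PC.

Added illustration, not Arcot's ArcotID format or code.  Assumed simplifications:
the private key is a raw 32-byte scalar (so any 32-byte string is a plausible
key), the PIN is four digits, and one SHA-256 call stands in for a proper slow
password KDF (a slow KDF raises the cost of each guess but not the argument).
"""
import hashlib
import hmac
import os
import secrets

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]  # every four-digit PIN
MAX_ONLINE_ATTEMPTS = 5                           # assumed server-side lockout threshold


def _keystream(pin: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + pin.encode()).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Naive wrapping: the file carries a check value so a wrong PIN is detectable locally.
def naive_wrap(priv: bytes, pin: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt,
            "ct": _xor(priv, _keystream(pin, salt)),
            "check": hashlib.sha256(b"check" + priv).digest()[:8]}


def naive_unwrap(blob: dict, pin: str):
    cand = _xor(blob["ct"], _keystream(pin, blob["salt"]))
    tag = hashlib.sha256(b"check" + cand).digest()[:8]
    return cand if hmac.compare_digest(tag, blob["check"]) else None


def naive_offline_attack(blob: dict):
    """Thief with only the stolen file: the check value confirms each guess."""
    for pin in PIN_SPACE:
        if naive_unwrap(blob, pin) is not None:
            return pin
    return None


# Camouflaged wrapping: no check value; every PIN decrypts to a plausible key.
def camo_wrap(priv: bytes, pin: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "ct": _xor(priv, _keystream(pin, salt))}


def camo_unwrap(blob: dict, pin: str) -> bytes:
    return _xor(blob["ct"], _keystream(pin, blob["salt"]))  # never 'fails'


def camo_offline_attack(blob: dict) -> set:
    """Same thief: the file gives nothing that singles out the right candidate."""
    return {camo_unwrap(blob, pin) for pin in PIN_SPACE}


class AuthServer:
    """Verifier side.  Holds the 'public' key (a hash stand-in here), which in a
    camouflage scheme is NOT published, so verification happens only online
    where the server can count failures and lock the account."""

    def __init__(self, priv: bytes):
        self._pub = hashlib.sha256(b"pub" + priv).digest()
        self.attempts = 0
        self.locked = False

    def verify(self, candidate: bytes) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        if self.attempts > MAX_ONLINE_ATTEMPTS:
            self.locked = True
            return False
        return hmac.compare_digest(hashlib.sha256(b"pub" + candidate).digest(), self._pub)


def online_attack(server: AuthServer, blob: dict):
    """Guess PINs against the server: the lockout ends it after a handful of tries."""
    for pin in PIN_SPACE:
        if server.verify(camo_unwrap(blob, pin)):
            return pin
        if server.locked:
            return None
    return None


def demo() -> dict:
    priv, pin = secrets.token_bytes(32), "7351"        # constructed sample key and PIN
    naive, camo = naive_wrap(priv, pin), camo_wrap(priv, pin)
    server = AuthServer(priv)
    candidates = camo_offline_attack(camo)
    return {"naive_offline_recovered_pin": naive_offline_attack(naive) == pin,
            "camo_offline_candidates": len(candidates),
            "camo_true_key_hidden_among_them": priv in candidates,
            "camo_online_recovered_pin": online_attack(server, camo),
            "server_locked": server.locked}


if __name__ == "__main__":
    print(demo())
```

The naive file is cracked offline in a single pass over the PIN space because its check value tells the attacker which guess is right. The camouflaged file decrypts to 10,000 candidate keys, the real one indistinguishable among them, so the only way to test a guess is against the server, which locks the account after a handful of failures. A real scheme has to work harder than this toy: structured keys such as RSA private keys must be stored so that a wrong PIN still yields a well-formed candidate, and the public key must stay with the verifier rather than being published, or it becomes the offline check value the design removed.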

Nine Years Ago
In hindsight, Arcot seems to have taken the right steps toward success. But the company history will tell you that not everything was bliss in the late 90s. Recollects Varadarajan: “The Internet then was used more for information dissemination and not for financial transactions; e-commerce was rarely used. People liked our technology but didn’t want to take the steps necessary to deploy it because internet fraud was under the radar.” The early breakthrough came in 2000, when Visa, the world’s most popular credit card company and later an investor in Arcot, asked Varadarajan and his team to design an authentication program for its fast-growing online card transactions.

Thus was born the 3-D Secure program, whose three domains (the merchant, the cardholder’s bank and Visa itself) form the core of any online card transaction, in conjunction with Arcot’s authentication software for banks and merchants. Without either side the system could not work. MasterCard and JCB soon adopted the program, but merchants were slow to follow. Recognizing the advantages merchants would gain from the software, and their lack of interest in running the technology themselves, Arcot took to hosting the service itself to win merchants over. “Until that point, we only sold our software off the shelf. We decided to create a hosted service for some reluctant customers as a part of business initiative,” says Varadarajan.

That was six years ago. Today 85 percent of the banks in the world support the 3-D Secure program and are adopting it. Some 11,000 banks, ranging from giants like Wells Fargo to smaller institutions like KeyPoint Credit Union, have adopted the banking software, and some 25,000 merchants have subscribed to Arcot’s services. For the first time, merchants could check the authenticity of an online shopper instantly with the customer’s own bank, relieving them of the burden and liability of a transaction the customer later disputes.

PKI: Killer Standard
If you thought Arcot’s cryptography was limited to authenticating online banking and card transactions, there is more. Today some high-tech enterprises use the ArcotID for employee access to their virtual private networks (VPNs). “Soon, the mortgage, insurance and many other industries will understand the importance of the software smart card and adopt it,” says Doc.

The software smart card is only one part of the technology, as should be clear by now; the foundation of Arcot’s business is still PKI. On that foundation Arcot is now pushing hard into electronic statement delivery for banks worldwide and into digital signing services.

“Banks are trying to convert customers from printed statements to electronic statements. Printing, postage and mailing are very expensive and not very secure. Privacy is at stake in a printed document,” says Varadarajan. Here the ArcotID provides additional functionality for banks. Mailing printed statements to residential addresses carries its own risks, since anyone who can get into a mailbox can learn the recipient’s financial status, so a different mode of delivery is urgently needed. At the same time, policies prevent a bank from emailing e-statements in the clear to public email addresses. “The ArcotID is specifically designed to solve this problem,” says Varadarajan. “Some current methods of encryption of e-statements are marred because fraudsters can decrypt them with off-the-shelf hacker programs that cost under $50. The ArcotID technology protects the eStatements using PKI technology in the same way that an identity is assured in strong authentication.” The story is much the same as for authentication: the statement is encrypted to the customer’s ArcotID key, and the ArcotID file and PIN are used together to decrypt it on the receiving end, leaving no room for interception along the way, while the bank saves on average $7 per customer annually. It is a win-win-win-win situation, says Doc, stressing “improved security, increased convenience, cost reduction and environmental preservation.”

Beyond eStatements, companies like Adobe are focused on digitizing the world’s content through PDF (Portable Document Format), and Arcot is adding digital signature capability to that effort. Where Adobe aims to convert paper documents into digital ones, Arcot’s digital signatures are meant to let paper-heavy industries do away with paper altogether. To put it in perspective, pharmaceutical companies must keep extensive records documenting the research and findings behind a new drug from the moment it is launched; while the paper could be scanned, the signed originals still had to be archived under carefully controlled conditions. “But our digital signatures,” says Varadarajan, “will now help companies to shred them all.”

Once again it is Arcot’s PKI technology that sets a digital signature apart from a merely electronic one (where you are asked to accept or reject a document with a submit button below). When a document is signed, a cryptographic hash of its entire contents is signed with the signer’s private key and the signature value is embedded in the document. “Remember, only those with the ArcotID ‘file’ (that includes the signing digital ID) and know the pin can sign the documents,” says Varadarajan. Because any change to the content changes the hash, tampering is evident even if only a single space was added or a font changed. The Arcot software also keeps an audit trail and can tell who signed the document, when, and from what location.
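As an added example of the property described above (not Arcot’s or Adobe’s code), the block below signs a document digest together with the signer’s identity and time, then shows that an extra space in the document, or an altered signer or timestamp, makes verification fail. It uses a Lamport one-time signature, which needs only the standard library, as a stand-in for the RSA or ECDSA key behind a PKI certificate; the document, signer name and timestamp are constructed sample data.

```python
"""Detached digital signature over a document, with the signer and time inside
the signed data so the audit record cannot be altered either.

Added example, not Arcot's or Adobe's code.  It uses a Lamport one-time
signature (hash-based, standard library only) in place of the RSA or ECDSA key
behind a PKI certificate; the property shown, that the signature binds the
exact bytes signed and any change invalidates it, is the same.  Caveat: a
Lamport key pair must sign exactly one message and is far larger than an RSA
key; it is chosen here only to keep the example dependency-free.
"""
import hashlib
import json
import secrets

N_BITS = 256  # one secret pair per bit of the SHA-256 digest


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random secrets; public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pub = [(_h(a), _h(b)) for a, b in priv]
    return priv, pub


def _signed_record(document: bytes, signer: str, signed_at: str) -> bytes:
    # What actually gets signed: the document digest plus who signed it and when.
    rec = {"doc_sha256": hashlib.sha256(document).hexdigest(),
           "signer": signer, "signed_at": signed_at}
    return json.dumps(rec, sort_keys=True).encode()


def _bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(priv, document: bytes, signer: str, signed_at: str) -> dict:
    bits = _bits(_h(_signed_record(document, signer, signed_at)))
    return {"signer": signer, "signed_at": signed_at,
            "sig": [priv[i][bits[i]] for i in range(N_BITS)]}  # reveal one secret per bit


def verify(pub, document: bytes, bundle: dict) -> bool:
    bits = _bits(_h(_signed_record(document, bundle["signer"], bundle["signed_at"])))
    return all(_h(bundle["sig"][i]) == pub[i][bits[i]] for i in range(N_BITS))


def demo() -> dict:
    priv, pub = keygen()
    doc = b"%PDF-1.7\nClinical study report, lot 42: no adverse events observed.\n"  # constructed
    bundle = sign(priv, doc, "alice@example.com", "2007-03-31T10:00:00Z")   # assumed identity
    return {"original_verifies": verify(pub, doc, bundle),
            "one_added_space_verifies": verify(pub, doc + b" ", bundle),
            "changed_signer_verifies": verify(pub, doc, {**bundle, "signer": "mallory@example.com"}),
            "changed_time_verifies": verify(pub, doc, {**bundle, "signed_at": "2007-04-01T10:00:00Z"})}


if __name__ == "__main__":
    print(demo())
```

The point to take from it is that the signature does not encrypt the document; it commits to the digest of the exact bytes (plus whatever signed attributes accompany them), and a verifier who holds only the public key can detect any later change. In a PKI deployment the public key arrives inside a certificate that names the signer, which is what lets the verifier attribute the signature to a person rather than to an anonymous key.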

A further advantage of digitally signed documents is portability. Each person is issued a unique certificate that is used to sign documents, and the keys are held on Arcot’s centralized server, which manages and keeps track of them (see pic 3). Arcot’s client software is embedded in Adobe Acrobat and Adobe Reader, where it authenticates the person signing and applies the digital signature associated with that person. As Adobe’s Director, Security Solutions & Strategy, John Landwehr, says, “Together, Adobe and Arcot now provide an exceptionally easy-to-use digital signature solution. The Roaming Digital ID allows Acrobat 8 and Adobe Reader 8 to be a complete digital signing solution for the desktop without the need for additional client configuration. Simply click, authenticate, and the document is signed.”

The pioneering work in digital signatures has paid off for Arcot, which has been working with SAFE (Signatures and Authentication for Everyone), a consortium of leading US pharmaceutical companies that have adopted a common framework of rules and regulations. As if to mark Arcot’s coming of age, AstraZeneca announced complete end-to-end electronic communication with the Food and Drug Administration (FDA), including digital signatures, supported by software from Arcot. The expectation is that other industries such as mortgage and insurance will follow.
Before leaving the technology, one quick look at Arcot’s recent strategic investors: Novell, Oracle Venture Fund, Raza Ventures and Adobe, to name a few. Their interest is plain: these companies believe Arcot’s technology will help their own businesses go further.

Arcot today is operationally breakeven. Varadarajan explains, “We have a profitable business model, but we have raised funds recently so we could continue to make investments in new technology areas.” The industry authentication landscape points to healthy growth for Arcot. And with the rise of social and professional networking services, secure authentication for access to personal data and transactions will only matter more.