Excitement at Just trade, the online investment and stock brokerage arm of Bajaj Capital, paints a contrast to the gloom and doom seen in the trading community. To counter the growing threat of hackers and phishers, the relatively new portal is now distributing digital security tokens, a time-synchronous solution that automatically changes the user's password every 60 seconds. The new security ring, according to its deputy CEO, Vinesh Menon, will instill confidence in online trading as "we are adding the kind of security you see in major corporates' and banks' IT networks."

Just trade is not alone. Most online trading portals are busy adding security layers to draw customers in a volatile market. While Reliance Capital's Reliance Money already offers similar security tokens, Indiabulls is also learnt to have given a nod to a similar solution. "Every top 10 online broking portal is evaluating a two-factor authentication solution and you will see many more investing in these, despite the current slowdown in the market," confirms Amuleek Bijral, country head of RSA Security.

As online trading starts spreading its wings (about 50 lakh online account holders exist in India and National Stock Exchange averages a turnover of Rs 10,000 crore), security concerns seem to be the biggest hurdle. "Return of investment on a security implementation is a foiled breach," explains Menon. The main concern is how effective the IT system is in validating that you really are who you say you are, before giving the rights or access to your account.

For starters, the first level is the user name, and a portal can then strengthen security by adding factors such as a password or a PIN. In two-factor authentication, devices or tokens are used. They can be hardware or software, and they generate a random-looking six-digit or eight-digit code that is time-synchronised with a server located either at the corporate headquarters or hosted somewhere on the internet. The user enters their user name, their PIN and the pass code into a computer. These are compared with the values on the server, where the user name, the PIN and those six digits must match exactly for access to be granted. If they don't, the authentication fails and access is denied. "For Rs 12 every month, you get two-factor authentication. This is a way to take something you know, add something you have, and improve the process of securing the people part of information-centric security. Passwords and PINs are generally something that people either make too simple so that someone can guess them. Or they make them too complicated in which case they write them down and compromise the security," says Vinesh Menon.
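The server-side check described above, as an added example that is not from the article or from any vendor: the token algorithm used by these portals is not described here, so the sketch substitutes the open RFC 6238 TOTP scheme with a 60-second step and six digits. The `AuthServer` class, the one-step clock-drift window and the rejection of an already-used code are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each code is valid, per the 60-second rotation in the article
DIGITS = 6   # six-digit passcode

def token_code(seed: bytes, unix_time: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 60-second step containing unix_time."""
    counter = int(unix_time) // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def pin_hash(pin: str, salt: bytes) -> bytes:
    # The server stores a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:                                # hypothetical name
    def __init__(self):
        self.users = {}                          # user name -> enrolment record

    def enroll(self, user, pin, seed, salt):
        self.users[user] = {"seed": seed, "salt": salt,
                            "pin": pin_hash(pin, salt), "last_step": -1}

    def login(self, user, pin, code, now, drift=1) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(pin_hash(pin, rec["salt"]), rec["pin"])
        current = int(now) // STEP
        # Accept neighbouring steps to tolerate token clock drift (assumption).
        for step in range(current - drift, current + drift + 1):
            if step <= rec["last_step"]:
                continue                         # code already used: no replay
            expected = token_code(rec["seed"], step * STEP).encode()
            if hmac.compare_digest(expected, str(code).encode()) and pin_ok:
                rec["last_step"] = step          # burn this time step
                return True
        return False

SEED = b"12345678901234567890"                   # RFC 4226 test secret, not a real seed
server = AuthServer()
server.enroll("trader1", "4821", SEED, b"constructed-salt")   # constructed sample user
```

Both the PIN and the code must be correct for the same attempt, and a code that has been accepted once is refused even inside its 60-second lifetime.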

These tokens or hardware devices, which generate a new password at a pre-decided frequency, are normally used to fortify IT networks by corporate bigwigs, banks and defence establishments. Companies like RSA Security expect about 10% of the employee base of large IT services companies (employee base over 5,000) and 15% of the employees of BPO firms to use these. Besides, telcos, banks and government organisations like ministry of finance and defence and utility firms are investing in these tokens.

Interestingly, these solutions can be implemented without the hardware devices, as the technology can be extended to a software-based approach. Portals like Just trade are also toying with the idea of generating passwords to authenticate traders online through their smartphones. Nevertheless, tokens seem to be popular simply because these can be a great branding vehicle. And these might not be restricted to login: some innovative brokerages could later use them to identify callers at the call centre. There will be no need to identify yourself then; one can simply give the dynamic number and the call centre will know who the caller is.

Adoption of dynamic passwords seems to have encouraged security experts to advocate adaptive security. Trading sites can start studying unique behavioural patterns to identify anomalies. For instance, if someone always trades in late evenings and suddenly an increased level of activity is seen in that account in the morning, or if the trader logs in from a different IP address, the portal could check through an alternate channel, like a pre-registered mobile phone number, to authenticate that the transaction is indeed genuine. "Behavioural patterns, device recognition and nature of transaction could be good indicators, but it is early days yet as the user base is small in India," argues Bijral. Many are also apprehensive that this could slow the speed of transactions, thus affecting traders. Clearly, brokerages need to play smart as they add security rings to draw more traders online.