
Introduction



Card fraud prevention


 Card Present fraud


Facts & figures:
Card fraud in the UK has been on the increase over the last decade (from £97.1 million in 1996 to £439.4 million in 2005).

Chip & PIN:
Chip and PIN has made it significantly more difficult for a fraudster to use a lost, stolen or counterfeit card in the UK, and as the rest of the world upgrades it will become increasingly difficult to use such cards abroad.

2007: one-year anniversary of PIN Day – the official changeover to chip and PIN in the UK. APACS, the UK payments association, has issued an update on the successful progress of chip and PIN. (www.apacs.uk)
Since the introduction of Chip & PIN, there has been a significant reduction in card fraud losses on face-to-face transactions in UK shops and businesses, down 38% to £135.9 million.


 Card Not Present fraud


Facts & figures:
A trend accompanying the development of electronic transactions is that of card-not-present (CNP) fraud. CNP has been the largest type of card fraud in the UK for the past three years (£212m losses in 2006). Internet CNP card fraud amounts to 64% of total CNP losses. The rate of increase in CNP fraud slowed last year for the first time since 2003.

However, online banking fraud in the UK increased from £23.2m in 2005 to £33.5m in 2006 (which is still relatively small when compared with plastic card fraud losses: £439.4m).

Remote Card authentication:
The next generation of fraud prevention solutions to help tackle fraud in non face-to-face transactions is remote card authentication devices. They build on the security benefits of Chip & PIN through the use of a token-based authentication system (something you have – your card – and something you know – password or PIN).
A range of 'remote card authentication' (RCA) devices that generate one-time passwords (OTP) is currently available.


Remote Card Authentication: definition




Remote Card Authentication is the next generation of fraud prevention solutions to help tackle fraud in non face-to-face transactions.

It involves a device, not connected to the PC, that enables the user to authenticate himself or herself securely through the generation of a one-time password (OTP).

Pocket-sized EMV-compliant smart card readers incorporating a challenge/response capability appear to offer the most promising long-term answer to online authentication problems. APACS expects between 1 and 1.5 million cardholders in the UK to be issued with readers for e-banking in 2007.


Remote Card Authentication to secure online banking




Historically, banks have relied on the use of static passwords to enable remote access to banking applications. However, highly sophisticated fraudulent techniques are fast rendering this one-factor authentication system obsolete. Statistics released by APACS in March 2007 reveal that online banking fraud in the UK increased from £23.2m in 2005 to £33.5m in 2006. These losses are being compounded by increasing customer reluctance to use online financial services which they deem to be insecure.
 
One particularly ubiquitous security issue has been the emergence of phishing as the foremost weapon in the criminals’ arsenal. In very basic terms, phishing involves a fraudster masquerading as a financial institution in order to steal a customer’s account information. More recently, criminals have been using increasingly sophisticated spyware, including trojan horses, key logging and screen scraper programs, which capture screenshots to obtain end-user credentials.
 
To bolster customer confidence, banks and other financial institutions have begun to upgrade their current password-based authentication solutions to stronger, two-factor authentication.

As opposed to single-factor authentication, which requires just one piece of information (usually knowledge of a password), two-factor authentication requires two factors, for example 'something you know' (PIN code) and 'something you have' (your bank card).
A common example of a strong authentication solution is an EMV banking card (the card itself is the physical ‘something you have’ item) used with the secret PIN code (the ‘something you know’).

Entering the PIN code on a remote card authentication device that is not connected to the PC leaves little room for online fraud.



2007 EMV migration in Europe (Source MasterCard)


The EMV factor
A key driver behind the implementation of RCA solutions is the migration towards EMV payment cards.

EMV is a standard for smart banking cards and point-of-sale terminals for authenticating credit and debit card payments.
As the January 2005 deadline for EMV migration in Europe and the January 2006 compliance deadline for regions including the Middle East, Africa and Asia/Pacific have now passed, banks are recognising the considerable leverage on investment of deploying solutions that rely on EMV.
 

Major players in the retail banking sector are already putting research and development into strong authentication solutions. MasterCard, together with a major UK bank, recently conducted a pilot of portable EMV card readers as a means to authenticate customers who access banking services online. In addition, APACS has indicated that it began work in May 2005 to establish a UK standard for physical online transaction authentication.

The remote card authentication standard for the UK scheme (based on the MasterCard Chip Authentication Program (CAP) specifications) is now defined and will be deployed during the first half of 2007. In the UK, major banks have already started to announce their plans for rolling out this new system to their e-banking customers; more are expected to be announced in the short to medium term. However, the banks that make the most of their investment in the latest authentication technology will be those that use it to provide additional customer services and business opportunities, as well as to enhance security and improve customer confidence.

Europe is ahead of other regions in this respect, with forecasts from MasterCard predicting the percentage of EMV-enabled cards in Europe at 67% by 2007. The banking and financial services industry is starting to wake up to the need for greater security for online transactions. With Gartner warning that static passwords will become obsolete in two years, the industry is moving towards widespread implementation of two-factor authentication. In the US, federal regulators went as far as to state that banks must have two-factor authentication on their websites by the end of 2006.



Remote Card Authentication and Faster Payments



APACS set up an implementation group which has been developing the specification for Faster Payments in response to the Office of Fair Trading (OFT) Payments Systems Task Force.

The new service will significantly increase the speed of credit transfer from one account to another – providing a platform capable of delivering payment processing in near ‘real-time’, vastly reducing traditional clearing cycles of days.

As UK Faster Payments is clearly going ahead (end of 2007), banking institutions must focus on their payment business organization and infrastructure, as well as related issues such as increased security.

Strong authentication solutions based on EMV-CAP smart card readers provide a secure environment for credit transfers or any kind of remote banking transaction, at the initialisation stage (i.e. when the user validates the transaction order).


© XIRING