
IMB 377

SREELATA JONNALAGEDDA

RED FORCE LABS: SECURING ONLINE TRANSACTIONS, AT WHAT PRICE?
The Federal Financial Institution Examination Council in the United States released a statement that made it clear that the existing security systems were inadequate in securing financial transactions online. i With this recognition, new guidelines were issued that would need to be adhered to, starting January 2012. With the new mandate on authentication assessment, Yash believed that it would not be too long before the rest of the banking world, including India, would have to step up its security measures. Similar measures were stepped up in Europe as well as Singapore. Banks and financial institutions that continue with their existing systems, ignoring the increasingly sophisticated online frauds, do so at their own peril, Yash insists. He was never more optimistic about the prospects for his product, the RFL DigitaID, a security device that he co-developed for the secure banking space.
Nobody understood better than Yash the value that Red Force Labs (RFL) had created in the space of cyber security. Although the scope for RFL's products spanned enterprise security, online retail, etc., RFL's founding team had taken a call to focus on the banking sector, envisioning it as a commercially viable space. Even within the banking sector, given the initial costs that RFL would have to incur for the manufacturing set-up, it made greater sense to focus on corporate clients whose transaction value was higher.
Yash's intimate knowledge of the online security space, as well as his experience as a hacker, had earned him the support of the Department of Information Technology, Government of India. He knew, however, that this knowledge alone would do little for his company unless it was translated into an actionable plan to communicate and appropriate the value that had been created at RFL. RFL's ability to leverage its technology and market its product for the authentication of online transactions would of course hinge upon its ability to find partners who would help roll out its technology into a commercially successful product. Pricing, he knew from a few of his interactions with potential customers in the past, was a quibbling point for all. RFL would certainly need to set prices intelligently, but the underlying challenge remained: getting customers to see beyond the price.

BACKGROUND: RED FORCE LABS


RFL was a cyber-security start-up in strong authentication and secure transaction solutions, specializing in securing online accounts, identities, and transactions. In addition to the financial sector, RFL's technology offered security systems for sensitive information and transactions in the enterprise security, e-commerce, and e-government industries. Co-founded by Yash in 2009, RFL was incubated at the N S Raghavan Centre of Entrepreneurship and Learning (NSRCEL) at IIM Bangalore, and funded by the Department of Information Technology (DIT), India. Yash was the Chief Technology Officer at RFL in 2012. Yash first started off as a hacker at the age of 19, prior to working for Proland, an anti-virus company, where he debugged many viruses, including the first Windows virus. It was here that he learnt about the various kinds of viruses and malware and their attacks, which in the long run helped him develop the RSA token for RFL. His experience provided him with the capability to involve himself at any stage of the product development life cycle, design robust products, brainstorm ideas, develop prototypes, troubleshoot errors, and increase cyber security awareness.2
RFL was one among the very few India-based online data security companies and a new entrant into the market, waiting to launch itself with the sale of its first product. RFL estimated that Rs. 5 million (US$1 = Rs. 52 in 2012) would be needed to set up a manufacturing facility to produce the security devices, with the variable cost for each device projected to be around Rs. 1,300. The implementation and service costs were projected to be around Rs. 1.35 million and Rs. 0.3 million/year, respectively.

Professor Sreelata Jonnalagedda prepared this case for class discussion. This case is not intended to serve as an endorsement, source of primary
data, or to show effective or inefficient handling of decision or business processes.
Copyright 2012 by the Indian Institute of Management Bangalore. No part of the publication may be reproduced or transmitted in any form or
by any means electronic, mechanical, photocopying, recording, or otherwise (including internet) without the permission of Indian Institute of
Management Bangalore.
This document is authorized for educator review use only by Carlos Azabache, Universidad Peruana de Ciencias Aplicadas (UPC) until May 2017. Copying or posting is an infringement of
copyright. Permissions@hbsp.harvard.edu or 617.783.7860


RISE OF ONLINE BANKING


The concept of online banking dates back to the early 1980s, when it was first envisioned and experimented with.
However, it was only on October 6, 1995 that the Presidential Savings Bank first announced the facility for
consumer usage. The idea was quickly replicated by other banks such as Wells Fargo, Chase Manhattan, and
Security First Network Bank. Banks used a very simple layout, which allowed users to sign in, see their accounts
and statements, and make transfers from one account to the other. Initially, there was much consumer mistrust
around the idea of conducting financial transactions online. For instance, fears that hackers could access sensitive
account information kept away many bank customers from adopting the practice of online banking. However, with
the standardization of payment processes and heightened online bank security, online banking grew in popularity. It
was originally estimated that 55 million American families would be doing their banking online by 2010 and the
numbers continued to grow.
In India, the number of Internet users had gone up from 40 million in 2006 to 100 million in 2010, an addition of approximately 20 million new users a year for 3 years. There were several reasons for the rise of online banking: easy access to the bank account, bill payments, viewing and receiving paperless statements, making online transfers to accounts at other banks, receiving email alerts regarding balance and any suspicious activity, researching interest rates and special products, and interacting with the tax office for payroll tax and goods and services tax. Owing to the fact that overhead costs were low, banks encouraged consumers to shift to Internet (I) banking and did so by offering customers the best interest rates on certificates of deposit, money market accounts, and savings accounts.

NEED FOR ONLINE SECURITY


As with the trend in online banking, online frauds and account hacking have been on the rise all over the world. According to a survey conducted by Entrust (another data security company) in 2005, ii in which 1,000 people were interviewed about their perception of I-banking, the key findings were as follows. 18% of respondents had decreased their use of online banking or stopped banking online completely in the last 12 months owing to fear of a breach. One in three respondents was worried that the banking website they visited might not be a legitimate site, but rather a fraudulent one set up to steal their account information and/or identity. This underscored the need for mutual authentication, whereby a bank proves to its customers that they have visited a legitimate website. A total of 94% of the respondents indicated that they would use additional security measures such as multifactor authentication when logging into their online banking accounts. Similarly, 94% also indicated a willingness to use additional security measures when executing higher-value transactions such as large money transfers, even if it meant paying a higher cost.
According to a survey in 2010, conducted by Avira, asking all its customers how they felt about online banking, the
findings were: 31% of the 3,127 respondents said they never did their banking online because of security concerns
and instead went to a physical bank branch to conduct their transactions. Another 48.5% said they performed some
online banking, but were still "concerned" about the increase in Internet crime; which means only 20.5% of those
queried said they took advantage of the conveniences afforded by online banking and logged on to their banks'
websites without fear. iii
India has been no different with respect to Internet-banking-related frauds. The number of attacks on online transactions had increased over the years. In India, such transactions alone had caused a reported loss that rose from around Rs. 10 million in 2006-2007 to Rs. 60 million in 2008-2009. In 3 years, the number of fraud cases had more than doubled. iv An FDIC Technology Incident Report, compiled from suspicious activity reports filed by banks quarterly, listed 536 cases of computer intrusion, with an average loss per incident of $30,000. In 80% of the instances, the source of the intrusion was unknown, but it occurred during online banking, the report states.[2] The Minister of State for Finance, Namo Narain Meena, said in a written reply to the Rajya Sabha that in India:
The number of Internet frauds rose from 102 in 2007 to 113 in the following year and 269 in 2009, involving an amount of Rs. 2.51 Crore, Rs. 5.53 Crore, and Rs. 5.90 Crore, respectively (1 Crore = 10 million).
The Reserve Bank of India (RBI) cited compromise of passwords and negligence in other safety measures as the main reasons for the occurrence of such frauds. RBI had made it mandatory for banks to put in place a system for providing additional authentication and validation, an online alert system for card holders during transactions of a value of over Rs. 5,000, redressal of grievances for wrong billing, and reporting of cases to the police and ensuring follow-up action. v

KEY SECURITY THREATS IN ONLINE BANKING


The vulnerability in an online banking transaction arises from three sources: (i) the client, (ii) the network, and (iii) the bank. Although each of the three sources is susceptible to attack, the customer's personal computer (PC) has been known to be the weakest link and the primary threat. Most of the attacks on online banking in 2012 were based on deceiving the user in order to steal login data and credentials. Apart from cross-site scripting and key loggers/Trojan horses, phishing and pharming attacks were used to steal login information. One method of attacking signature-based online banking has been to manipulate the software used, in such a way that correct transactions are shown on the screen while faked transactions are signed in the background. In 2012, the most recent kind of attack was the so-called Man-in-the-Browser attack, where a Trojan horse permits a remote attacker to modify the destination account number and also the amount. Some of the important and commonly faced threats are classified below.
Phishing
In phishing attacks, malicious users trick the user into providing sensitive information by directing them to a fake website while pretending to be an agency or an individual from the financial institution that the user transacts with.
Pharming
Information is hijacked or stolen by hackers by installing malicious code on the user's PC. The code often gets installed involuntarily, by opening an e-mail or an attachment. This code can then lead the user to a fake website that resembles that of the user's financial institution, from where the hacker can steal information.
Man-in-the-Middle
This form of attack (MitM) is akin to eavesdropping on and manipulating the signal, so that information is maliciously manipulated in an authenticated communication channel between the bank and the customer.
Man-in-the-Browser
In this attack (MiB), the fraudulent transactions take place through malware installed in the client's browser. The information is then manipulated in a covert fashion without asking the user for any information.
Owing to the high rate of online fraud, and with a growing number of customers starting to use online banking facilities, RFL envisioned a great business opportunity in the banking segment, especially in online transactions. There were areas where the need for digital security was of utmost importance and was unmet by existing systems; Exhibit 1 indicates the specific needs-gap.
In a bid to reduce such mishaps, a number of organizations across the globe produced various kinds of authentication devices and tokens. For example, digital certificates were used against phishing and pharming, and class-3 card readers were used to avoid manipulation of transactions by the software in signature-based online banking variants.

What is a token?
A security token (or, sometimes a hardware token, hard token, authentication token, Universal Serial Bus (USB)
token, cryptographic token, or key fob) is a physical device that an authorized user of computer services is given for
authentication. The term may also refer to software tokens. Security tokens are used to prove one's identity
electronically (as in the instance of customers trying to access their bank account). The token is used in addition to
or in place of a password to prove that the customer is who he/she claims to be. The token is similar to an electronic
key which can be used for online access.


Hardware tokens are typically small enough to be carried in a pocket or purse and are often designed to attach to the
user's keychain. Some may store cryptographic keys such as a digital signature, or biometric data such as a
fingerprint minutia. Some designs feature tamper-resistant packaging, while others may include small keypads to
allow entry of a PIN or a simple button to start a generating routine with some display capability to show a
generated key number. Special designs include a USB connector, RFID (radio frequency identification) functions or
Bluetooth wireless interface to enable transfer of a generated key number sequence to a client system.
The simplest security tokens do not need any connection to a computer. The client enters the number displayed on the token on a local keyboard (second security factor), usually along with a PIN (first security factor), when asked to do so. Other tokens connect to the computer using wireless techniques such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.
Alternatively, the new form of tokens entering the mainstream in 2012 were mobile devices communicated with over out-of-band channels (such as voice, short message service, and unstructured supplementary service data), which also rendered authentication and identity protection much stronger when compared to conventional simple synchronous dynamic password tokens. Other tokens could still be plugged into the computer. For these, one had to connect the token to the computer using an appropriate input device and enter the PIN if necessary.

Maintenance of Authentication
Following are the methods by which authentication was maintained.
Two-factor authentication (T-FA or 2FA)
Security tokens provide the "what you have" component in two-factor and multi-factor authentication solutions. Some tokens provide up to three factors of authentication, or allow you to combine different factors to create multifactor authentication.
One-time passwords
A one-time password is a password that changes after each login, or after a set time interval. A one-time password scheme uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unique, even when previous passwords are known. The open source OATH algorithm is standardized, while other algorithms are covered by US patents.

Limitations of Security Systems in 2012

The limitation of security systems in 2012 was that they identified the user, but did not in any form authenticate transaction data.

Hardware Tokens
- Need refreshing once every 3 years
- A common seed lowers security significantly
- Time window for the one-time password is too small to read and enter easily

SMS OTP
- Latency, and thus transaction completion failure, is very high (online transaction completion dropped to under 40% for online payments after RBI introduced SMS PIN)
- Vulnerable to SIM cloning
- Open vulnerability with telecom company system administrators

Digital Signatures
- Vulnerable to MitM/MiB attacks
- Signs transaction data, but malware modifies the data prior to signature, so the vulnerability remains

Grid
- A static grid can be captured over a period of time by malware, as all numbers on the grid will be covered in about 40 transactions for 16 slots

Chip and PIN
- Cumbersome to use: requires a combination of a physical chip card, card reader, and a PIN
- Multiple cards: one for each account or bank
- Higher-end security devices need secure data entry keypads, which are far more cumbersome

All the above solutions are vulnerable to MitM/MiB/pharming attacks perpetrated by malware on the client PC. This was the critical gap that RFL identified in order to introduce a more secure system.

Value Degeneration Posed by Security Threat

The banking space in India has been highly competitive, with over 200 commercial banks operating through more than 90,000 branches and competing with each other for additional business as well as consumer retention. In India, the estimated number of retail consumers in 2012 was around 30 million. About 7% of users across banks used I-banking. According to an estimate, banks usually spent around Rs. 55-60 to cater to a consumer through branch banking, while the same cost was Rs. 25 through an automated teller machine and Rs. 4 through the Internet. A large proportion of Indian banks were shifting their customer base to I-banking by offering incentives and discounts, in order to avoid high transaction costs. One of the reasons for the poor penetration of I-banking was the security threats discussed earlier. Exhibit 2 indicates the top 10 countries by attack volume. The loss in value projected for the year 2012 is around $1 billion.
Over the years, the security threat in the financial sector has been on the rise. Exhibit 3 reports I-banking frauds and the money involved.
Apart from the financial losses incurred owing to fraud, the banks also lose consumer confidence in I-banking, as well as their valuable equity and reputation in the market. In the long run, this poses a threat to the overall value creation in the financial sector. Therefore, most of the reputed banks in India made efforts to safeguard their consumers, and themselves, from these security threats. Exhibit 4 reflects the prevalent measures adopted by some of the leading banks.

RFL SECURITY PRODUCT

RFL's product was a specialized USB stick that added an extra level of security and protected online banking transactions despite attacks on PCs. The consumer could use the security stick to log on and validate all transactions via a display, while the USB device was securely connected to the server, safeguarding against the most fiendish forms of attacks that could manipulate data in the background, hidden from the consumer and the bank.

RFL Token
The RFL token was a self-contained device with an on-board crypto processor that could not be tampered with either electronically or physically. The token board was epoxy-coated so that there was no access to its internals. There were no leads to tap into, as it was surface-mounted with unexposed tracks. There was neither any content to be read from the token by the computer, nor any clear text ever sent by the token to the PC it was attached to; there was a proprietary message exchange protocol between token and server, minimizing the vulnerability to misuse.


Thus, there was no single point of vulnerability across the manufacturer, solution developers, implementation partners, or bank system administrators/operators.
The RFL token:
- Was connected over USB to the PC where the transaction was being done.
- Had a custom-built hardware crypto protocol processor.
- Had a large LCD to display secure messages.
- Had login/transaction confirm and cancel buttons.

RFL DigitaID
RFL DigitaID actively thwarted MitM/MiB, pharming, domain name system poisoning, and replay attacks; this was unique, as none of the other solutions performed this function. The technology had a patent pending, and was built to tackle these problems from the ground up rather than incrementally over existing solutions. The product combined the advantage of signing transaction data with the transaction uniqueness of a one-time password. It had a token-based cryptographic 2nd/3rd factor with interactive confirmation per transaction, and was completely synchronous with the transactions, so that all transactions were completely secure. Another advantage was that there was a common token across banks that had deployed RFL DigitaID, yet a personalized token capable of holding 10 service profiles, which could be used for access to any service, e.g., online banking, Internet card payments, etc. Broadly, RFL's security product did not suffer from any of the disadvantages of other 2FA mechanisms. The following discussion provides the specifics.
Characteristics of RFL Authentication Server
- Server-side components that communicated securely with the token
- Features to distribute, manage, and update tokens
- Disaster recovery features

The DigitaID architecture, which made RFL's proposition superior, is discussed in Exhibit 6.
The RFL DigitaID Key could be plugged into the USB port of any computer and create a direct, secure channel to a bank's online transaction server, bypassing the PC, which could be infected by malicious software (malware) or susceptible to hacker attacks.
The consumer could use the security stick to log on and validate all transactions via a display, while the USB device was securely connected to the server, safeguarding against the most fiendish forms of attacks that could manipulate data in the background, hidden from the consumer and the bank. The USB device added an extra level of security to the existing authentication solutions provided by smart card, PIN, or one-time validation code, in order to counter the newest and most highly manipulative security threats.
Even if a user's PC was infected by malware that manipulated the information flow in the PC, the user could cancel the transaction displayed on the DigitaID device. What the user saw on the DigitaID Key display was identical to what the server saw, no matter what malicious intervention might occur on the PC or anywhere on the Internet. Owing to the direct secure connection between DigitaID Key and server, the device essentially provided a safe window to the server, states Yash. Moreover, the DigitaID was designed such that no change was required in either the server software or the software running on the client's PC. It could be run on all major home computing operating systems.3
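The following Python simulation is an added illustration, not RFL's code or material from the case. It contrasts the two mechanisms the case describes: the hash-chain one-time password of the earlier "One-time passwords" section, which authenticates only the user at login, and a transaction-bound confirmation in which the token displays exactly the transaction the server is about to execute and the user can cancel it. The keys, account numbers, amounts and the HMAC-based confirmation code are constructed assumptions standing in for RFL's proprietary token-server protocol, which the case does not specify.

```python
"""Added simulation, not RFL's code: a hash-chain OTP (authenticates the user
only) beside a transaction-bound confirmation in which the token display is
exactly what the server will execute.  All keys and values are constructed."""
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# 1. Hash-chain OTP: proves WHO is logging in, nothing about the transfer.
class HashChainToken:
    """Synchronous OTP token that releases chain elements in reverse order."""

    def __init__(self, seed: bytes, length: int) -> None:
        self._chain = [seed]
        for _ in range(length - 1):
            self._chain.append(_h(self._chain[-1]))
        self._next = length - 2       # chain[-1] is enrolled at the server

    def enrolment_value(self) -> bytes:
        return self._chain[-1]

    def next_otp(self) -> bytes:
        otp = self._chain[self._next]
        self._next -= 1
        return otp


class HashChainServer:
    """Stores only the current tip; accepts an OTP iff H(otp) == tip."""

    def __init__(self, tip: bytes) -> None:
        self._tip = tip

    def verify_otp(self, otp: bytes) -> bool:
        if hmac.compare_digest(_h(otp), self._tip):
            self._tip = otp           # tip moves back, so replaying otp fails
            return True
        return False


# 2. Transaction-bound confirmation: WHAT is executed is authenticated too.
# The HMAC confirmation code is an assumption standing in for RFL's
# proprietary token-server protocol, which the case does not specify.
@dataclass(frozen=True)
class Transaction:
    dest_account: str
    amount_paise: int                 # minor currency units, no float ambiguity

    def canonical(self) -> bytes:
        return f"{self.dest_account}|{self.amount_paise}".encode()


class ConfirmToken:
    """Token with its own LCD, sharing a per-token secret with the server."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def display_and_confirm(self, tx: Transaction,
                            user_approves: Callable[[str], bool]) -> Optional[bytes]:
        shown = tx.canonical()        # bytes on the LCD == bytes that get MAC'd
        if not user_approves(shown.decode()):
            return None               # user pressed CANCEL on the device
        return hmac.new(self._secret, shown, hashlib.sha256).digest()


class ConfirmServer:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def verify_confirmation(self, tx: Transaction, mac: Optional[bytes]) -> bool:
        if mac is None:
            return False
        expected = hmac.new(self._secret, tx.canonical(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


# Scenario: a man-in-the-browser rewrites the transfer inside the PC.
def run_scenario(tamper: bool) -> dict:
    intended = Transaction("ACC-1001", 5_000_00)             # Rs. 5,000, as typed
    received = Transaction("ACC-9999", 50_000_00) if tamper else intended
    otp_token = HashChainToken(b"constructed-seed", length=10)
    otp_server = HashChainServer(otp_token.enrolment_value())
    logged_in = otp_server.verify_otp(otp_token.next_otp())
    # Nothing binds the login to the transfer, so an OTP-only server executes
    # whatever the (possibly rewritten) browser session submitted.
    otp_only_executes = logged_in
    secret = b"constructed-per-token-secret"
    token, server = ConfirmToken(secret), ConfirmServer(secret)

    def user_approves(shown: str) -> bool:    # user compares LCD with intent
        return shown == intended.canonical().decode()

    # The server pushes the transaction it actually received to the token.
    mac = token.display_and_confirm(received, user_approves)
    confirmed_executes = server.verify_confirmation(received, mac)
    return {"logged_in": logged_in, "otp_only_executes": otp_only_executes,
            "confirmed_executes": confirmed_executes}
```

Running `run_scenario(True)` shows the login succeeding while the rewritten transfer is cancelled on the token; `run_scenario(False)` shows the untampered transfer confirmed.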
Yash knew that his product was superior to many of the competitor products as it was able to prevent MitM attacks
by updating itself with the capability to counter increasingly sophisticated viruses.
A secure system offered by RFL would be a strong pillar to the quest of most of the growing Indian banks who vied
to establish seamless intelligent infrastructure and branchless banking. A secure system was the basis of integration
of several financial products and solutions. The added customer security translated into higher revenues for the bank
as it encouraged end-users to increase volume of online business. A bank such as ICICI had approximately a total of
44 million transactions, with 3.67 million unique visitors per month. vi


COMPETITORS
With competitors, even if small in number, such as the Pune-based UNIKEN, New York-based RSA, and Swiss-based VASCO vying for their own space, the market for secure financial transactions in India was fragmented and nascent.
RSA, the security division of EMC² and also the no. 1 online security company in the world, was named after Ron Rivest, Adi Shamir, and Len Adleman, who started it in 1977. It was set up in India in 2007. The various products that this company offered were RSA Adaptive Authentication, RSA Adaptive Authentication for eCommerce, RSA Authentication Manager Express, RSA Digital Certificate Solution, RSA Identity Verification, RSA SecurID, and RSA Transaction Monitoring. In 2009, HDFC was the first Indian bank to implement layered components of the RSA Identity Protection and Verification Suite.4
Yash remarks, which may explain some of the reluctance towards RSA's products in the Indian market:
RSA has tried to penetrate the market with a device price as low as $5, but with limited success. They have a high brand value owing to their longevity in the market. However, they have not come up with a proven technology/device for sophisticated malware and MitM attacks. Added to that, customers are known to have been frustrated with the high upgradation and maintenance costs, giving them a feeling of being locked in to RSA.
UNIKEN, a product innovation company, was started in 2003 in Boston, Massachusetts, USA. It created various products such as the Virtual Private Secure Internet, REL-ID (Relative Identity), 5 Secure Content Delivery Suite, and various security devices such as USB, CD, etc. UNIKEN carved a niche in the public sector, serving SBI, Bank of India, and Canara Bank.
VASCO was founded by T. Kendall Hunt in 1997 and provided authentication for mobile banking, corporate banking, and retail banking with a price point at $2850 per 50 customers for 10 incidents per year. Having entered India in 2007, they made headway in the market with the sale of VASCO's DIGIPASS GO 3 to Reliance Money, the financial solutions arm of Reliance Capital. Although VASCO's strength was in supporting large volumes of authentication requests and mass deployment in a variety of applications, its products were based on 2FA, which was proven to be inadequate against certain kinds of Internet frauds.

THE SITUATION IN 2012

The Indian banking security market seems impenetrable at times, quips Yash, as if he senses skepticism towards the adoption of new technologies in the online banking security space in India. The lack of a proven technology, upgradation and maintenance costs, distribution of tokens, managing lost tokens, and the lack of standards were all hurdles that his customers had to overcome.
RFL's offering had great value to offer to banks and, in turn, to their customers. Given the evolving nature and nascent stage of security awareness in the nation, RFL had much thinking to do on pricing its product (the hardware) and service (the software and maintenance) bundle, and the typical services that would be included, such as the establishment of the RFL authentication server and maintenance of the security server (to be renewed annually). The price set for the bundle was of course aligned with the value that RFL could deliver.
RFL, having recently shed the tag of an incubatee at the NSRCEL at IIM Bangalore, had the added challenge of seeking venture capital as well as partnerships with Infosys or Tata Consultancy Services, who would support and help scale up the delivery of RFL's products. Although the immediate energies of RFL would be focused on this endeavor, Yash knew as well as anybody at RFL that convincing potential customers and partners of the value that RFL's products contributed was an integral part of the process.


Study Questions for RFL

1. What are the value drivers? Qualify them.
2. Estimate the economic value of RFL's DigitaID. State your assumptions when you make this calculation.
3. How best should RFL position itself to capture the value it had created through its products?

_____________________
Kumar Rakesh Ranjan, Ramana Charan and Pooja Krishnan provided research assistance for this case.


Exhibit 1
Potential intervention areas for RFL

Application                            | Needs: Identification/Authentication | Transaction Authorization | Secure Messaging
Core Banking                           | Yes | Yes | No
Online Banking                         | Yes | Yes | Yes
Internet Card Payments                 | Yes | Yes | Yes
ATM                                    | Yes | Yes | No
UIDAI-based Security Systems           | Yes | No  | No
Microfinance-based Financial Inclusion | Yes | Yes | Yes

Source: RFL

Exhibit 2
Country-wise volume break-up of online frauds

Source: USA Anti Fraud Command Center


Exhibit 3
Online frauds in terms of value

Year | No. of I-banking frauds registered | Amount involved (Rs. Crores)
2007 | 102 | 2.39
2008 | 113 | 5.53
2009 | 269 | 6.90

Source: USA Anti Fraud Command Center

Exhibit 4
Security measures of leading banks

Bank      | Internet Security Measures                                                                                          | Prevents
HDFC Bank | RSA adaptive authentication to provide customers a personal security image and caption to verify legitimacy          | Static phishing
Axis Bank | NetSecure system generates a code using desktop software/SMS/iTouch device which serves as a 2nd-level authentication | Static phishing
Citi Bank | OTP along with card-based authentication with Verisign digital certification                                         | Static phishing and MitM attacks
SBI       | 2-factor authentication. PKI digital signature.                                                                     | Static phishing, MitM attacks

Note: HDFC - Housing Development Finance Corporation; SBI - State Bank of India
Source: Vista 2011.

Exhibit 5
RFL token

Source: RFL


Exhibit 6
DigitaID architecture of RFL

Design Specifications                                   | Benefits
Display of critical data on trusted device              | Protection from malicious PC software, since there is no persistent caching of any data on the PC
Mutually authenticated session establishment, end-to-end | Protection from MitM attacks
USB module                                              | Convenience, ease of use and mobility; positioning as secured online banking from anywhere and anytime
Modular design, seamless integration throughout server  | Highly secure, multiple signing transaction

Source: RFL

Exhibit 7
Product comparison chart

Source: RFL
