Common use of External Clause in Contracts

External. Some trusted devices have earlier been described under “Online.” These concern devices that rely on a network connection (hence the name). An “External” possession factor relies on a bank-issued authentication device that does not use an electronic connection with other devices. There are a few variations that are either low-tech or high-tech.

—OTPs on paper/plastic

This is the simplest form of a possession factor. It consists of an indexed list of OTPs on paper or an indexed grid of characters on a small plastic card. A user derives an OTP from one of these when the bank requests it. The bank specifies which OTP it wants by referring to one or more index numbers. The physical paper or plastic represents the possession factor.

Advantages are that it is easy to use and that it is protected against malware-based attacks, like all external possession factors. A disadvantage is that a physical medium with written text is easy to copy. A picture of the page or card made by a camera already represents a copy of the possession factor that is usable by an adversary.

We observed that 16 out of 80 banks (20%) let users authenticate with OTPs from paper or plastic in 2015. Of these 16 banks, five (31.3%) do not give the user an alternative choice for the possession factor. Most of the 16 banks are located in Europe and South America, where this method seems to be more popular compared to other regions. Paper and plastic OTPs have become more popular since 2013, when only 13 banks (16.3%) applied it for home banking. At that time, eight of the 13 banks (61.5%) required the use of a physical page or card to get OTPs from and an alternative was not available. This implies that this representation of the possession factor became more popular as an alternative authentication scheme instead of as the only (mandatory) option.
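The bank's side of the indexed-list scheme described above can be sketched as follows. This is an added example, not code from the surveyed paper or from any bank; the class name, the three-failure lockout and the 6-digit OTP length are assumptions made for illustration.

```python
import hmac
import secrets


def new_otp_list(count=20, digits=6):
    """Generate the indexed OTP list that would be printed and sent to the user."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


class OtpListVerifier:
    """Bank-side state for one user's printed list (hypothetical class)."""

    def __init__(self, otps, max_failures=3):
        self._unused = dict(enumerate(otps, start=1))  # index -> OTP, 1-based
        self._pending = None       # index currently being asked for
        self._failures = 0
        self._max_failures = max_failures

    def locked(self):
        return self._failures >= self._max_failures or not self._unused

    def next_challenge(self):
        """Return the index the user must look up, or None if a new list is needed."""
        if self.locked():
            return None
        if self._pending is None:
            self._pending = secrets.choice(sorted(self._unused))
        return self._pending

    def verify(self, index, candidate):
        """Accept only the OTP at the requested index, and only once."""
        if self.locked() or index is None or index != self._pending:
            return False
        expected = self._unused[index]
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            del self._unused[index]    # spent: a replayed OTP is rejected
            self._pending = None
            self._failures = 0
            return True
        # Keep the same index pending, so someone holding a partial copy of
        # the list cannot re-request until a known index comes up.
        self._failures += 1
        return False
```

None of these checks helps once the whole page or card has been photographed, which is the copying weakness noted above; they only limit guessing, replay and the value of a partial copy.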
OTPs from a physical medium are used for authentication in six of 58 examined mobile applications (10.3%), and in four out of 24 mobile sites (16.7%) in 2015. The same numbers for 2013 were three out of 45 (6.7%) and zero out of 19 (0%), respectively.

—Offline electronic tokens

We added the “offline” keyword to the description of this kind of token to distinguish them from online hardware tokens. These tokens do not have an electronic connection with any other device, but rely on their own battery as a power source and nonelectronic methods for information transfer. There are different types of tokens, ranging in functionality and offered user interface.

Footnote 4: We did not examine these secondary mobile banking applications (one which generates an OTP, one which scans QR-like codes) on a technical level and assume that they require an online connection to receive OTPs or response codes.

ACM Computing Surveys, Vol. 49, No. 4, Article 61, Publication date: December 2016. 61:18 X. Xxxxxx et al.

Table II. Offline Tokens Used for Home Banking at 31 Out of 80 Banks (38.8%). One Bank Implemented Two Different Kinds of Devices, Resulting in a Total Value of 32. Numbers in Parentheses Represent Banks from the same Group which also Use Tokens for Mobile Banking

                                           Authentication method
Device(s) and optional knowledge factor    OTP    CR    OTP & CR    WYSIWYS
Smart card, token and PIN                  1      2     5 (1)       1

The simplest token consists of a single button and a small display. When the button is pushed, the display shows a single OTP. Eight out of 80 (10%) observed home banking sites applied such a token in 2015 and seven out of the same number of observed banks (8.8%) did so for home banking in 2013. A slightly more complex token consists of a display, a number of function buttons, and possibly a keypad. These tokens work stand-alone or rely on an inserted bank card to provide cryptographic credentials.
The functions of some of these tokens are only usable after the token is unlocked by a PIN (associated either with the device itself or with a smart card). There are several functions that can be supported by different kinds of tokens:

—Generate OTPs. Like the one-button tokens, OTPs can be generated after entering a PIN. Offering the OTP to the bank proves that the user is in possession of the device used to create the OTP and (indirectly) of the PIN required to operate the device.

—Generate responses for Challenge-Response (CR) authentication. After entering the PIN, the user must enter a challenge (given by the bank), after which the token will generate a response for the user to enter in the online banking site. Receiving the expected response to the sent challenge is an indication for the bank that the user is in possession of what is needed to generate the response (a specific token or bank card and a PIN).

—Show critical transaction information and confirmation codes. The information is received through a nonelectronic one-way connection between the token and the user’s device. We only observed this new authentication method in our 2015 survey. The one-way information transfer is facilitated by an optical sensor, which scans QR-like codes from the monitor of a user’s device.

Table II provides an overview of the types and numbers of offline electronic tokens we encountered in our 2015 survey.
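The Challenge-Response function described above, with both the token's and the bank's side, as an added example that is not taken from the surveyed paper. The text does not name the algorithm the tokens use, so HMAC-SHA-256 over a shared card key is an assumed stand-in, and the class names, 8-digit codes and three-try PIN limit are hypothetical.

```python
import hashlib
import hmac
import secrets


def response_code(card_key, challenge, digits=8):
    """Derive a decimal response from the challenge (HMAC-SHA-256 stand-in)."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** digits:0{digits}d}"


class OfflineToken:
    """User side: keypad token that computes responses only after PIN entry."""

    def __init__(self, card_key, pin, max_pin_tries=3):
        self._key, self._pin = card_key, pin
        self._max_pin_tries = self._tries_left = max_pin_tries

    def respond(self, pin, challenge):
        if self._tries_left == 0:
            return None                      # blocked after repeated wrong PINs
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            return None
        self._tries_left = self._max_pin_tries
        return response_code(self._key, challenge)


class Bank:
    """Bank side: issues a fresh challenge and accepts one answer to it."""

    def __init__(self, card_key):
        self._key = card_key
        self._open = None

    def issue_challenge(self):
        self._open = f"{secrets.randbelow(10 ** 8):08d}"
        return self._open

    def check(self, response):
        challenge, self._open = self._open, None   # one answer per challenge
        if challenge is None or response is None:
            return False
        expected = response_code(self._key, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())
```

The user is the only channel between the two classes: the challenge is typed into the token and the response is typed back into the banking site, which is why both values are short decimal strings.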
