Website authentication for financial institutions

When you visit the website of your financial institution, whether it be your bank, insurance agency, brokerage house or credit card company, the site is most likely using an Extended Validation (EV) certificate to secure its communication and to project its identity to users. Your browser will show the encryption lock in the address bar as well as the company name. Sometimes this will be highlighted in green, depending on your browser. This tells the user that the company’s identity has been verified with detailed information contained within the certificate, including its physical address, country and the type of business registration.
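To make those identity fields concrete, here is an added example (not code from this post or from DigiCert) that uses Python's `cryptography` library to check whether a certificate asserts the CA/Browser Forum EV policy identifier and carries the subject attributes that hold the verified legal identity. The certificate it inspects is a self-signed sample built in memory with invented values, so it runs offline; a real check would load the certificate presented by the site instead.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

# CA/Browser Forum EV policy OID plus the subject attributes holding the verified identity
EV_POLICY_OID = ObjectIdentifier("2.23.140.1.1")
EV_SUBJECT_FIELDS = {
    "organization": NameOID.ORGANIZATION_NAME,
    "business_category": NameOID.BUSINESS_CATEGORY,
    "registration_number": NameOID.SERIAL_NUMBER,
    "jurisdiction_country": NameOID.JURISDICTION_COUNTRY_NAME,
    "country": NameOID.COUNTRY_NAME,
}

def ev_identity(cert: x509.Certificate) -> dict:
    """Report whether the EV policy is asserted and which identity fields are present."""
    try:
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
        asserts_ev = any(p.policy_identifier == EV_POLICY_OID for p in policies)
    except x509.ExtensionNotFound:
        asserts_ev = False
    fields = {}
    for label, oid in EV_SUBJECT_FIELDS.items():
        attrs = cert.subject.get_attributes_for_oid(oid)
        fields[label] = attrs[0].value if attrs else None
    missing = [k for k, v in fields.items() if v is None]
    # complete only when the policy is asserted AND every identity field is present
    return {"asserts_ev_policy": asserts_ev, "complete": asserts_ev and not missing,
            "missing": missing, **fields}

def make_demo_cert(ev: bool) -> x509.Certificate:
    """Self-signed sample certificate; all subject values are constructed (fictional)."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, "www.example-bank.test"),
             x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Bank plc"),
             x509.NameAttribute(NameOID.COUNTRY_NAME, "GB")]
    if ev:  # the extra attributes a DV or OV certificate would not carry
        attrs += [x509.NameAttribute(NameOID.BUSINESS_CATEGORY, "Private Organization"),
                  x509.NameAttribute(NameOID.SERIAL_NUMBER, "12345678"),
                  x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, "GB")]
    name, now = x509.Name(attrs), datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if ev:
        builder = builder.add_extension(
            x509.CertificatePolicies([x509.PolicyInformation(EV_POLICY_OID, None)]), critical=False)
    return builder.sign(key, hashes.SHA256())
```

Calling `ev_identity(make_demo_cert(False))` shows the gap: the organization and country are there, but the policy OID, business category, registration number and jurisdiction are not, which is exactly what separates an OV-style subject from an EV one.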

Financial institutions have always been targets of fraudsters due to the value of the information and assets they hold. Because of this, banks and others recognize both the importance of identity and the value that EV provides to their customers. However, website authentication is just one use case for EV certificates. But before we discuss other use cases, let’s summarize why financial institutions use EV:

  1. Anti-counterfeiting: Financial institutions want to help their users ensure they are at the authentic, correct website. An EV certificate is more difficult and costly to obtain by fraudsters, making it less likely that a site with an EV certificate will be counterfeit.
  2. While encryption is very important (to ensure confidential information is not compromised), identity is paramount. Why encrypt something if you’re not sure who is receiving it? What if someone has inserted themselves in the middle of the conversation to intercept the communication? Yes, it’s encrypted. Is that desirable? Without identification, users can be lulled into a false sense of security.
  3. Financial institutions are targets of phishing emails which direct users to non-authentic websites. Anything that can help the real website stand out from the fake one is attractive to the organizations in fighting fraud.
  4. Brand protection: Organizations like having their brand distinguished and protected by EV.

What else can EV be used for? There are broad uses in cybersecurity besides website authentication. IT departments are using EV for things like verifying that websites belong to the company, adding rules to internal firewalls, configuring managed security services, and supporting internal audits and compliance.

In the European Union, EV is taking on another role. In 2016, the EU passed a new regulation called eIDAS, which updates the 1999 EU Digital Signature Act. As part of this update, the regulation defined Qualified Website Authentication Certificates (QWACs). These are based on EV certificates with some additional information added. A further regulation called Payment Services Directive (PSD2) requires the use of QWACs by certain financial institutions doing business in the EU. This goes into effect in June 2019 and Certificate Authorities are already getting requests for this product from EU-based banks and other financial organizations doing business in Europe.

To protect end users, work continues to ensure the highest standards of identity verification for online businesses. Most notably, this focuses around the browser, where inconsistent user experiences continue.

The only problem with everything mentioned here is that piece of software people use to view websites — the browser. The browser experience for EV websites is vastly inconsistent today. Some display the company name in green, some in gray. One doesn’t display the company name at all, but rather the domain name in green. Some are promising changes to the user interface, others haven’t changed them in years.

What improvements can we hope for?

  1. A consistent user experience for EV-enabled websites
  2. Clear and easy to understand information for users
  3. Rigid requirements and audits for validating information to ensure it is correct and unique
  4. Additional validation information added to EV certs

Until then, the use of EV for financial and other high-value sites to proclaim their identity (whether it is exposed or not) remains useful for the reasons mentioned above, because what good is encryption if we don’t know who we are transacting with?

DigiCert plans to propose additional improvements to the EV standards in the months to come, and we look forward to continuing the conversation on the importance of identity for all aspects of our connected, digital lives.
