Financial institutions warned of PKI pitfalls

While Australian financial institutions scramble to keep up with best practice security, public key infrastructure (PKI) is rapidly finding its way onto the agenda. However, Ernst Young warns that many financial institutions may be putting themselves at risk by jumping in headfirst.

In a report titled Building Trust Through PKI, Ernst Young predicts that the increased usage of digital signatures is going to have a profound impact on B2B e-commerce, but also adds that the PKI path to B2B nirvana can be a minefield.

Andrew Pearce, principal at Ernst Young, outlines how PKI will come to the fore over the next few years in relation to the expansion of the B2B market, which is expected to hit around $US8.51 trillion by 2005.

"Consequently, pressure has mounted on government and the country's leading financial institutions to develop and approve robust PKI solutions to ensure the identity of individual trading parties and the confidentiality of exchanged information," he said.

Pearce also added that in their enthusiasm to embrace digital signatures, local financial institutions may be overlooking some significant risks, including those associated with fulfilment, transactions, information security, finance, governance, operational and those relating to the business environment.

"Collaboration between trading partners online brings both opportunities and risks for financial institutions and businesses. The institutions that best match the risk and reward balance will be those best placed to reap the rewards of PKI," he said.

The need for digital signatures to be portable could potentially prove troublesome, according to the report. Given that they will be most likely stored on smartcards and issued with a password, should either go astray or be generated from incorrect information, re-issue and fraud costs could be significant. These fulfilment risks, in addition to any other security breach, can also have a huge impact on brand reputation, according to Pearce.

"Upon a compromise with the issuance of smartcards and PINs, the financial institution will most likely need to shut down its entire Certificate Authority, therefore resulting in disgruntled customers and a big reduction in the confidence in the financial institution by the business community," he said.

Financial institutions also need to be wary of transaction risks, which could bring with them similar ramifications. In fact, Ernst Young predicts that PKI will become such a trusted infrastructure in the future that any wrongful verification on the part of the institution could see it hit with legal claims.

On the financial and operational side of things, the timing of PKI implementation is crucial, according to the report. Financial institutions need to be conscious of market readiness for their PKI offerings in order to avoid increased costs, while making sure their run isn't too late to avoid missing out on additional revenue. Pricing also plays a role, according to Ernst Young, as inappropriate pricing models will result in a loss of market share and a potential loss of earnings.

Finally, Ernst Young believes financial institutions need to look at their partners. In fact, Pearce highlights this point as a critical one, suggesting that the best way to approach this is by partnering with consortiums that have been formed to offer a PKI solution as an existing infrastructure.


Copyright © 2001 IDG Communications, Inc.

How to supercharge Slack with ‘action’ apps
Shop Tech Products at Amazon