Online password security? Think Sudoku!

IIT Madras student creates transparent card-based dynamic password matrix; Chennai firm commercializes technology; IndusInd Bank first to harness it.

By Dinesh Sharma* Reproduced with permission from Mail Today, New Delhi

It looks like a crossword grid or a Sudoku puzzle printed on a transparent sheet of plastic. It can also pass off as a fancy Tambola card. But it is neither.

Actually, it is a new tool designed to prevent theft of transaction passwords by fraudsters and make online banking safer. The grid helps customers generate a new password for every online banking transaction.
The novel technology, called 'Intellect Privacy Dynamic Grid', works like a physical key that lets you unlock your banking account in the virtual world, every time with a new key.

The brainchild of K. Balaraju, a postgraduate entrepreneurship student at the Indian Institute of Technology Madras, the idea has been commercialised by a Chennai firm, Laser Soft Infosystems, a subsidiary of Polaris Software Lab. The IITM has filed four patents on the technology.

Within a fortnight of its release, the technology has evoked interest in banking circles in several countries. IndusInd Bank has become its first user in India.
A dynamic grid is a matrix printed on a transparent card: each cell is randomly assigned a number or filled in black, while some cells are left blank. Each grid generated is unique, and a bunch of these cards is issued to a customer at the time of registration.

When a user logs into his online account with his access ID and password, another grid of the same size appears on the screen.
All that the user has to do is place the plastic grid over the screen, aligning it exactly with the grid shown there.

When superimposed, the two grids mutually mask most of the numbers and only a subset of numeric characters from the grid will be visible on the screen. The numbers left on the screen - from left to right or top to bottom - will form the one-time password.
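The overlay described above can be modelled in a few lines. This is an added example, not code from the article or from Laser Soft; the cell rules (a clear card cell shows the screen digit beneath it, a printed card digit shows over a light screen cell, everything else is masked), the row-by-row reading order and the single-use challenge are assumptions made for illustration.

```python
import hmac
import secrets

BLACK, EMPTY, DIGITS = "#", " ", "0123456789"

def random_grid(rows, cols, blank):
    """Grid whose cells are `blank`, BLACK, or a random digit (assumed mix)."""
    def cell():
        return secrets.choice([blank, BLACK, secrets.choice(DIGITS)])
    return [[cell() for _ in range(cols)] for _ in range(rows)]

def visible(card_cell, screen_cell):
    """Digit the user sees through one pair of stacked cells, or ''."""
    if card_cell is None and screen_cell in DIGITS:
        return screen_cell            # screen digit seen through a clear cell
    if card_cell is not None and card_cell in DIGITS and screen_cell == EMPTY:
        return card_cell              # printed card digit over a light cell
    return ""                         # black cell or digit-over-digit: masked

def overlay_otp(card, screen):
    """Read the visible digits left to right, row by row."""
    return "".join(visible(c, s)
                   for crow, srow in zip(card, screen)
                   for c, s in zip(crow, srow))

class GridAuth:
    """Server side: knows the issued card, issues one challenge per login."""
    def __init__(self, card):
        self.card, self.pending = card, None

    def challenge(self):
        rows, cols = len(self.card), len(self.card[0])
        self.pending = random_grid(rows, cols, EMPTY)
        return self.pending

    def verify(self, submitted):
        screen, self.pending = self.pending, None   # a challenge is single use
        if screen is None:
            return False
        expected = overlay_otp(self.card, screen)
        return bool(expected) and hmac.compare_digest(
            expected.encode(), submitted.encode())

# Constructed sample card and screen grids (None = clear card cell).
CARD = [[None, "#", "7", None], ["3", None, "#", "5"]]
SCREEN = [["4", "9", " ", "#"], [" ", "2", "1", "8"]]
```

Because the server discards a challenge once it has been answered, a password captured from one login is rejected when replayed against the next screen grid.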

"The numbers generated from the combination of screen grid and transparent card grid vary each time the user logs in. This means that for each transaction, a new grid will be generated by the server so that a unique password props up every time," explained B. Suresh Kamath, Laser Soft Infosystems managing director, who is also an IITM alumnus.

The technology works on the principle of "Challenge Response Authentication", which is a method for proving one's identity over an insecure medium without giving out any information.
This is designed to tackle the growing menace of phishing attacks on banking accounts, in which cheats trick you into giving your online passwords through deceptive e-mails and malicious software that can supply all keystroke information to hackers.

"The security strength of the new system lies in the randomness of position and the random text in that position," said Kamath.
"The system is easy to use, cost effective - one card may cost less than a rupee - and ideal for mass banking applications in India.
The technology can be used for transactions through mobiles and ATM screens too. And instead of numbers, we can have letters from any Indian language." Options such as virtual keyboard and e-valets have been found prone to frauds, officials said.

* Dinesh Sharma is Science Editor, Mail Today, and author of the book "The Long Revolution: Birth and Growth of India's IT Industry" (2009). Link to his original story in Mail Today, March 16 2010: 'Sudoku+grid'+to+foil+web+fraud.html