The Next Step in ID Verification
Positively ID online users by identifying behavior and gestures that are unique to each individual
- By David Rizzo
- May 01, 2014
“Banks Heap Suits on Target over Breach,”
read a recent headline of a Wall Street
Journal story. By that time, seven financial
institutions had already filed class action
suits against the retail giant alleging it did
not sufficiently protect its customers' data.
They have a case, as a review of how the breach occurred
shows that hackers accessed customer information despite
the fact that the credit card security codes and debit PINs
were encrypted.
Numerous other retailers also have suffered cyberattacks; but
at 40 million accounts, the magnitude of the Target bombshell
heralds a call-to-arms for all retailers and any other businesses
that allow consumers to access their accounts via the Internet.
This includes diverse industries such as healthcare, education,
hospitality, government, travel and the very institutions behind
the recent lawsuits, banking and financial.
The Risk Based Security and Open Security Foundation reported
a record number of 2,644 breaches in 2012, with 70 percent
due to external hacking. A total of 267 million records were
exposed, and according to Javelin Research, the dollar amount
stolen was $21 billion, a three-year high.
Conducting “business as usual” will no longer suffice. To reassure
and retain now-skittish consumers, any entity that engages
in e-commerce must employ greater lock-down methods. ID authentication
now requires protection that goes beyond ordinary
PINs and passwords.
Some early-adopting businesses and institutions have already
pegged biometric-signature authentication as a more secure approach
to providing greater accuracy in customer verification.
Given that the latest systems require no additional hardware, entail
no extra expense for users, reside in the cloud outside of the company's
business system, and allow for the monitoring of fraudulent activity,
this subset of biometric verification is emerging as a strong new
strategy of defense.
“We have used signature biometrics for nearly three years with
more than 10,000 student users, and it has exceeded our expectations,”
said Dr. Mark Sarver, CEO of eduKan, a consortium
of community colleges offering online courses and degrees. “It
provides an identity-proofing means that is transparent to our
students while respecting their privacy. [It] is available anytime
and stays cost-effective for the institution.”
Toward the Next Level of Customer Authentication
Identification-checking modalities currently fall into three basic
categories:
- Presumably something only the user knows, such as a PIN or
password;
- An item that the user has in his or her possession: devices like
a flash drive or a token that provides random authentication
codes, credit cards or personal IDs in various forms, including
a phone; and
- Biometrics: something physically or behaviorally unique to an
individual.
The failure of relying on something the user knows has become
all too apparent. Cybercriminals have repeatedly proven the
ease of cracking passwords and PINs.
Secondly, requiring a user to possess a verification tool, like a
flash drive, entails the cost of purchasing, producing and distributing
the necessary hardware. Beyond the initial expense, these
items can break, get misplaced or stolen. Of even greater concern,
such devices do not necessarily authenticate the individual. They
only verify that a person has possession of the device. The same
can be said for personal IDs, credit cards and phones; does one really know if that person is the rightful owner?
This leaves biometric verification, which relies on quantifiable physical
characteristics of each individual. Examples include fingerprints, iris
scans, facial recognition and even vein scanning. While this offers
near-absolute verification, this type of identification requires sophisticated
and costly hardware to capture and interpret.
Qualification of Unique Behaviors
The subset of dynamic biometrics involves quantifying an individual’s
unique behaviors, like movements. For instance, keystroke
analysis establishes the unique patterns and dwell times of
an individual while typing. Because this captures only one biometric,
the dwell time (the interval between keystrokes), it yields too small
a metric to accurately identify a given user out of thousands of
possible users.
Biosignature typing via handwriting offers far greater
specificity. Identification is accomplished by having the user
handwrite letters or numbers within a confined space by moving
his or her finger, mouse or stylus. Unique writing attributes, such
as length, angle, speed, height and number of strokes, get assessed
and stored in an encrypted database. Software algorithms compare
this stored data against the patterns collected at the user's subsequent
logins, confirming whether or not they match.
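The enrollment-and-comparison step just described, as an added illustration that is not BioSig-ID's or BSI's code: the strokes are constructed (x, y, t) samples, the features are the ones the article names, and the tolerances are assumed values.

```python
"""Toy biosignature matching (added example, not BioSig-ID's own code).
A character is a list of strokes; a stroke is a list of (x, y, t) samples
between pen-down and pen-up. Features follow the ones the article names."""
import math

def extract_features(strokes):
    """Feature vector for one handwritten character."""
    length = duration = 0.0
    ys = []
    for stroke in strokes:
        for (x0, y0, _), (x1, y1, _) in zip(stroke, stroke[1:]):
            length += math.hypot(x1 - x0, y1 - y0)
        duration += stroke[-1][2] - stroke[0][2]  # pen-down time of this stroke
        ys.extend(y for _, y, _ in stroke)
    (fx, fy, _), (lx, ly, _) = strokes[0][0], strokes[-1][-1]
    return {"strokes": len(strokes), "length": length,
            "height": max(ys) - min(ys),
            "speed": length / duration if duration else 0.0,
            "angle": math.degrees(math.atan2(ly - fy, lx - fx))}  # first->last point

def enroll(samples):
    """Average several enrollment drawings into the stored template."""
    feats = [extract_features(s) for s in samples]
    return {k: sum(f[k] for f in feats) / len(feats) for k in feats[0]}

# Assumed tolerances: relative for lengths and speed, absolute degrees for angle.
TOLERANCE = {"length": 0.15, "height": 0.15, "speed": 0.25, "angle": 15.0}

def verify(template, strokes, tol=TOLERANCE):
    """Accept a login drawing only if every feature is within tolerance."""
    f = extract_features(strokes)
    if f["strokes"] != template["strokes"]:
        return False
    if abs(f["angle"] - template["angle"]) > tol["angle"]:
        return False
    return all(abs(f[k] - template[k]) <= tol[k] * template[k]
               for k in ("length", "height", "speed"))

# Constructed drawings of a "T": a horizontal bar, then a vertical stem.
ENROLL_T = [
    [[(0, 0, 0.00), (10, 0, 0.10)], [(5, 0, 0.30), (5, -10, 0.50)]],
    [[(0, 0, 0.00), (10.5, 0, 0.11)], [(5, 0, 0.31), (5, -10.4, 0.52)]],
]
GENUINE_T = [[(0, 0, 0.00), (10.2, 0, 0.10)], [(5, 0, 0.32), (5, -9.8, 0.51)]]
# Same shape traced about four times slower: the behavioral features differ.
FORGED_T = [[(0, 0, 0.00), (10, 0, 0.40)], [(5, 0, 0.90), (5, -10, 1.40)]]
```

The forged drawing reproduces the shape but not the speed, which is the point of a behavioral biometric: the tolerance values set the trade-off between false accepts and false rejects.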
In independent testing by the Tolly Group, a global provider
of testing and third-party validation and certification services for
the information technology industry, one biosignature recognition
system, BioSig-ID, was found to be 27 times more accurate
than keystroke analysis. Observed confidence ratings at 99.97%
meant that the false positive level of the biosignature software
was three times better than the guidelines put out by the National Institute
of Standards and Technology (NIST).
Virtual Biometric Reader
Despite its high degree of specificity, signature authorization
could suffer the same fate as other biometrics: the need
for a device to read the biometric. However, this obstacle has
been sidestepped by engineering a virtual reader that resides in
the cloud. Users gain access to it via the Internet, making it instantly
and universally available.
“The gauntlet was thrown down while pitching the federal
Drug Enforcement Agency on using a biosignature device to confirm
the identity of doctors so they could write electronic prescriptions
over the Internet,” said Jeff Maynard, CEO of BSI. “But,
with 600,000 physicians, and at $400 a pop, the DEA felt it would
be too expensive to find wide adoption. They said, ‘if I could come
up with a software-only biometric, then we could talk.’”
Maynard subsequently developed a system where the signature
reader resides on the company’s server. Users log onto the
website, handwrite four unique alphanumeric characters or symbols
within the defined spaces, and when confirmed, access their
account. Industry-accepted application programming interface standards,
like SAML 2.0 SSO-IO, connect the service to the business
systems of the institution employing this means of ID verification.
“We outsource everything we can, except teaching and learning,
as a means of fulfilling our mission to be accessible and affordable,”
Sarver said. “Since our biosignature system is hosted by
the vendor, we can keep our overhead as well as our tuition low.”
Higher Security for Preservation of Assets
Many retailers and e-tailers have not implemented higher security
measures because they don’t want their clients to spend additional
time going through extra security. This extra time, they
believe, could mean loss of clients and sales. What may be true is
just the opposite.
Consider that, according to Consumer Reports in 2010, there were 50 million
people paying $120-$300 yearly for identity theft protection.
These are the same people who are concerned about using higher
security to preserve their personal assets. It is likely they would
pay a little per month for better security and tolerate spending
more time if it meant less financial risk to them. Their willingness
to accept and pay for newer security may depend in part on being
offered options that have a positive user experience.
“Banks and financial services companies are increasingly
vulnerable to identity fraud, especially when users are accessing
accounts online,” said Tuck Ackerman, former FDIC senior examiner
and FFIEC program manager, who now serves as a consultant
to financial institutions.
In 2001, the FFIEC issued strong warnings to financial institutions
on the need for better authentication techniques for online
banking, with an emphasis on the need for a third component
to better identify the person as the true authorized user. In 2005,
it issued guidance requiring this additional authentication by
the end of 2006; and, in 2011, a third and stronger warning was
issued as supplemental guidance.
“The industry has been slow to adapt, primarily because of
the expense for additional hardware to better identify the person,
and more importantly, the perceived inconvenience and
lack of consumer desire,” Ackerman said. “The use of biosignatures
is a significant leap forward not only in security, but in
the ease-of-use and customer acceptance category. Since users
do not require any additional hardware or software, they can
continue to access their accounts using basically the same process
they have been accustomed to for over a decade, and that
should translate into a high rate of user acceptance and satisfaction.
This is an especially exciting breakthrough for community
banks and credit unions.”
Biosignatures provide a solution that is easy to deploy, far
less expensive and matches the more complicated security features
offered by larger banks, while enhancing customer service
with additional security and no inconvenience.
Tracking Down the Invaders
Going one step further, the latest biometric authorization systems
utilize audit trails to uncover suspicious activity by pinpointing
the time, date, physical location and even the IP address of an
unauthorized user who tries to access an account.
“Through continuous and randomized forensic checks via
neural net technology, we can uncover fraudulent activity, like ‘is
the same IP address used for log-in all the time or does it come in
every once in a while from China or Romania?’” Maynard said.
“We then bring this ‘red flag’ to the attention of the company
whose customers we authenticate.”
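An added example of the audit-trail check Maynard describes, not BSI's code: it builds each user's baseline of countries and IP addresses from earlier successful logins and raises a red flag for later logins from outside that baseline (the events are constructed and the IPs come from documentation ranges).

```python
"""Audit-trail red flags over login events (added example, not BSI's code).
Each event is (user, timestamp, ip, country, result); the baseline is the set
of countries and IPs seen in a user's earlier successful logins."""
from collections import defaultdict

# Constructed audit trail in time order; IPs are from documentation ranges.
EVENTS = [
    ("alice", "2014-03-01T08:02:11", "203.0.113.10", "US", "ok"),
    ("alice", "2014-03-02T08:05:40", "203.0.113.10", "US", "ok"),
    ("alice", "2014-03-03T08:01:03", "203.0.113.11", "US", "ok"),
    ("bob",   "2014-03-03T09:15:27", "198.51.100.7", "US", "ok"),
    ("alice", "2014-03-04T02:47:59", "192.0.2.44",   "RO", "ok"),
    ("bob",   "2014-03-04T09:12:00", "198.51.100.7", "US", "fail"),
    ("bob",   "2014-03-04T09:12:30", "198.51.100.7", "US", "ok"),
    ("alice", "2014-03-05T08:03:15", "203.0.113.10", "US", "ok"),
]

def red_flags(events, min_history=2):
    """Return (user, timestamp, ip, country, reason) for logins to review."""
    countries, ips, successes = defaultdict(set), defaultdict(set), defaultdict(int)
    flags = []
    for user, ts, ip, country, result in events:
        reason = None
        # Judge only once the user has enough successful history to compare with.
        if successes[user] >= min_history:
            if country not in countries[user]:
                reason = "new country"
            elif ip not in ips[user]:
                reason = "new IP"
        if reason:
            flags.append((user, ts, ip, country, reason))
            continue  # do not learn from a flagged login until it is reviewed
        if result == "ok":
            countries[user].add(country)
            ips[user].add(ip)
            successes[user] += 1
    return flags
```

A new IP inside a known country is reported separately from a new country so the company receiving the red flag can weight the two differently; a failed attempt from a known address (bob) is not a flag on its own.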
The ability to provide evidence of all the events surrounding
the authentication activity not only provides a powerful tool to
combat fraud, but also ensures compliance with evolving regulations
that are expected to mandate stricter standards of identity
authorization.
This article originally appeared in the May 2014 issue of Security Today.