Raising the Bar

Gaining acceptance is a means for preventing online fraud

  • By Allison Armstrong
  • Mar 01, 2009

With every successful breach of Internet security, we learn the same lesson: there is no silver-bullet solution to prevent online fraud. Attackers are relentless innovators, single-minded in the pursuit of a breach.

Security professionals have long understood that any single factor—like a password—can be spoofed. Even security tokens, considered by some to be 100 percent reliable, can in fact be passed around, phished, lost or stolen.

Risk-based authentication is widely adopted in the financial services industry and is now gaining acceptance as a means for preventing online fraud. Risk-based authentication addresses the increasing complexity of threats by applying multiple factors to score the likelihood that a user is who he or she claims to be online.

Risk-based authentication has typically focused on assessing location and device as proxies for the user. Previously, there were no direct means to confirm the user, so security vendors have invented substitute methods that take the IP location, device signature or certificates as a substitute.

The problem with proxies in risk-based authentication is that they aren’t the user and can be used to spoof the security system. Attempting to plug this hole leads to other issues, including that many riskbased systems tend to exhibit a high falsepositive rate and proxy-based authentication is vulnerable to collusion, social engineering and account sharing fraud.

The solution might be to add a solid, user-level form of authentication that doesn’t depend upon proxies but also doesn’t require the cost and cumbersome implementation of physical biometric solutions.

Authentication Shrinks the Attack
Each authentication layer—network, device and user—is strong in blocking certain attacks but less effective against others. Any single defense is vulnerable to a particular line of attack. The most effective security combines factors at all three layers to provide the most resistant posture.

The network layer uses login IP addresses and their geographical origination points as a proxy for users. However, network-layer authentication alone isn’t capable of verifying the identity of a user. Similarly, device signatures verify the hardware as a proxy for the user, matching a known device signature with the current attempt. But what if the user’s laptop has been compromised, along with cached passwords?

The network and device authentication layers have limitations in blocking collusion, social engineering or accountsharing fraud.

New Frauds, New Responses
There are attacks that cannot be prevented by the network and device layers. As long as they are viable avenues for fraudsters, the attack surface remains a broad and inviting target.

Collusion. When willingly surrendered to a collaborator, credentials are a particularly damaging weapon against the systems they were meant to protect. Collusion destroys the very revenue stream of software and information service providers, when legitimate users invite others to use the service by riding in on their username and password.

Corporate social engineering. The same goes for the betrayal of trust inherent when a disgruntled executive assistant uses the boss’ own access codes to foment mischief. A coworker grabs a token and is able to compromise critical controls.

Friends and family social engineering. A child uses a parent’s work account or a friend steals a bingo card, token or security device. In one real-life example, the son of a real estate agent used his father’s password to log into privileged information on the MLS. The teen could discern which homes were vacant, and threw large, destructive parties in the homes.

How does an organization raise the bar to mitigate these threats? The answer is to integrate the network and device authentication factors with a user-centric layer, reducing the attack surface. In addition to authenticating at the device and network layer, AdmitOne Security Suite employs a user layer capable of detecting a user’s unique “typing signature.” Using keystroke dynamics, the user layer is able to mitigate threats from collusion, account sharing and social engineering and is able to work in concert with other factors to reduce the threat from additional attack vectors.

Keystroke Dynamics
While typing a string of characters in a password for example, every person exhibits a series of timing events—a typing signature. The measurement and comparison of user-specific typing rhythms is called keystroke dynamics.

The raw measurements of a user’s typing rhythm can be recorded from almost any keyboard to determine related metrics like dwell time and flight time. These and other timing measures form a series of mathematical data representing a user’s typing signature or template. AdmitOne’s patent-pending algorithms compare this data to previous attempts and calculate a confidence score that the user is who he or she claims to be.

Keystroke dynamics cannot be lost or easily stolen. It is portable and permanent with users, and cannot be carelessly “loaned” to another. This proven technology is recognized by analyst organizations as an important addition to enterprise security systems.

This article originally appeared in the issue of .

Featured

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

  • The Future is Happening Outside the Cloud

    For years, the cloud has captivated the physical security industry. And for good reason. Remote access, elastic scalability and simplified maintenance reshaped how we think about deploying and managing systems. But as the number of cameras grows and resolutions push from HD to 4K and beyond, the cloud’s limits are becoming unavoidable. Bandwidth bottlenecks. Latency lags. Rising storage costs. These are not abstract concerns. Read Now

  • Right-Wing Activist Charlie Kirk Dies After Utah Valley University Shooting

    Charlie Kirk, a popular conservative activist and founder of Turning Point USA, died Wednesday after being shot during an on-campus event at Utah Valley University in Orem, Utah Read Now

  • The Impact of Convergence Between IT and Physical Security

    For years, the worlds of physical security and information technology (IT) remained separate. While they shared common goals and interests, they often worked in silos. Read Now

Most   Popular

New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.