Strength Meets Precision

The need for strong authentication, when it makes sense

Across the globe, online criminals are focusing funds, time and resources to perpetrate fraud—and they are becoming more and more adept at this process. The result has been a dramatic increase in online fraud that targets consumers, enterprises and citizens. Every data breach or identity-theft case reported in the media erodes the public's confidence in the security of online financial transactions. This loss of confidence could jeopardize the ability of organizations to conduct transactions online.

Today, a wide variety of organizations offering online services face increasing pressure to defend against phishing, man-in-the-middle attacks and other criminal activities that ultimately focus on defrauding people and businesses.

More Attacks, Billions Lost

Identity-related online attacks, such as account hijacking, are among the world's fastest-growing crimes. Compromise of a user's online identity can allow an attacker to gain access to a victim's online information, including bank accounts. Once access to the victim's bank account is gained, criminals typically work to transfer funds out, and also harvest additional personal information that may be useful later to perpetrate other crimes.

This type of identity fraud is alarming since the perpetrator need not reside in the same region as the victim, nor have direct access to any physical documentation. From virtually anywhere in the world, thieves need only trick a user into surrendering his or her password, and the rest is a simple process to execute online fraud.

Although stronger authentication policies are becoming more common, reliance on simple passwords in the majority of online transactions allows identity fraud to thrive. Two major forms of online identity attacks clearly demonstrate the frailty of password-only authentication schemes. Phishing and man-in-the-middle attacks rely on the use of "spoofed" e-mail messages and other techniques to direct users to fraudulent Web sites where passwords are stolen. By fooling victims into divulging usernames and passwords, attackers gain access to the victims' accounts. Man-in-the-middle and malware attacks use different, more invasive techniques to steal the user's identity, but they are still typically initiated with phishing e-mails.

These attacks are possible due to inherent weaknesses in password-based, single-factor authentication. Once an online thief observes the user's name and password, he has all he needs to access the victim's online account. Unlike traditional forms of identity theft, an online attack only needs to reach a small percentage of users to result in the compromise of a significant number of user identities.

Most online organizations provide some—or in the case of some retail banks, complete—reimbursement for losses from these types of attacks. This leads to significant cost to these organizations and inconvenience for end users as the bank investigates. These costs alone provide valid business rationale for addressing the issue immediately. However, this is not the most significant impact or risk from online identity fraud.

Consumer Confidence

Organizations continue to seek methods to help stop persistent fraud attacks on invaluable information, customer identities and brand image. Because of cost, apathy or arrogance, many are still not taking the appropriate precautions.

According to the fourth annual "U.S. Cost of a Data Breach Study," based on research released in February 2009 by the Ponemon Institute, the average total per-incident cost for a data breach in 2008 was $6.65 million. This represents an increase of more than $300,000 per incident over 2007 and a 40 percent jump since the study's inception in 2005.

On Jan. 20, Heartland Payment Systems, a New Jersey-based credit card processing company, announced that as many as 100 million customer accounts may have been compromised after malicious software enabled a security breach in its payment processing system. The breach, which Heartland said it discovered in October 2008, is another example of an organization not implementing the proper security solutions that could help prevent fraud. Three men were arrested in Florida after trying to imprint the stolen data onto fake Visa gift cards, but investigators still believe a more organized criminal element in Eastern Europe is behind the data breach.

As online identity attacks have become more prevalent, a significant number of users have decreased or discontinued online transactions, particularly in the financial sector. It is inevitable that users will continue to be less willing to take the risk of using online services without better protection of their online identity. This leaves organizations subject to two negative impacts: increasing costs of attacks that hit the corporate bottom line directly, and limited online service use, which affects both costs and revenue generation. Meanwhile, there is a significant reward for organizations that address this issue and provide their users with better protection of their online identity—based on retaining existing customers, as well as having them transact more business in the cost-effective online world.

Who Can Help?

Numerous security vendors have stepped forward with proposed solutions to this important problem. Logically, the intent of online security is clear: to better protect people and businesses from online crime. However, the implementation details are seemingly complex and difficult to comprehend. Around the globe today, organizations struggle with the question, "Where should we begin?"

Protecting the corporate brand, safeguarding customers and meeting the appropriate regulations are now primary concerns. To properly address them, organizations should partner with proven security vendors that offer a balance of affordability, service and expertise.

The first step of this process is a thorough review of online activities and risk assessments to better understand what is really required for authentication. The next step is implementing a strong authentication solution that can be leveraged, based on risk, across multiple applications and user communities. Institutions also must strategically acquire and deploy additional online safeguards, including coupling online fraud detection with a range of multifactor authentication capabilities.

Security threats will continue to evolve, and organizations must develop solutions that can adapt to future challenges and protect consumers for the long term. Developing a strategic vision for securing online transactions means making security choices that will address today's requirements and can adapt to help meet tomorrow's challenges.

Strong Authentication

The combination of a strong authentication platform with an online fraud detection solution can help organizations meet the challenges of online fraud. Modern strong authentication solutions can leverage risk assessment to determine the appropriate level of authentication. For example, a user checking her account balance from home has a different risk profile than someone attempting an interbank transfer from a foreign country.

Organizations should deploy a solution that is flexible and secure, of the kind Gartner defines as a Versatile Authentication Server. Leveraging a solution like this enables organizations to choose from a variety of strong authentication methods that best align with the risk of a given transaction. Authentication is then only as intrusive as the risk requires, which improves user acceptance.

A strong authentication solution simplifies the risk remediation process by allowing organizations to establish a clear risk-driven authentication policy. First, organizations can quickly establish policy around which transactions are considered higher risk, independent of user context. Organizations also can use authentication as an input to and output from their application's fraud detection capability.

A capable strong authentication platform should support a variety of authentication methods such as IP-geolocation, device identity, grid cards, digital certificates and a range of one-time-password tokens. As an open platform, it should be able to expand and adapt to help meet security needs today and in the future.
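The risk-driven policy described above (a per-transaction base risk set independent of user context, contextual signals such as IP-geolocation and device identity, a fraud-detection score as input, and step-up to the least intrusive method the risk requires) can be made concrete. This is an added illustration, not code from the article or any vendor product; the transaction types, risk weights, thresholds and country codes are constructed for the example.

```python
from dataclasses import dataclass

# Base risk per transaction type, fixed before any user context is considered
# (the article's first policy step). Values are constructed for this example.
TRANSACTION_RISK = {
    "view_balance": 10,
    "pay_known_payee": 35,
    "add_payee": 55,
    "interbank_transfer": 70,
}

# Step-up ladder: the lowest tier whose threshold the score reaches applies.
# Methods are those the article names; thresholds are assumptions.
TIERS = (
    (0, frozenset({"password"})),
    (40, frozenset({"password", "otp_token"})),
    (75, frozenset({"password", "otp_token", "grid_card"})),
)
REFER_THRESHOLD = 90  # at or above this, refer to fraud review rather than step up


@dataclass(frozen=True)
class Context:
    """Signals available when the transaction is attempted (constructed example)."""
    home_country: str
    ip_country: str        # result of IP-geolocation
    device_known: bool     # device identity previously registered for this user
    fraud_score: int = 0   # 0-100, supplied by the fraud detection system


def risk_score(txn: str, ctx: Context) -> int:
    """Combine transaction risk with contextual signals, capped at 100."""
    score = TRANSACTION_RISK.get(txn, 100)  # unknown transaction: treat as maximal risk
    if ctx.ip_country != ctx.home_country:
        score += 15                         # foreign geolocation
    if not ctx.device_known:
        score += 10                         # unrecognised device
    score += ctx.fraud_score // 4           # fraud detection as an input to authentication
    return min(score, 100)


def required_methods(score: int):
    """Methods the user must present for this score; None means refer to fraud review."""
    if score >= REFER_THRESHOLD:
        return None
    chosen = TIERS[0][1]
    for threshold, methods in TIERS:
        if score >= threshold:
            chosen = methods
    return chosen


def decide(txn: str, ctx: Context, presented: set) -> str:
    """Return 'allow', 'step_up' (more factors needed) or 'refer' (fraud review)."""
    needed = required_methods(risk_score(txn, ctx))
    if needed is None:
        return "refer"
    return "allow" if needed <= presented else "step_up"
```

A balance check from a known device at home needs only a password, while an interbank transfer from abroad on a new device exceeds the refer threshold regardless of the factors presented.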

Complementing the strong authentication platform, the fraud detection solution should defend against fraud attacks without impacting the user or existing applications. It should be a cost-effective solution that can be rapidly deployed to all users and is interoperable with the given versatile authentication platform.

An additional component of this equation is the ability to leverage an open fraud intelligence network, which is an information-sharing service designed to combat online fraud by consolidating and sharing key fraud behavior patterns and data among network participants. It is focused on providing participating members the latest fraud behaviors and tactics, as well as key data for detecting and combating fraud as it evolves.

This article originally appeared in the issue of .
