Strength Meets Precision
The need for strong authentication, when it makes sense
- By Steve Neville
- May 01, 2009
Across the globe, online criminals are focusing funds, time and
resources to perpetrate fraud—and they are becoming more and more
adept at this process. The result has been a dramatic increase in online
fraud that targets consumers, enterprises and citizens. Every data
breach or identity-theft case reported in the media erodes the public's
confidence in the security of online financial transactions. This loss of confidence
could jeopardize the ability of organizations to conduct transactions online.
Today, a wide variety of organizations offering online services face increasing pressure
to defend against phishing, man-in-the-middle attacks and other criminal activities
that ultimately focus on defrauding people and businesses.
More Attacks, Billions Lost
Identity-related online attacks, such as account hijacking, are among the world's
fastest-growing crimes. Compromise of a user's online identity can allow an attacker
to gain access to a victim's online information, including bank accounts. Once access
to the victim's bank account is gained, criminals typically will work toward the transfer
of funds, as well as take advantage of access to more personal information that may
be useful in the future to perpetrate other crimes.
This type of identity fraud is alarming since the perpetrator need not reside in the
same region as the victim, nor have direct access to any physical documentation. From
virtually anywhere in the world, thieves need only trick a user into surrendering his
or her password, and the rest is a simple process to execute online fraud.
Although stronger authentication policies are becoming more common, reliance on
simple passwords in the majority of online transactions allows identity fraud to thrive.
Two major forms of online identity attack clearly demonstrate the frailty of password-only authentication schemes. Phishing relies on
"spoofed" e-mail messages and other lures to direct users to fraudulent
Web sites where passwords are harvested. By fooling victims into divulging usernames
and passwords, attackers gain access to the victims' accounts. Man-in-the-middle and
malware attacks use different, more invasive techniques to capture the user's credentials or session, but
they are still typically initiated with phishing e-mails.
These attacks are possible due to inherent weaknesses in password-based, single-factor
authentication. Once an online thief observes the user's name and password, he has
all he needs to access the victim's online account. Unlike traditional forms of identity theft, an online attack only needs to reach
a small percentage of users to result in the
compromise of a significant number of
Most online organizations provide
some—or in the case of some retail
banks, complete—reimbursement for
losses from these types of attacks. This
leads to significant cost to these organizations
and inconvenience for end users
as the bank investigates. These costs
alone provide valid business rationale for
addressing the issue immediately.
However, this is not the most significant
impact or risk from online identity fraud.
Organizations continue to seek methods
to help stop persistent fraud attacks on
invaluable information, customer identities
and brand image. Because of cost,
apathy or arrogance, many are still not
taking the appropriate precautions.
According to the fourth annual "U.S.
Cost of a Data Breach Study," based on
research released in February 2009 by the
Ponemon Institute, the average total per-incident
cost for a data breach in 2008
was $6.65 million. This represents an
increase of more than $300,000 per incident
over 2007 and a 40 percent jump since
the study's inception in 2005.
On Jan. 20, Heartland Payment
Systems, a New Jersey-based credit card
processing company, announced that as
many as 100 million customer accounts
may have been compromised after malicious
software enabled a security breach
in its payment processing system. The
breach, which Heartland said it discovered
in October 2008, is another example
of an organization not implementing the
proper security solutions that could help
prevent fraud. Three men were arrested
in Florida after trying to imprint the
stolen data onto fake Visa gift cards, but
investigators still believe a more organized
criminal element in eastern Europe
is behind the data breach.
As online identity attacks have become
more prevalent, a significant number of
users have decreased or discontinued
online transactions, particularly in the
financial sector. It is inevitable that users
will continue to be less willing to take the
risk of using online services without better
protection of their online identity. This
leaves organizations subject to two negative
impacts: increasing costs of attacks
that drive directly to the corporate bottom
line and limited online service use,
impacting both costs and revenue generation.
Meanwhile, there is a significant
reward for organizations that address this
issue and provide their users with better
protection of their online identity—based
on retaining existing customers, as well as
having them transact more business in the
cost-effective online world.
Who Can Help?
Numerous security vendors have
stepped forward with proposed solutions
to this important problem. Logically,
the intent of online security is clear: to
better protect people and businesses
from online crime. However, the implementation
details are seemingly complex
and difficult to comprehend.
Around the globe today, organizations
struggle with the question, "Where
should we begin?"
Protecting the corporate brand, safeguarding
customers and meeting the
appropriate regulations are now primary
concerns. To properly address them,
organizations should partner with proven
security vendors that offer a balance of
affordability, service and expertise.
The first step of this process is a thorough
review of online activities and risk
assessments to better understand what is
really required of authentication, before implementing
a strong authentication solution that
can be leveraged based on risk across
multiple applications and user communities.
Institutions also must strategically
acquire and deploy additional online
safeguards, including coupling online
fraud detection with a range of multifactor
Security threats will continue to
evolve, and organizations must develop
solutions that can adapt to future challenges
and protect consumers for the long
term. Developing a strategic vision for
securing online transactions means making
security choices that will address
today's requirements and can adapt to
help meet tomorrow's challenges.
The combination of a strong authentication
platform with an online fraud
detection solution can help organizations
meet the challenges of online
fraud. Modern strong authentication
solutions can leverage risk assessment
to determine the appropriate level of
authentication. For example, a user
checking her account balance from
home has a different risk profile than
someone attempting an interbank transfer
from a foreign country.
Organizations should deploy a solution
that is flexible and secure, of the kind
Gartner defines as a Versatile Authentication
Server. Leveraging a solution like this
enables organizations to choose from a
variety of strong authentication methods
that best align with the risk of a given
transaction. This allows authentication to
be only as invasive as required by the risk
to improve user acceptance.
A strong authentication solution simplifies
the risk remediation process by
allowing organizations to establish a clear
risk-driven authentication policy. First,
organizations can quickly establish policy
around which transactions are considered
higher risk, independent of user context.
Organizations also can use authentication
as an input to and output from their application's
fraud detection capability.
A capable strong authentication platform
should support a variety of authentication
methods such as IP-geolocation,
device identity, grid cards, digital certificates
and a range of one-time-password
tokens. As an open platform, it should be
able to expand and adapt to help security
needs today and in the future.
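The risk-driven policy described above (the balance check from home versus the interbank transfer from abroad; transaction-type risk set independently of user context; geolocation, device identity, grid cards and one-time-password tokens as the available methods; the authentication result fed to fraud detection) can be made concrete in a small policy engine. The following is an added example written for this page, not code from the article or from any vendor product. The risk weights, thresholds, transaction types, the 5x5 grid card and the user enrolment record are all assumptions constructed for illustration; the one-time-password function implements HOTP as specified in RFC 4226.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Illustrative policy values: assumptions for this example, not figures from the article.
BASE_RISK = {"balance": 0, "internal_transfer": 2, "interbank_transfer": 4}
FOREIGN_COUNTRY_RISK = 3   # IP geolocation disagrees with the country on file
UNKNOWN_DEVICE_RISK = 2    # device identity does not match an enrolled device
LARGE_AMOUNT = 10_000
LARGE_AMOUNT_RISK = 2


@dataclass
class Transaction:
    kind: str            # what the user is trying to do
    amount: float
    country: str         # country derived from IP geolocation
    home_country: str    # country on file for the user
    device_known: bool   # device identity matches a device the user enrolled earlier


def risk_score(tx: Transaction) -> int:
    """Transaction-type risk first (policy independent of user context), then context."""
    score = BASE_RISK.get(tx.kind, 5)  # unknown transaction types are treated as high risk
    if tx.country != tx.home_country:
        score += FOREIGN_COUNTRY_RISK
    if not tx.device_known:
        score += UNKNOWN_DEVICE_RISK
    if tx.amount >= LARGE_AMOUNT:
        score += LARGE_AMOUNT_RISK
    return score


def required_method(score: int) -> str:
    """Map a risk score to the least invasive method that still covers it."""
    if score <= 1:
        return "password"   # first factor only
    if score <= 4:
        return "grid"       # grid-card challenge as the second factor
    return "otp"            # one-time-password token as the second factor


# Grid card: the user holds a printed grid; the server asks for the values at random cells.
def new_grid_card(rows: int = 5, cols: int = 5) -> list:
    return [[secrets.choice("0123456789") for _ in range(cols)] for _ in range(rows)]


def grid_challenge(card: list, cells: int = 3) -> list:
    coords = [(r, c) for r in range(len(card)) for c in range(len(card[0]))]
    return [coords.pop(secrets.randbelow(len(coords))) for _ in range(cells)]


def grid_expected(card: list, challenge: list) -> str:
    return "".join(card[r][c] for r, c in challenge)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class Enrolment:
    """What the server holds for one user (constructed for the example)."""
    card: list
    otp_secret: bytes
    otp_counter: int = 0
    look_ahead: int = 3   # tolerate a few token presses that never reached the server


def verify_step_up(enr: Enrolment, method: str, challenge, response: str) -> bool:
    if method == "password":
        return True   # assumption: the first factor was already checked upstream
    if method == "grid":
        return hmac.compare_digest(grid_expected(enr.card, challenge), response)
    if method == "otp":
        for i in range(enr.look_ahead):
            if hmac.compare_digest(hotp(enr.otp_secret, enr.otp_counter + i), response):
                enr.otp_counter += i + 1   # advance past the used counter: no replay
                return True
        return False
    return False


def decide(tx: Transaction, enr: Enrolment, challenge, response: str) -> dict:
    """Authentication outcome in a form a fraud-detection system can consume as input."""
    score = risk_score(tx)
    method = required_method(score)
    return {"risk": score, "method": method,
            "allowed": verify_step_up(enr, method, challenge, response)}


if __name__ == "__main__":
    enr = Enrolment(card=new_grid_card(), otp_secret=secrets.token_bytes(20))
    print(decide(Transaction("balance", 0, "CA", "CA", True), enr, None, ""))
    print(decide(Transaction("interbank_transfer", 15000, "RO", "CA", False),
                 enr, None, hotp(enr.otp_secret, 0)))
```

Two points worth noting in the design: the transaction type sets a floor on risk before any user context is considered, so a large interbank transfer is never treated as low risk just because it comes from a known device, and a balance check from an unknown device abroad still steps up; and the OTP verifier advances the stored counter past whatever value it accepted, so a code captured by a phishing page or a man-in-the-middle cannot be replayed once the legitimate user's submission has been consumed.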
Complementing the strong authentication
platform, the fraud detection solution
should defend against fraud attacks without
impacting the user or existing applications.
It should be a cost-effective solution
that can be rapidly deployed to all
users and is interoperable with the given
versatile authentication platform.
An additional component of this
equation is the ability to leverage an
open fraud intelligence network, which is
an information-sharing service designed
to combat online fraud by consolidating
and sharing key fraud behavior patterns
and data among network participants. It
is focused on providing participating
members the latest fraud behaviors and
tactics, as well as key data for detecting
and combating fraud
as it evolves.
This article originally appeared in the May 2009 issue of Security Today.