Strength Meets Precision

The need for strong authentication, when it makes sense

Across the globe, online criminals are focusing funds, time and resources to perpetrate fraud—and they are becoming more and more adept at this process. The result has been a dramatic increase in online fraud that targets consumers, enterprises and citizens. Every data breach or identity-theft case reported in the media erodes the public's confidence in the security of online financial transactions. This loss of confidence could jeopardize the ability of organizations to conduct transactions online.

Today, a wide variety of organizations offering online services face increasing pressure to defend against phishing, man-in-the-middle attacks and other criminal activities that ultimately focus on defrauding people and businesses.

More Attacks, Billions Lost

Identity-related online attacks, such as account hijacking, are among the world's fastest-growing crimes. Compromise of a user's online identity can allow an attacker to gain access to a victim's online information, including bank accounts. Once access to the victim's bank account is gained, criminals typically will work toward the transfer of funds, as well as take advantage of access to more personal information that may be useful in the future to perpetrate other crimes.

This type of identity fraud is alarming since the perpetrator need not reside in the same region as the victim, nor need direct access to any physical documentation. From virtually anywhere in the world, thieves need only trick a user into surrendering his or her password, and the rest is a simple process to execute online fraud.

Although stronger authentication policies are becoming more common, reliance on simple passwords in the majority of online transactions allows identity fraud to thrive. Two major forms of online identity attacks clearly demonstrate the frailty of password-only authentication schemes. Phishing and man-in-the-middle attacks rely on the use of "spoofed" e-mail messages and other techniques to direct users to fraudulent Web sites where passwords are stolen. By fooling victims into divulging usernames and passwords, attackers gain access to the victims' accounts. Man-in-the-middle and malware attacks use different, more invasive techniques to steal the user's identity, but they are still typically initiated with phishing e-mails.

These attacks are possible due to inherent weaknesses in password-based, single-factor authentication. Once an online thief observes the user's name and password, he has all he needs to access the victim's online account. Unlike traditional forms of identity theft, an online attack only needs to reach a small percentage of users to result in the compromise of a significant number of user identities.

Most online organizations provide some—or in the case of some retail banks, complete—reimbursement for losses from these types of attacks. This leads to significant cost to these organizations and inconvenience for end users as the bank investigates. These costs alone provide valid business rationale for addressing the issue immediately. However, this is not the most significant impact or risk from online identity fraud.

Consumer Confidence

Organizations continue to seek methods to help stop persistent fraud attacks on invaluable information, customer identities and brand image. Because of cost, apathy or arrogance, many are still not taking the appropriate precautions.

According to the fourth annual "U.S. Cost of a Data Breach Study," based on research released in February 2009 by the Ponemon Institute, the average total per-incident cost for a data breach in 2008 was $6.65 million. This represents an increase of more than $300,000 per incident over 2007 and a 40 percent jump since the study's inception in 2005.

On Jan. 20, Heartland Payment Systems, a New Jersey-based credit card processing company, announced that as many as 100 million customer accounts may have been compromised after malicious software enabled a security breach in its payment processing system. The breach, which Heartland said it discovered in October 2008, is another example of an organization not implementing the proper security solutions that could help prevent fraud. Three men were arrested in Florida after trying to imprint the stolen data onto fake Visa gift cards, but investigators still believe a more organized criminal element in eastern Europe is behind the data breach.

As online identity attacks have become more prevalent, a significant number of users have decreased or discontinued online transactions, particularly in the financial sector. It is inevitable that users will continue to be less willing to take the risk of using online services without better protection of their online identity. This leaves organizations subject to two negative impacts: increasing costs of attacks that drive directly to the corporate bottom line and limited online service use, impacting both costs and revenue generation. Meanwhile, there is a significant reward for organizations that address this issue and provide their users with better protection of their online identity—based on retaining existing customers, as well as having them transact more business in the cost-effective online world.

Who Can Help?

Numerous security vendors have stepped forward with proposed solutions to this important problem. Logically, the intent of online security is clear: to better protect people and businesses from online crime. However, the implementation details are seemingly complex and difficult to comprehend. Around the globe today, organizations struggle with the question, "Where should we begin?"

Protecting the corporate brand, safeguarding customers and meeting the appropriate regulations are now primary concerns. To properly address them, organizations should partner with proven security vendors that offer a balance of affordability, service and expertise.

The first step of this process is a thorough review of online activities and risk assessments to better understand what is really required for both authentication and fraud detection, followed by implementing a strong authentication solution that can be leveraged based on risk across multiple applications and user communities. Institutions also must strategically acquire and deploy additional online safeguards, including coupling online fraud detection with a range of multifactor authentication capabilities.

Security threats will continue to evolve, and organizations must develop solutions that can adapt to future challenges and protect consumers for the long term. Developing a strategic vision for securing online transactions means making security choices that will address today's requirements and can adapt to help meet tomorrow's challenges.

Strong Authentication

The combination of a strong authentication platform with an online fraud detection solution can help organizations meet the challenges of online fraud. Modern strong authentication solutions can leverage risk assessment to determine the appropriate level of authentication. For example, a user checking her account balance from home has a different risk profile than someone attempting an interbank transfer from a foreign country.

Organizations should deploy a solution that is flexible and secure, what Gartner defines as a Versatile Authentication Server. Leveraging a solution like this enables organizations to choose from a variety of strong authentication methods that best align with the risk of a given transaction. This allows authentication to be only as invasive as the risk requires, which improves user acceptance.

A strong authentication solution simplifies the risk remediation process by allowing organizations to establish a clear risk-driven authentication policy. First, organizations can quickly establish policy around which transactions are considered higher risk, independent of user context. Organizations also can use authentication as an input to and output from their application's fraud detection capability.

A capable strong authentication platform should support a variety of authentication methods such as IP-geolocation, device identity, grid cards, digital certificates and a range of one-time-password tokens. As an open platform, it should be able to expand and adapt to help meet security needs today and in the future.
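The risk-driven policy described above, as an added example that is not code from the article or from any vendor it alludes to: a small policy engine that first assigns each transaction type a baseline risk independent of user context, then adds contextual signals from device identity and IP-geolocation, takes a score from the fraud detection layer as an input, and maps the total onto the least invasive authentication method that still covers the risk. The transaction kinds, point values, thresholds, the three authentication levels and the sample transactions are all constructed assumptions for illustration, not a published standard.

```python
"""Risk-driven step-up authentication policy (constructed illustration)."""
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Escalating authentication strengths; the numeric order is what the policy compares."""
    PASSWORD = 0       # username and password only
    OTP_OR_GRID = 1    # second factor: one-time-password token or grid-card challenge
    CERTIFICATE = 2    # digital certificate on an enrolled device or hardware token


@dataclass(frozen=True)
class TransactionContext:
    kind: str           # e.g. "balance_inquiry", "bill_pay", "interbank_transfer"
    amount: float       # transaction value in the account currency
    known_device: bool  # device-identity check matched a previously enrolled device
    geo_country: str    # country derived from IP-geolocation of this session
    home_country: str   # country on record for the account holder
    fraud_score: int    # 0-100 from the fraud detection layer (an input to the policy)


# Step 1: risk assigned per transaction type, independent of who is performing it.
# Values are assumed for the example.
BASE_RISK = {
    "balance_inquiry": 5,
    "bill_pay": 25,
    "interbank_transfer": 55,
}
UNKNOWN_KIND_RISK = 40  # conservative default for transaction types the policy does not list


def risk_score(tx: TransactionContext) -> int:
    """Combine the transaction-type baseline with contextual signals into a 0-100 score."""
    score = BASE_RISK.get(tx.kind, UNKNOWN_KIND_RISK)
    if not tx.known_device:
        score += 20  # unrecognised device: credentials may be replayed from elsewhere
    if tx.geo_country != tx.home_country:
        score += 25  # session originates abroad relative to the account's home country
    if tx.amount >= 10_000:
        score += 15  # high-value movements get extra scrutiny regardless of context
    score += tx.fraud_score // 4  # fraud detection contributes up to 25 points
    return min(score, 100)


def required_level(score: int) -> AuthLevel:
    """Map a risk score onto the least invasive method that still covers the risk."""
    if score < 30:
        return AuthLevel.PASSWORD
    if score < 65:
        return AuthLevel.OTP_OR_GRID
    return AuthLevel.CERTIFICATE


def decide(tx: TransactionContext, completed: AuthLevel) -> dict:
    """Return the policy decision; the record is also what gets fed back to fraud detection."""
    score = risk_score(tx)
    needed = required_level(score)
    return {
        "risk_score": score,
        "required": needed,
        "completed": completed,
        "step_up": completed < needed,  # True: challenge the user before proceeding
    }


if __name__ == "__main__":
    # Constructed samples mirroring the article's two scenarios plus a fraud-flagged bill payment.
    at_home = TransactionContext("balance_inquiry", 0.0, True, "US", "US", 0)
    abroad = TransactionContext("interbank_transfer", 12_000.0, False, "XX", "US", 40)
    flagged = TransactionContext("bill_pay", 200.0, True, "US", "US", 40)
    for tx in (at_home, abroad, flagged):
        print(tx.kind, decide(tx, AuthLevel.PASSWORD))
```

Device identity and IP-geolocation act here as silent inputs that raise or lower the score rather than as challenges the user sees, which is what keeps the low-risk balance check at password only while the foreign interbank transfer is pushed to the strongest level; the returned record doubles as the authentication output the fraud detection layer can consume.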

Complementing the strong authentication platform, the fraud detection solution should defend against fraud attacks without impacting the user or existing applications. It should be a cost-effective solution that can be rapidly deployed to all users and is interoperable with the given versatile authentication platform.

An additional component of this equation is the ability to leverage an open fraud intelligence network, which is an information-sharing service designed to combat online fraud by consolidating and sharing key fraud behavior patterns and data among network participants. It is focused on providing participating members the latest fraud behaviors and tactics, as well as key data for detecting and combating fraud as it evolves.

This article originally appeared in the May 2009 issue of Security Today.
