Know the Risk: Digital Transformation's Impact on Your Business-Critical Applications REGISTER >
A criminal logs on to your systems, carries out a fraudulent high-value transaction and disappears into the ether. That nightmare scenario could end up costing your organization lots of money. So how do you prevent criminals from ripping off your organization in this way?
A good start is to make users take extra authentication steps to prove their identity before they can carry out high-value transactions, said Gartner research director Jonathan Care.
Identity Authentication Issues
A common extra step is to use knowledge-based identity authentication: Ask the user for a piece of information in addition to their password that only they should know, such as a notable date. But knowledge-based identity authentication fails between 10 and 15 percent of the time, said Care, noting that most people who fail this step are not criminals but legitimate users who can't remember the correct answer.
Users are unlikely to forget some types of information such as their mother's maiden name or the name of their pet, but this type of information is also easy for fraudsters to obtain from social networks such as Facebook.
Another common step is to use one time password (OTP) systems or out-of-band authentication via SMS messages for identity authentication. But these can also be circumvented by criminals relatively easily, Care said.
Slowing Down Security Processes
A better solution, he suggested, is to slow down high-value or risky transactions. This provides you with more time for more detailed identity authentication.
One way to do this is to initiate a call back to the user, and then check voice biometrics to see if the voice matches a blacklist of known fraudsters. If the user has previously enrolled their voice biometric this can also be used to validate that they are who they claim to be.
Another way is to initiate a letter which is posted to the user's home address, requesting documents (such as a certified copy of a passport).
A third possibility is to get the user to call your organization to talk to security staff. "If a transaction seems risky, why not use a dedicated fraud analysis team? Get the user to talk to your trained experts to verify that they are who they claim to be," Care said.
For some high-value transactions, it may even be worth organizing a face-to-face visit. "Where the transaction has a high possibility of loss or bad PR, a live face-to-face visit can be a good way to slow a transaction down," Care said.
Slowing down a transaction in these ways makes sense when it is judged to be high risk, but the real goal is to provide high security with low friction so legitimate users can carry out transactions quickly and with a minimum of hurdles to navigate.
4 Types of Identity Authentication
How do you do that? Care suggests using a combination of four layers of identity authentication:
- Layer 1: Endpoint centric
- Layer 2 Navigation and network centric
- Layer 3 User data centric
- Layer 4 Linkages
Endpoint centric proofing includes geolocation, which can raise a flag if a user purports to be logging in from their home in New York when the device's IP address is in China, for example. Device fingerprinting is another endpoint centric technique. It can be used to warn you when a user attempts to log in with a device that has not been used before, or if the same device is used to apply for many accounts.
Navigation and network centric techniques are slightly more complex and involve analyzing network and session behavior. By analyzing mouse movements, time between clicks and time spent on each Web page, for example, it may be possible to match this behavior with previous behavior from a legitimate user. It can also be used to tell if a user is behaving like a human or is likely to be a bot.
This layer can also raise a red flag when network behavior is suspicious - for example, if different IP addresses connect within a short period but display similar session behavior - raising the possibility that a bot is connecting.
The user centric identity authentication layer leverages personally identifiable information held by your organization or available from public records, credit bureaus and watch lists.
You can also take advantage of external data sources like social networks to get useful information about people, Care said. "You can look to see who they are connected to, and check if the depth of their social profile indicates they are a real person. Fake profiles also often link to other fake profiles."
The final layer looks at linkages between the previous layers, checking for consistency between a person, their phone number and email address, their physical address and IP address, and so on, to try to establish the risk of doing business with that individual.
Identity Authentication Recommendations
If you lack the resources to integrate your own security solution from the various point products on the market, Care recommended using a "one stop shop" solution that uses Layer 1 (endpoint) and Layer 3 (user data). Companies in this space include Trusteer, Featurespace and Shape Security.
Layers 2 (navigation and network) and Layer 4 (linkages) can be added later to help detect more advanced attacks if necessary.
For any identity authentication system to be workable, it's important that your staff aren't overwhelmed handling cases where users need additional validation. For that reason Care recommended a risk-based approach where fewer than 5 percent of transactions require user interaction and validation.
And finally, he pointed out that thanks to countless high impact security breaches, many people's Social Security numbers and other private information is now easily available and therefore unsuitable to use as an identifier.
"Be careful with your exception processes, as this is where fraudsters will attack," he said.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.