The Trend Skeptic: Regulations Have Fixed Authentication

By Jeff Vance


What was your high school mascot? In what town were you born? What was the make and model of your first car? If you do enough online banking, you’ve encountered these questions, and that’s bad news for security.


Fortunately, these “challenge” questions usually serve fairly benign purposes. They don’t often let you retrieve a password (if they do, you should shut the account down), but they act as a secondary or tertiary form of authentication. For instance, when banks use “soft” forms of two-factor authentication, such as secure cookies, these questions merely fill the gap in the event that the cookie has been removed.


For you tech geeks out there who constantly purge your PCs of temporary files and cookies, you’re more likely than most to be shuffled to weaker forms of authentication. The trouble is these questions are a heck of a lot easier to figure out than passwords.


Have you heard of MySpace? You’ll find plenty of information about home towns, cars, pets and other personal details that security questions ask about. What about those $20 public records searches advertised on Google? If I can figure this stuff out in my role as an armchair tech skeptic, imagine how easy these things are to crack for motivated cyber-crooks.


Is This Good or Bad?


These new forms of authentication were spurred on by the Federal Financial Institutions Examination Council (better known as the FFIEC) regulations, which required financial institutions to adopt multifactor authentication for online transactions. “Virtually all U.S. banks have some kind of enhanced authentication,” said George Tubin, senior analyst in Delivery Channels for the TowerGroup. “Ninety-five percent or so have something in place today, and we’re getting close to 100%.”


One of the drawbacks of the FFIEC legislation is it offers no guidance on how to achieve multifactor authentication. The mandate really just said to offer more than user names and passwords. Even so, the net effect has been overwhelmingly positive. “This is mostly anecdotal,” Tubin said, “I mean, banks won’t come out and say that they lost $12 million last year and only $6 million this year, but the reports are good. Fraud is down.”


Part of this is simple math—the barrier-to-entry mantra so familiar to emerging technologies. Raise the bar, even a bit, and you subtract the subset of criminals who have few skills; i.e., it’s harder for complete knuckleheads to rip you off. Similarly, due to the FFIEC, many attackers have shifted their focus, targeting other countries where standards are lax. Why bother with U.S. banks when it’s easier to crack those in, say, Eastern Europe?


Coming to a Data Center Near You


For enterprise IT, attackers moving elsewhere should be worrisome. As online banking security gets stronger, are you running the risk of being the Eastern Europe of U.S. industries? “Other industries aren’t moving as quickly as the financial sector, but many realize that user names and passwords aren’t nearly enough,” Tubin said. “There is a trickle-down effect.”


The trickle-down effect is troubling in its own right. If other industries adopt, say, challenge questions without realizing their limitations and risks, they could actually weaken security. Banks have found that challenge questions work best when asked to do little.


Then there is the money angle. Banks had to change. Regulations demanded it. Because of this, they could justify significant investments in security. Does your organization have the same mandate?


Even if you catch up with authentication, you could still be behind the curve when it comes to new types of fraud, making you an easy target as financial institutions improve their security profiles. Granted, your risks probably aren’t as steep as they are in the financial sector, but that could quickly change if attackers move from, say, consumer identity theft to corporate ID theft because it’s easier now.


Criminals are always using new techniques to get around strong authentication.


New Risks for the Enterprise


As the enterprise becomes more dispersed, relying on mobile workers, contractors, outsourced laborers and business partners, authentication is a glaring security weakness. The typical enterprise has not pursued multi-factor authentication as aggressively as, say, anti-spam solutions.

This isn’t necessarily a bad thing, so long as you don’t wait too long to act. For starters, if you’ve yet to move away from user names and passwords, you have the advantage of studying various multifactor solutions and seeing how well they work in the real world. However, a cursory look at new authentication techniques is often misleading. While consumer-facing authentication gets a lot of ink in the trade press, the real improvement in security happens behind the scenes.


Financial institutions rely on back-end authentication and fraud detection techniques as stronger security layers beyond the point of entry. Secure cookies and IP geo-location help further authenticate you, while things like in-session monitoring and transaction-level fraud detection offer protection even if a crook gets in.


This is all part of what is being dubbed “risk-based authentication.” If you’re simply checking balances and paying the bills you pay at the same time each month, you’ll be left alone. If you try to shuffle funds overseas, you’ll be asked for much more stringent forms of authentication and, if you can’t provide it, your account will be locked down.


Risk-based Authentication for the Enterprise


Let’s apply risk-based authentication to a typical office setting, where most workers are in house, with a few on the road or working from home, along with some contractors and partners needing access to organizational networks.


Employees who come into the office should encounter fewer layers of authentication. After all, their very presence, especially if they have to show ID to get into the building, is a pretty strong form of authentication. For mobile workers, the bar will be higher, with, say, secure cookies adding an extra layer. For contractors and partners, the authentication bar should be higher still.
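The banking policy described earlier (routine activity is left alone, an overseas transfer demands stronger proof, and a session that cannot supply it is locked) and the office tiers just described (on-site employee, mobile worker, contractor or partner) are the same decision procedure with different inputs. The following Python is an added example of that procedure, not code from any bank, vendor or the FFIEC guidance: the `Context` fields, the weights in `ACTION_RISK` and `POPULATION_RISK`, and the score thresholds are all constructed for illustration, and a real deployment would tune them against its own fraud data.

```python
"""Risk-based (step-up) authentication policy, added as a worked example.

Assumptions (not from the article): a session is summarised as a Context
with the signals the article mentions (secure cookie, IP geo-location,
the action requested, the user's population). Weights and thresholds
below are constructed for illustration only.
"""
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    PASSWORD = 1   # user name + password (plus an enrolled-device cookie if present)
    CHALLENGE = 2  # additionally challenge questions (weak, as the article notes)
    STRONG = 3     # additionally a hardware token or out-of-band code
    DENY = 4       # too risky to authenticate interactively: lock pending review


@dataclass(frozen=True)
class Context:
    population: str      # "onsite", "remote" (mobile worker / customer), "contractor"
    badged_in: bool      # physical presence verified at the door
    secure_cookie: bool  # request carries a cookie from a previously enrolled device
    geo_country: str     # country derived from the source IP address
    home_country: str    # country on record for the account
    action: str          # "view", "pay_recurring", "pay_new_payee", "transfer_overseas"
    amount: float = 0.0  # monetary value of the action, if any


# Constructed weights: how much risk each signal contributes.
ACTION_RISK = {"view": 0, "pay_recurring": 0, "pay_new_payee": 2, "transfer_overseas": 4}
POPULATION_RISK = {"onsite": 0, "remote": 1, "contractor": 3}


def risk_score(ctx: Context) -> int:
    """Additive risk score; unknown actions or populations get the highest weight."""
    score = ACTION_RISK.get(ctx.action, 4) + POPULATION_RISK.get(ctx.population, 3)
    if not ctx.secure_cookie:
        score += 2  # cookie purged or never enrolled: the "tech geek" case
    if ctx.geo_country != ctx.home_country:
        score += 3  # geo-location disagrees with the account's country
    if ctx.badged_in and ctx.population == "onsite":
        score -= 1  # showing ID at the door counts as a factor
    if ctx.amount > 10_000:
        score += 2  # large transfers deserve stronger proof
    return max(score, 0)


def required_level(ctx: Context) -> AuthLevel:
    """Map the score to the authentication the session must present."""
    s = risk_score(ctx)
    if s <= 1:
        return AuthLevel.PASSWORD
    if s <= 4:
        return AuthLevel.CHALLENGE
    if s <= 8:
        return AuthLevel.STRONG
    return AuthLevel.DENY


def decide(ctx: Context, presented: AuthLevel) -> str:
    """Return "allow", "lock", or "step_up:<LEVEL>" for the session."""
    need = required_level(ctx)
    if need == AuthLevel.DENY:
        return "lock"  # no interactive proof is accepted; account is locked down
    if presented >= need:
        return "allow"
    return f"step_up:{need.name}"


if __name__ == "__main__":
    # Constructed sessions mirroring the article's tiers.
    samples = {
        "bank customer, recurring bill, enrolled device": Context("remote", False, True, "US", "US", "pay_recurring", 120.0),
        "same customer after purging cookies": Context("remote", False, False, "US", "US", "view"),
        "overseas transfer from enrolled device": Context("remote", False, True, "US", "US", "transfer_overseas", 50_000.0),
        "on-site employee, badged in": Context("onsite", True, True, "US", "US", "view"),
        "contractor, no enrolled device": Context("contractor", False, False, "US", "US", "view"),
    }
    for label, ctx in samples.items():
        print(f"{label:48s} score={risk_score(ctx):2d} -> {required_level(ctx).name}")
```

The gradient the article describes falls out of the weights: an on-site, badged employee viewing data needs only a password, a mobile worker with an enrolled device is at the same level because the cookie is the extra layer, a mobile worker whose cookie is gone is pushed to challenge questions, and a contractor without an enrolled device is pushed to a strong factor. Note that `decide` never reveals why a session was locked; the reason stays in the score for the reviewer.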


What happens after this, though? Can you trust employees once they’re inside? What about that disgruntled worker passed over for a promotion? What about employees leaving the company? What about contractors who may work for a competitor in the future?


The most important lesson emerging from the financial sector is this: authentication works best when it works with behind-the-scenes complements like transaction monitoring.


Fraud detection today is targeted at banks, but as this sort of security matures, smart enterprises will adopt it too. They’ll seek out solutions that allow them to benchmark their employees’ online behaviors and then warn them when something is amiss. We’re already seeing things like data-leak prevention addressing this concern. It’s too soon to tell, but perhaps that technology will turn out to be the fraud detection of the larger enterprise space.
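The "benchmark, then warn" idea above, and the in-session and transaction monitoring the article credits banks with, boil down to building a per-user baseline and flagging a day that departs from it. The Python below is an added example written for this article, not any vendor's fraud-detection or data-leak-prevention product; the activity summaries in `HISTORY`, the user names, the z-score limit and the off-hours margin are all constructed for illustration.

```python
"""Behavioural baselining of employee activity, added as a worked example.

Assumptions (not from the article): each day of activity is already
summarised as (user, day, first_hour, last_hour, records_touched), for
instance from an application's access log. The history, the users and
the thresholds are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed history: ten ordinary working days for one user.
HISTORY = [
    ("alice", f"2007-03-{day:02d}", 8, 17, records)
    for day, records in zip(range(1, 11), [42, 55, 48, 51, 60, 45, 50, 53, 47, 49])
]


@dataclass
class Baseline:
    mean_records: float   # typical records touched per day
    std_records: float    # spread of that count
    earliest_hour: int    # earliest hour of day seen in the history
    latest_hour: int      # latest hour of day seen in the history


def build_baselines(history):
    """Benchmark every user's normal volume and working hours from past days."""
    by_user = defaultdict(list)
    for user, _day, first, last, records in history:
        by_user[user].append((first, last, records))
    baselines = {}
    for user, rows in by_user.items():
        counts = [records for _, _, records in rows]
        baselines[user] = Baseline(
            mean_records=mean(counts),
            # A perfectly flat history would give std 0 and divide by zero below.
            std_records=pstdev(counts) or 1.0,
            earliest_hour=min(first for first, _, _ in rows),
            latest_hour=max(last for _, last, _ in rows),
        )
    return baselines


def assess(baselines, user, first_hour, last_hour, records, z_limit=3.0, hour_margin=1):
    """Return the anomalies for one day's activity; an empty list means normal."""
    base = baselines.get(user)
    if base is None:
        return ["no_baseline"]  # new account: nothing to compare against yet
    alerts = []
    z = (records - base.mean_records) / base.std_records
    if z > z_limit:
        alerts.append(f"volume:z={z:.1f}")  # far more records than usual
    if first_hour < base.earliest_hour - hour_margin or last_hour > base.latest_hour + hour_margin:
        alerts.append("off_hours")  # activity well outside the usual window
    return alerts


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    # Constructed "today" summaries: a routine day, then a bulk pull at 2 a.m.
    for user, first, last, records in [("alice", 9, 16, 55), ("alice", 2, 3, 400), ("bob", 9, 17, 10)]:
        print(user, first, last, records, "->", assess(baselines, user, first, last, records) or "normal")
```

The two checks are deliberately independent so that a reviewer sees which benchmark was crossed; a single combined score would hide that. As in the article's banking case, the output is a warning for a person to act on, not an automatic lockout, because a legitimate month-end report run can look exactly like a bulk export.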


Jeff Vance has been writing about technology trends for more than 10 years. After editing two high-tech insider investment newsletters, Mobile Internet Times and E-Infrastructure Times, Vance founded Sandstorm Media in August 2003.