The Trend Skeptic: Regulations Have Fixed Authentication
What was your high school mascot? In what town were you born? What was the make and model of your first car? If you do enough online banking, you've encountered these questions, and that's bad news for security.
Fortunately, these challenge questions usually serve fairly benign purposes. They don't often let you retrieve a password (if they do, you should shut the account down), but they act as a secondary or tertiary form of authentication. For instance, when banks use soft forms of two-factor authentication, such as secure cookies, these questions merely fill the gap in the event that the cookie has been removed.
For you tech geeks out there who constantly purge your PCs of temporary files and cookies, you're more likely than most to be shuffled to weaker forms of authentication. The trouble is that these questions are a heck of a lot easier to figure out than passwords.
Have you heard of MySpace? Youll find plenty of information about home towns, cars, pets and other personal details that security questions ask about. What about those $20 public records searches advertised on Google? If I can figure this stuff out in my role as an armchair tech skeptic, imagine how easy these things are to crack for motivated cyber-crooks.
Is This Good or Bad?
These new forms of authentication were spurred on by the Federal Financial Institutions Examination Council (better known as the FFIEC) regulations, which required financial institutions to adopt multifactor authentication for online transactions. Virtually all
One of the drawbacks of the FFIEC legislation is that it offers no guidance on how to achieve multifactor authentication. The mandate really just said to offer more than user names and passwords. Even so, the net effect has been overwhelmingly positive. "This is mostly anecdotal," Tubin said. "I mean, banks won't come out and say that they lost $12 million last year and only $6 million this year, but the reports are good. Fraud is down."
Part of this is simple math: the barrier-to-entry mantra so familiar to emerging technologies. Raise the bar, even a bit, and you subtract the subset of criminals who have few skills; i.e., it's harder for complete knuckleheads to rip you off. Similarly, due to the FFIEC, many attackers have shifted their focus, targeting other countries where standards are lax. Why bother with
Coming to a
For enterprise IT, attackers moving elsewhere should be worrisome. As online banking security gets stronger, are you running the risk of being the Eastern Europe of U.S. industries? "Other industries aren't moving as quickly as the financial sector, but many realize that user names and passwords aren't nearly enough," Tubin said. "There is a trickle-down effect."
The trickle-down effect is troubling in its own right. If other industries adopt, say, challenge questions without realizing their limitations and risks, they could actually weaken security. Banks have found that challenge questions work best when asked to do little.
Then there is the money angle. Banks had to change. Regulations demanded it. Because of this, they could justify significant investments in security. Does your organization have the same mandate?
Even if you catch up with authentication, you could still be behind the curve when it comes to new types of fraud, making you an easy target as financial institutions improve their security profiles. Granted, your risks probably aren't as steep as they are in the financial sector, but that could quickly change if attackers move from, say, consumer identity theft to corporate ID theft because it's easier now.
Criminals are always using new techniques to get around strong authentication.
New Risks for the
As the enterprise becomes more dispersed, relying on mobile workers, contractors, outsourced laborers and business partners, authentication is a glaring security weakness. The typical enterprise has not pursued multi-factor authentication as aggressively as, say, anti-spam solutions.
This isn't necessarily a bad thing, so long as you don't wait too long to act. For starters, if you've yet to move away from user names and passwords, you have the advantage of studying various multifactor solutions and seeing how well they work in the real world. However, a cursory look at new authentication techniques is often misleading. While consumer-facing authentication gets a lot of ink in the trade press, the real improvement in security happens behind the scenes.
Financial institutions rely on back-end authentication and fraud detection techniques as stronger security layers beyond the point of entry. Secure cookies and IP geo-location help further authenticate you, while things like in-session monitoring and transaction-level fraud detection offer protection even if a crook gets in.
This is all part of what is being dubbed risk-based authentication. If you're simply checking balances and paying the bills you pay at the same time each month, you'll be left alone. If you try to shuffle funds overseas, you'll be asked for much more stringent forms of authentication and, if you can't provide it, your account will be locked down.
Risk-based Authentication for the
Let's apply risk-based authentication to a typical office setting, where most workers are in house, with a few on the road or working from home, along with some contractors and partners needing access to organizational networks.
For employees who come into the office, they should encounter fewer layers of authentication. After all, their very presence, especially if they have to show ID to get into the building, is a pretty strong form of authentication. For mobile workers, the bar will be higher with, say, secure cookies adding an extra layer. For contractors and partners, the authentication bar should be higher still.
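The two scenarios above, the bank's "leave routine activity alone, step up for an overseas transfer, lock if the step-up fails" policy and the office tiers (on-site employees, mobile workers, contractors), can be expressed as one small risk engine. The following is an added illustration, not code from the article or from any bank or vendor it mentions; the signal names, weights and score thresholds are assumptions chosen to make the tiers visible, and the scenarios are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Assurance a session can present, weakest to strongest (assumed tiers)."""
    PASSWORD = 1   # user name and password only
    DEVICE = 2     # password plus a recognised device (secure cookie)
    STRONG = 3     # password plus a one-time code or token
    DENY = 4       # nothing suffices: lock the account or session


@dataclass
class Session:
    category: str                   # "onsite", "mobile", "contractor", "customer"
    action: str                     # "view", "pay_recurring", "wire_overseas"
    device_cookie_valid: bool       # secure cookie present and intact
    geo_matches_history: bool       # IP geo-location consistent with past logins
    badge_seen_today: bool = False  # physical access record (only used for onsite)
    amount: float = 0.0
    typical_amount: float = 0.0     # the user's usual amount for this action


# Assumed weights: where the user sits relative to the building perimeter.
BASELINE = {"onsite": 0, "customer": 2, "mobile": 2, "contractor": 4}
# Assumed weights: what the user is trying to do.
ACTION_RISK = {"view": 0, "pay_recurring": 1, "wire_overseas": 5}


def risk_score(s: Session) -> int:
    """Additive risk score; higher means more assurance is required."""
    score = BASELINE[s.category]
    if s.category == "onsite" and not s.badge_seen_today:
        score += 3   # claims to be in the building but never badged in
    if not s.device_cookie_valid:
        score += 2   # unknown or purged device
    if not s.geo_matches_history:
        score += 3   # logging in from somewhere new
    score += ACTION_RISK.get(s.action, 3)   # unlisted actions count as risky
    if s.typical_amount and s.amount > 3 * s.typical_amount:
        score += 2   # well outside the user's usual amount
    return score


def required_level(score: int) -> AuthLevel:
    """Map a score to the weakest acceptable assurance (assumed thresholds)."""
    if score <= 2:
        return AuthLevel.PASSWORD
    if score <= 6:
        return AuthLevel.DEVICE
    if score <= 9:
        return AuthLevel.STRONG
    return AuthLevel.DENY


def decide(s: Session, presented: AuthLevel) -> str:
    """Return 'allow', 'step_up:<LEVEL>' or 'lock' for a session."""
    need = required_level(risk_score(s))
    if need == AuthLevel.DENY:
        return "lock"
    if presented >= need:
        return "allow"
    return f"step_up:{need.name}"


# Constructed scenarios: (session, assurance the session has already presented).
SCENARIOS = {
    "recurring_bill": (Session("customer", "pay_recurring", True, True,
                               amount=100, typical_amount=100), AuthLevel.DEVICE),
    "overseas_wire": (Session("customer", "wire_overseas", True, True,
                              amount=9000, typical_amount=100), AuthLevel.DEVICE),
    "purged_cookies_new_geo": (Session("customer", "wire_overseas", False, False,
                                       amount=9000, typical_amount=100), AuthLevel.DEVICE),
    "badged_employee": (Session("onsite", "view", True, True,
                                badge_seen_today=True), AuthLevel.PASSWORD),
    "unbadged_onsite": (Session("onsite", "view", True, True), AuthLevel.PASSWORD),
    "contractor_first_login": (Session("contractor", "view", False, True), AuthLevel.PASSWORD),
}


def evaluate_all() -> dict:
    """Decision for every constructed scenario, keyed by scenario name."""
    return {name: decide(s, lvl) for name, (s, lvl) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_all().items():
        print(f"{name:24s} -> {outcome}")
```

The routine bill payment from a recognised device is allowed on the cookie alone; the same customer wiring an unusual sum overseas is pushed to strong authentication; a customer who has purged cookies and appears from a new location while attempting that wire is locked out rather than offered a step-up. On the office side, a badged employee viewing data passes on a password, while an "on-site" login with no badge record and a contractor on an unknown device are both asked for more. A production engine would also feed the in-session and transaction-level signals the article describes into the same score, and would re-run `decide` on each sensitive action rather than once at login.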
What happens after this, though? Can you trust employees once they're inside? What about that disgruntled worker passed over for a promotion? What about employees leaving the company? What about contractors who may work for a competitor in the future?
The most important lesson emerging from the financial sector is this: authentication works best when it works with behind-the-scenes complements like transaction monitoring.
Fraud detection today is targeted at banks, but as this sort of security matures, smart enterprises will adopt it too. They'll seek out solutions that allow them to benchmark their employees' online behaviors and then warn them when something is amiss. We're already seeing things like data-leak prevention addressing this concern. It's too soon to tell, but perhaps that technology will turn out to be the fraud detection of the larger enterprise space.
Jeff Vance has been writing about technology trends for more than 10 years. After editing two high-tech insider investment newsletters, Mobile Internet Times and E-Infrastructure Times, Vance founded Sandstorm Media in August 2003.