The New Front Line in Defending Against Online Threats
Feb 12, 2007 4:00 AM PT
The Internet has presented previously unimaginable opportunities for enterprises of all types, including financial services institutions. Online transactions are at an all-time high as enterprises enthusiastically cultivate the Internet as a vital sales channel.
Careful examination of consumer behavior, however, may reveal the first signs of trouble ahead.
A continual cadence of high-profile security breaches involving unauthorized access to sensitive personal data, together with a growing incidence of online fraud through tactics such as phishing and pharming, appears to be eroding consumer confidence in e-commerce, including consumer use of financial services Web sites.
According to a 2005 Gartner survey of 5,000 U.S. adults, some online banking customers are changing their usage patterns: logging in less frequently and no longer using online bill payment services.
This trend is troubling for the highly competitive financial services industry, which increasingly looks to the Internet as a panacea that will enable institutions to improve service while lowering operational costs.
In addition, the Ponemon Institute, a research and education organization focusing on information and privacy practices, revealed in its "2006 Privacy Trust Study for Retail Banking" that banks are only one or two security breaches away from losing customers -- with 34 percent of respondents indicating that they would transfer their funds after a single security breach.
The message to financial services organizations is clear -- a more comprehensive approach to security is critical to the continued success of the online channel.
A layered approach to solving security problems -- one that addresses physical security of the data, security of the IT infrastructures on which the data sits, as well as security of the data as it flows between systems and organizations -- is generally considered the most effective approach.
Financial institutions have already implemented numerous security measures to address everything from physical access to single sign-on and provisioning. The rapid escalation of phishing, pharming and man-in-the-middle attacks, however, is forcing them to focus on the role of identity authentication in their overall security infrastructure.
Identity authentication is the new front line in the security battle. Early market efforts focused primarily on access control rather than on authentication: as long as an individual presented the appropriate PIN, password or token, he or she was granted access, regardless of how that credential had been issued or to whom. This approach is short-sighted. A relying party needs to understand and vet how a credential was granted (who verified the holder's identity, and under what policy) before it can rely on that credential.
Technology-based identity access solutions, which are often stand-alone point products, are no match for the modern attacker on their own. To have the flexibility to respond to new types of fraud and the regulations that follow, today's financial services organizations require an infrastructure that provides globally accepted policies, legally binding contracts and consistency of operations. This enables the access provided by the point solutions to be granted, in a standardized way, to identities issued by financial institutions around the world.
The benefits of a comprehensive identity infrastructure encompass more than protection from criminals and the continued expansion of e-commerce. They also include the ability to conduct e-business globally, uncover new revenue opportunities and achieve new operational efficiencies.
A global identity authentication infrastructure, for example, enables organizations of all types, including financial institutions, to rely on the authenticity of digital signatures for purchase orders, invoices, compliance and other documents, and to finally automate the last part of the supply chain.
Using such an infrastructure, financial institutions can leverage their position as a trusted third party in the traditional offline world and offer new, fee-based services as a third-party issuer of digital certificates in the online world. Banks are in a unique position to offer these certificates because customers already trust them with their personal and financial information. They can issue certificates on the strength of identity information they already hold on file, collected to meet the customer identification requirements of the USA PATRIOT Act. This approach also lets bank customers limit how many third parties hold their personal or corporate information.
With a global identity authentication infrastructure in place, multi-national corporations that must manage relationships with financial institutions around the world can open and close accounts electronically. In turn, the financial institutions can have confidence that the digital signatures they accept are genuine and that the signing credentials behind them have not been compromised.
Many Options, Few Complete Solutions
Understanding why previous approaches to identity authentication have fallen short enables financial institutions to implement an identity infrastructure that avoids many of those pitfalls.
Public Key Infrastructure (PKI) has been successfully implemented within many large enterprises, and it shows promise because a digital signature backed by a certificate can be made legally binding. However, few business applications yet require identity authentication with digital certificates and signatures.
PKI is a robust technology, but its implementations have historically resulted in fragmented, siloed security and identity management systems that did not easily interoperate. To deliver true value, a PKI-based infrastructure must interoperate both with other systems and with other countries' government-mandated schemes. Additionally, relying parties must be able to trust the policies and procedures under which the certificates were issued.
Two-factor authentication couples a password with a second type of credential, such as a one-time code from a token. This method, however, is not a complete solution. In particular, it has proved unsuccessful at thwarting man-in-the-middle attacks: a fraudulent site inserted into the workflow through phishing, or an attacker who has compromised the link between the user and their ISP, can relay the password and the one-time code to the genuine site in real time. The second factor is then consumed by the attacker's session, and the data being transferred is compromised.
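To make the relay concrete, here is an added example in Go; it is not code from the article or from IdenTrust. It models a one-time-code second factor with an HOTP-style HMAC and shows that the genuine site cannot tell a code typed on its own page from one typed on a phishing page and forwarded by the attacker. It then contrasts this with a challenge signed by the customer's credential together with the origin the browser is actually connected to, which is the effect the article later asks for when it calls for authenticating the user and the site to each other. The shared seed, the key pair, the fixed 32-byte challenge and the origins bank.example and phish.example are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed shared secret between the customer's token and the bank; real tokens hold a per-user seed.
var otpSeed = []byte("constructed-otp-seed-for-demo")

// hotp derives a six-digit one-time code from the seed and a counter
// (HOTP-style dynamic truncation, here over HMAC-SHA256).
func hotp(seed []byte, counter uint64) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	mac := hmac.New(sha256.New, seed)
	mac.Write(ctr[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// bankAcceptsOTP is the genuine site's check. It can confirm that the code came from
// the right token, but not which web site the customer typed it into.
func bankAcceptsOTP(counter uint64, code string) bool {
	return hmac.Equal([]byte(hotp(otpSeed, counter)), []byte(code))
}

// otpRelayAttack: the customer is on the phishing site and types the current code; the
// phisher forwards it to the bank in real time. The bank accepts, and the session is the attacker's.
func otpRelayAttack(counter uint64) bool {
	codeTypedByCustomer := hotp(otpSeed, counter) // read from the token, entered on phish.example
	forwardedByPhisher := codeTypedByCustomer     // relayed unchanged to bank.example
	return bankAcceptsOTP(counter, forwardedByPhisher)
}

// signForOrigin is the origin-bound alternative: the customer's device signs the bank's
// challenge together with the origin its browser is actually connected to. The challenge
// is a fixed 32 bytes, so the concatenation is unambiguous.
func signForOrigin(priv ed25519.PrivateKey, challenge []byte, origin string) []byte {
	msg := append(append([]byte{}, challenge...), []byte(origin)...)
	return ed25519.Sign(priv, msg)
}

// bankVerifiesOrigin checks the signature against the bank's own origin;
// a signature produced for phish.example does not verify.
func bankVerifiesOrigin(pub ed25519.PublicKey, challenge, sig []byte) bool {
	msg := append(append([]byte{}, challenge...), []byte("bank.example")...)
	return ed25519.Verify(pub, msg, sig)
}

// demoOriginBound returns (direct login accepted, relayed login accepted).
func demoOriginBound() (direct, relayed bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed customer credential
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	direct = bankVerifiesOrigin(pub, challenge, signForOrigin(priv, challenge, "bank.example"))
	// The phisher forwards the bank's challenge, but the device binds its signature to phish.example.
	relayed = bankVerifiesOrigin(pub, challenge, signForOrigin(priv, challenge, "phish.example"))
	return direct, relayed
}

func main() {
	fmt.Println("relayed one-time code accepted by bank:", otpRelayAttack(7))
	direct, relayed := demoOriginBound()
	fmt.Println("origin-bound signature accepted directly:", direct)
	fmt.Println("origin-bound signature accepted when relayed:", relayed)
}
```

The first result is true and the third is false: the one-time code is valid wherever it is typed, while the signed challenge is only valid at the origin the customer's device actually saw, so a phishing page in the middle gains nothing from forwarding it.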
One of the most effective approaches to identity authentication is the use of a secure individual device, such as a smart card or token, that authenticates and validates the user.
It has been argued that this approach faces several challenges, including consumer resistance to carrying a token and the cost of issuing and replacing security devices. These objections are no longer as compelling: devices that plug into USB ports, from iPods to other everyday gadgets, are now common and can serve double duty as carriers of a security credential. One caveat applies. A general-purpose storage device can hold a software credential, but it does not protect the private key from being copied the way a smart card's tamper-resistant chip does, so the two do not offer the same level of assurance.
Solving the Identity Management Puzzle
Most identity management solutions provide only one piece of the puzzle. What is needed is a phased approach to identity authentication that can expand and strengthen as required, rather than a solution that works briefly and must then be retrofitted to protect against more sophisticated attacks.
Solutions that merely authenticate the user to the site, without establishing who the user really is, do not guarantee a trusted infrastructure; they meet only basic compliance with Federal Financial Institutions Examination Council (FFIEC) guidance and other regulations. To provide the highest level of protection, multi-factor authentication must be performed across all levels, using a single, comprehensive solution that authenticates the user and the site to each other (mutual authentication) and binds the two through digitally issued certificates.
Also critical are the ability to sign both the data and the container in which it is sent, and the ability to validate each certificate before relying on it: checking that the current time falls within its validity period, and checking its revocation status against a current, issuer-signed revocation list (or an online status responder), since a certificate can be revoked long before it expires.
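As an added example, not code from the article or from IdenTrust, the following Go program builds a constructed issuing CA, three client certificates and a certificate revocation list with the standard crypto/x509 package, then applies the checks just described: the chain must verify at the current time (which enforces the validity period), the CRL must be signed by the issuer and must be current, and the certificate's serial must not appear on it. The CA name, serial numbers, timestamps and the "current time" are all constructed, and a stale CRL is treated as a failure rather than as proof of non-revocation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert signs tmpl with the issuer's key; a nil parent makes the certificate self-signed.
func issueCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// checkCertificate: the chain must verify at time now (enforcing NotBefore/NotAfter), the CRL must be
// issuer-signed and current, and the serial must not be listed. A stale CRL is a failure, not "not revoked".
func checkCertificate(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain or validity period: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return errors.New("CRL is not current; fetch a fresh one before relying on the certificate")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", leaf.SerialNumber, e.RevocationTime.UTC())
		}
	}
	return nil
}

// demo builds the constructed CA, certificates and CRL, then returns the check results for a valid
// certificate, a revoked one, an expired one, and the valid one checked against a stale CRL.
func demo() (good, revoked, expired, stale error) {
	now := time.Date(2007, 2, 12, 12, 0, 0, 0, time.UTC) // constructed "current time"
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := issueCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Bank Issuing CA"}, // constructed name
		NotBefore:             now.Add(-24 * time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue CRLs
	}, nil, &caKey.PublicKey, caKey)
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	newLeaf := func(serial int64, notAfter time.Time) *x509.Certificate {
		return issueCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: fmt.Sprintf("customer-%d", serial)}, // constructed
			NotBefore:    now.Add(-24 * time.Hour),
			NotAfter:     notAfter,
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, &leafKey.PublicKey, caKey)
	}
	goodCert := newLeaf(1001, now.Add(365*24*time.Hour))
	revokedCert := newLeaf(1002, now.Add(365*24*time.Hour))
	expiredCert := newLeaf(1003, now.Add(-time.Hour)) // already past NotAfter
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:                    big.NewInt(7),
		ThisUpdate:                now.Add(-time.Hour),
		NextUpdate:                now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: revokedCert.SerialNumber, RevocationTime: now.Add(-30 * time.Minute)}},
	}, ca, caKey))
	good = checkCertificate(goodCert, ca, crlDER, now)
	revoked = checkCertificate(revokedCert, ca, crlDER, now)
	expired = checkCertificate(expiredCert, ca, crlDER, now)
	stale = checkCertificate(goodCert, ca, crlDER, now.Add(48*time.Hour)) // past the CRL's NextUpdate
	return good, revoked, expired, stale
}

func main() {
	good, revoked, expired, stale := demo()
	fmt.Printf("valid: %v\nrevoked: %v\nexpired: %v\nstale CRL: %v\n", good, revoked, expired, stale)
}
```

Only the first case passes; the other three report the specific reason for rejection. In production the CRL (or an OCSP response) is fetched from the issuer's distribution point and cached no longer than its NextUpdate, and the relying party refuses to proceed, rather than assuming "not revoked", when a current one cannot be obtained.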
Traditional solutions focus on a single method of authentication and then combine it with a PIN or password to meet the multi-factor guidelines. A PKI-based approach combined with a second authentication method, a hard or soft token, pairs two strong authentication methods and therefore provides the strongest authentication.
A comprehensive system for identity authentication also requires policies, legal infrastructure, operational consistency and technology for access that users can rely upon. Of special importance are procedures and guidelines that work across multiple institutions and geographic borders.
For identity authentication to really provide the trusted environment that both corporate and retail customers require for doing business, the legal framework must be acceptable and enforceable both domestically and across borders. Otherwise, a corporation or its financial institution could face the prospect of adjudicating disputes in jurisdictions around the world.
A comprehensive solution establishes, and cooperates with, the various legal infrastructures alongside the identity authentication technology itself, a process that can be difficult and costly for a corporation or its financial institution to create and maintain on its own. Equally important, a hosted infrastructure offers the scalability to rapidly introduce new security features in response to new types of crime and regulation.
While financial services organizations have made significant investments in IT security, they must now turn their attention to the next frontier: comprehensive identity authentication. The assurance that both parties in a transaction are who they claim to be is an essential element in thwarting the e-crime and online fraud that threatens to stop the growth of e-commerce in the financial services industry in its tracks.
Andrea Klein is chief marketing officer at IdenTrust.