Is That Really You? ID Theft and Authentication, Part 1
Feb 22, 2007 4:00 AM PT
Cybercriminals are as gung-ho about perpetrating online fraud as financial institutions and governments are dedicated to preventing it. As long as people send private, sensitive information and transactions over computer networks, the prospect of identity (ID) theft and subsequent online fraud will loom large.
It's not so much the number of people who have fallen victim to ID theft, but the potential for serious loss and the possibility that you or I will become the next victim.
However, if the business of protecting you and me continues apace, ID theft may become increasingly difficult for cybercriminals, even when they are armed with user names and passwords.
100 Million Identities
Taking advantage of the latest in PKI (public key infrastructure) cryptography, banking and financial services companies and security providers are taking a multifactor approach to authenticating users.
Authentication methods that depend on more than one factor can be more reliable and stronger fraud deterrents. For example, using a login ID and password is single-factor authentication. An ATM transaction, on the other hand, requires multifactor authentication: the user's ATM card combined with a secret personal identification number.
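As an added illustration of the single-factor versus multifactor distinction (this is example code, not from the article or any vendor named in it): a small Python verifier that requires both a password (something you know) and a counter-based one-time code in the RFC 4226 style (something you have), so a stolen password on its own is rejected and a used code cannot be replayed. The account, user name, password and device secret are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo account store (hypothetical values): one user with a
# knowledge factor (salted PBKDF2 password hash) and a possession factor
# (a shared device secret plus a counter, as in RFC 4226 HOTP).
DEVICE_SECRET = b"12345678901234567890"  # RFC 4226 test secret, not a real key
SALT = os.urandom(16)
ACCOUNTS = {
    "alice": {
        "salt": SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "device_secret": DEVICE_SECRET,
        "counter": 0,
    }
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_login(user: str, password: str, code: str, window: int = 3) -> str:
    """Both factors must pass; returns a short reason suitable for an audit log."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return "no such user"
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
    if not hmac.compare_digest(expected, acct["pw_hash"]):
        return "password mismatch"
    # Accept the next few counter values to tolerate skipped button presses,
    # then advance past the used one so the same code cannot be replayed.
    for c in range(acct["counter"], acct["counter"] + window):
        if hmac.compare_digest(hotp(acct["device_secret"], c), code):
            acct["counter"] = c + 1
            return "ok"
    return "one-time code mismatch"
```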
"Online banking transaction fraud is growing rapidly due to the huge amount of identity theft that has occurred in the last couple of years," Peter Relan, chief strategist at Entrust, told the E-Commerce Times.
"It is estimated by the Cyber Security Industry Alliance that over 100 million identities of Americans have been compromised to date -- and a significant portion of this further leads to online monetary fraud," Relan added.
According to the Privacy Rights Clearinghouse, more than 100 million notifications have been sent to individuals in the U.S. under state breach-disclosure laws, informing them that their personal information has been lost or stolen.
That's 100 million people who can be considered prime targets for ID theft and online fraud.
Bankers, brokers and their technology providers devote extensive time and money to detecting and preventing such crimes, but cybercriminals keep leapfrogging those efforts. With each leap, the good guys must regain the technological lead over the hacker.
Financial institutions and security providers are employing ever more sophisticated tools to prevent cybercriminals from stealing confidential information and breaking into online banking and brokerage accounts.
These tools and methods include a combination of cryptographic network access keys, shifting passwords, unique personal identifiers and sophisticated behavioral algorithms.
Pumps and Dumps
A January Gartner research report links fraud losses and phishing threats directly to an erosion of consumer confidence in financial institutions and online transactions in general, noted Kerry Loftus, director of product management and authentication at Verisign.
Unauthorized access to user accounts is "a big threat to banks and financial institutions, and the best data that bears this out is Avivah Litan's January report published by Gartner ... I think this on top of last year's regulatory guidance from the FFIEC (Federal Financial Institutions Examination Council) has the banks' attention.
"Methods include e-mail scams -- such as 'pump and dump' attacks on brokerages -- as well as general phishing attacks designed to pull consumers' identity information. The proliferation of botnets has just given the bad guys an even larger channel to consumers to execute these attacks," Loftus told the E-Commerce Times.
In response to the growing problem, Entrust has introduced TransactionGuard, a product that offers organizations the ability to monitor all online activity and to obtain a complete picture of the behavior of all online users -- both legitimate and potential attackers.
In counterpoint to the regular and rightfully alarmist statistics about the growing absolute number of ID thefts and online fraud, similarly strong evidence suggests that such cybercrimes are actually decreasing.
On that reading, most identity fraud originates not online but offline, through a combination of user complacency, carelessness and the activities of opportunistic, organized and tech-savvy criminals.
"According to numerous industry studies -- for example Javelin Strategy & Research's Identity Fraud Survey Report -- ID fraud has declined over the past four years, and only 8 percent of identity fraud has resulted from online information breaches," said Scott Mackelprang, vice president of security and compliance at Digital Insight.
"The majority of fraudulent activity results from offline sources such as lost wallets or purses, stolen U.S. mail or friends and family. These are threats that can be directly prevented by users and are obviously not technological in nature. Nevertheless, given online banking's rapid growth and popularity, security is an important issue to deal with for the industry as a whole," Mackelprang noted.
Given the regular occurrence of highly publicized data breaches, losses and laptop theft at federal government agencies and departments, the U.S. government last year became more proactive about IT security.
Last June, the Office of Management and Budget (OMB) issued White House memorandum OMB M-06-16, an order giving all government agency heads up to 45 days to assess the security provisions of their mobile data and remote access network systems and ensure that they are in full compliance with National Institute of Standards and Technology (NIST) security measures.
Other previous efforts, Congress's Sarbanes-Oxley legislation in particular, have had far-reaching ramifications for financial institutions with respect to the security, business processes and reporting systems they are now required to enforce.
"In 2006, the FFIEC required that banks and credit unions strengthen customer authentication measures for Internet banking transactions by year-end," said Digital Insight's Mackelprang.
"The guidelines for how this increased authentication was to be implemented were not method-specific, so there isn't a 'standard' method, but 'strong' or multifactor authentication (MFA), in some form or another, is now the norm," he added.