New Layers of Defense: ID Theft and Authentication, Part 2
Feb 25, 2007 4:00 AM PT
"It was the best of times; it was the worst of times." The oft-cited quotation from Dickens' "A Tale of Two Cities" seems apt when talking about the opportunity presented by digital communications and computing.
It has also ushered in a new breed of cybercriminal who tries hard to steal your personal information and use it fraudulently.
Online fraud and ID theft are perhaps two of the most alarming new possibilities. These threats are serious and widespread enough to have reached the halls of Congress and the Executive Office, as was illustrated in Part 1 of this two-part series.
Data Protection is No. 1
What are some of the new ways in which financial institutions and their technology providers are trying to better detect and prevent online fraud?
First, the best of times -- "2007 looks to be a year of tremendous growth for the next generation of security services over IP (Internet protocol) and Ethernet networks," said Ron Willis, president and CEO of CipherOptics.
"As more business information, content and customer data travels over these networks, the need for complying with data privacy regulations, protecting customer data and securely delivering subscription media will make data protection one of the hottest technology trends in 2007," he claimed.
The Worst of Times?
Despite the improvements, trade-offs are involved. One is technological -- the trade-off between rigorous, multilayered authentication and performance, mainly processing speed.
Another is economic: at what point do a business's efforts to eliminate cybercrime start to cost it customers, and perhaps expose it to legal action? "The industry is well supported by cryptography systems, if they are implemented properly," said Scott Mackelprang, vice president of security and compliance at Digital Insight.
"Encryption methods used in association with multiple factor authentication rely upon an industry standard. One example is secure sockets layered (SSL) encryption," he added.
"Industry solutions run the gamut and generally offer trade-offs between security and usability as well as cost," claimed Kerry Loftus, director of product management and authentication at VeriSign.
"Most secure is PKI (public key infrastructure), but client footprint is involved and usability can be an issue. 'One-time' dynamic passwords are in the middle -- proven usability track record and congruent with password metaphors for consumers. They are also portable but do require some device present to generate the one-time password (OTP)," he noted.
"Least secure but usable are the image solutions, [in which] consumers register an image that is then presented to them when they log on to the Web site. These solutions can generate significant support costs, as they are new and require user intervention anytime a consumer is not at their registered desktop," he continued.
"Extended Validation SSL certificates provide much of the same site authentication benefits without the costs. They are accompanied with already consumer-familiar images, like the VeriSign secured seal, so support burden is significantly less, as well," Loftus concluded.
Putting the latest multifactor authentication methodologies to good and proper use, however, requires adroit management and follow-through, both technologically and operationally. These methods also require tight coordination with, and among, third-party security providers.
Another factor: last year's regulatory guidance from the U.S. government's Federal Financial Institutions Examination Council (FFIEC) has the banks' attention.
In 2006, the FFIEC required that banks and credit unions strengthen customer authentication measures for Internet banking transactions by year-end, said Digital Insight's Mackelprang.
"Maintaining a high level of security requires many layers of defense spread across systems, operations, the architecture and third-party partnerships. Digital Insight relies upon a variety of cryptographic encryption methods across our networks, lines of communication and interfaces to technology partners to protect our financial institution clients and their end users," Mackelprang explained.
In 2006, Digital Insight implemented a multifactor authentication solution for its consumer Internet banking and business banking clients in advance of the FFIEC's year-end deadline.
A Multilayered Approach
VeriSign has similarly developed and adopted a multilayered approach to identity protection that breaks down into four main components.
The first is a shared authentication network aptly named the VeriSign Identity Protection Network, or VIP. In addition to user name and password, the VIP risk engine monitors, logs and analyzes user behavior, device and network characteristics, geographic information and fraud intelligence to establish users' identities.
It can also verify the identity of the user via in-band and out-of-band intervention mechanisms such as an automated phone call or SMS message, according to VeriSign.
The second component is a two-factor authentication solution based on open standards defined by OATH, an industry-wide working group for authentication.
Fraud detection is the third leg. Using anomaly detection technology, the service monitors for and detects fraudulent log-ins and transaction fraud in real time, which enables risk-based authentication.
VeriSign's Fraud Intelligence Network is the fourth component of the system. "The Fraud Intelligence Network allows the sharing of critical fraud data and signatures across VIP-enabled Web sites of network members," Loftus claimed.
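As an added illustration of the OATH-standard one-time passwords described above (example code written for this article's readers, not VeriSign's or Digital Insight's implementation): the HOTP algorithm from RFC 4226 in Python, with the server-side look-ahead check that lets a token resynchronise while still rejecting replayed codes. The secret is the RFC's published test value, used here as constructed sample data.

```python
import hmac
import hashlib
import struct

# Constructed demo secret: the RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, server_counter: int, submitted: str,
                look_ahead: int = 5, digits: int = 6):
    """Server-side check with a look-ahead window, so a token that was pressed
    a few times without a log-in still resynchronises. Returns (ok, new_counter).
    The comparison is constant-time and the stored counter only moves forward,
    so a code that has been accepted once can never be replayed."""
    for step in range(look_ahead + 1):
        candidate = hotp(secret, server_counter + step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True, server_counter + step + 1
    return False, server_counter


if __name__ == "__main__":
    print(hotp(DEMO_SECRET, 0))                       # RFC 4226 vector for counter 0
    print(verify_hotp(DEMO_SECRET, 0, "969429"))      # counter 3 lies inside the window
    print(verify_hotp(DEMO_SECRET, 4, "755224"))      # replay of counter 0 is rejected
```

A deployed verifier would persist the returned counter per user and treat repeated failures as a signal for the risk engine rather than silently widening the window.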