
Security by Obscurity is the key!

2014 shocked us all into the reality that no institution or organization, no matter how big or sophisticated, was immune to being “hacked” or “breached”. Towards the end of the year, we were all numbed into submission, and the shock factor resulting from the headlines that continued to dominate was replaced with an uneasy bewilderment.

Already this year, we have witnessed headlines concerning fraud at institutions like PayPal and XOOM, where the CFO became a casualty of its $30m fraud. In the world of virtual currencies, we saw theft on a grand scale with the “loss” of 19,000 bitcoins from the UK-based Bitcoin exchange Bitstamp. Alongside this, the US IRS has alerted the public that it paid some $5.2 billion in fraudulent identity theft refunds last year whilst preventing some $24.2 billion in attempted fraud, according to the Government Accountability Office (GAO).

No small wonder then that I am concerned that 2015 will see a continuation of the reporting of such breaches, but in a much broader and deeper manner. Unfortunately, the majority of security architectures have not kept pace with the evolution of sophisticated fraud. The situation is so severe that in October last year it prompted the Director of the FBI, James Comey, to make the following statement regarding Chinese hackers: “…There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese…”. I believe that the same could be said for sophisticated fraud and its impact on big US businesses.

Has the industry learned anything, and is it finally coming to terms with the extent and scope of the problem? What of the FIDO Alliance, and specifically Google’s “new” Physical Two-Step Security Key (FIDO Token)? In this day and age, is a new physical token the right approach to user authentication?

According to Google, the new Security Key is a physical USB device that acts as a second authentication factor “…that only works after verifying the login site is truly a Google website. Rather than typing a code, you just insert the Security Key into your computer’s USB port and tap it when prompted…”. The Security Key incorporates the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so its primary claim is that it will work with any website account login process that supports FIDO U2F. However, this does not mean that it will work with all websites, whether Google websites or otherwise. It doesn’t.

Leaving aside the “token necklace” argument, which is always a by-product concern of physical tokens, we need to be especially cognizant that today’s cybercrime is very sophisticated and comprehensive. Not only are personal computers, tablets and mobile phones routinely hacked, infected and otherwise compromised to steal a user’s personal data; the most insidious threats come from fraud vectors such as Man-in-the-Browser (MitB) attacks, which can render all forms of user authentication, even a physical Security Key, ineffective.

In fact, it is worse, since the token can engender a false sense of security for both the consumer and the bank. Trust is established in the relationship, which creates a perception that any resulting transaction must be genuine. Wrong. MitB thrives on such trust to perpetrate its crime, stealing personal information and credentials and manipulating the details of the transaction in real time with such precision that, whilst the customer believes (s)he is confirming the transaction visible on the screen, the bank/service provider is receiving an entirely different transaction that the fraudster wishes to take place. And there are countless variations of such malware available in the wild today, all custom built for a specific purpose.

Such fraud is possible since MitB is a threat that infects a web browser by taking advantage of its security vulnerabilities to modify web pages, modify transaction content or insert additional transactions, all in a completely covert manner invisible to all parties to a transaction. MitB acts as a sophisticated “Man in the Middle” and is capable of compromising all forms of user authentication.

When we first encountered MitB in 2007, we were shocked by the scope of the problem. Sadly, 7 years later, the full horror of such fundamental weaknesses in our core internet security architecture became apparent. 2014 will be remembered for headlines concerning Heartbleed, POODLE, and many others that created global enterprise panic and a rush to produce patches and other “fixes”. In 2015, we need to understand that all authentication tools, be they passwords, Security Keys or even biometrics, are just tools, all necessary parts of a larger, multilayered authentication and transaction verification system.
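To make the difference between authenticating the user and verifying the transaction concrete, here is an added illustration that is not part of the original article and is not Google's, FIDO's or ValidSoft's implementation. It is a constructed simulation in which a bank that trusts only the authenticated session accepts an altered payment, while a bank that requires an approval bound to the payment details rejects it; the function names, the shared key, the message format and the assumption that the details reach the trusted device by a path the browser cannot alter are all hypothetical.

```python
import hashlib
import hmac
import json
import secrets


def canonical(tx):
    """Serialise the approved fields deterministically so both sides MAC the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def device_confirm(key, tx_approved):
    """Trusted second device: MAC over the details the user actually reviewed."""
    return hmac.new(key, canonical(tx_approved), hashlib.sha256).hexdigest()


def bank_session_only(session_authenticated, tx_received):
    """Weak model: a successful login or token tap approves whatever request arrives."""
    return session_authenticated


def bank_transaction_bound(key, tx_received, confirmation, used_nonces):
    """Stronger model: the approval must match the received transaction, once only."""
    expected = hmac.new(key, canonical(tx_received), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, confirmation):
        return False  # details differ from what the user approved
    if tx_received["nonce"] in used_nonces:
        return False  # a valid approval is being replayed
    used_nonces.add(tx_received["nonce"])
    return True


def simulate():
    key = secrets.token_bytes(32)  # assumption: shared with the device at enrolment
    used = set()
    # Constructed sample data: what the user typed and reviewed.
    intended = {"payee": "ACCT-LANDLORD-001", "amount": "950.00",
                "currency": "GBP", "nonce": secrets.token_hex(8)}
    # Constructed stand-in for the request after in-browser alteration.
    received = dict(intended, payee="ACCT-UNKNOWN-999", amount="9500.00")
    confirmation = device_confirm(key, intended)
    return {
        "session_only_accepts_altered": bank_session_only(True, received),
        "bound_accepts_altered": bank_transaction_bound(key, received, confirmation, used),
        "bound_accepts_genuine": bank_transaction_bound(key, intended, confirmation, used),
        "bound_accepts_replay": bank_transaction_bound(key, intended, confirmation, used),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```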

The blueprint for success is device trust and strong user and transaction authentication incorporating voice biometrics. The battle for the “token” is long over; the best “token” remains our smart phone, once the device is “trusted”. This platform provides the optimum environment for the implementation of a real-time, multi-layer, multi-factor security model. There, the layers are invisible and user and transaction authentication can be reliably committed through the application of voice biometrics. The resultant security model is very strong, available today in a totally integrated and indigenous format, is easy to use and virtually frictionless. Moreover, it enables such a strong security model to be deployed across all the channels, to counter all known sophisticated fraud threats, including MitB.

Food for thought indeed!

 


Pat Carroll


Founder/Executive Chairman

ValidSoft
