31 October 2014


Pat Carroll - ValidSoft


Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Securing Transactions Means More Than Just Authentication

10 July 2014  |  2579 views  |  0

The payments world is all abuzz about the potential of biometrics to solve many of the serious payment security issues we now face. Not only does biometric authentication, be it voice, iris or even Apple's Touch ID fingerprint scanner, finally allow us to kill or at least reduce the role of the dreaded and much maligned password, it also opens up the possibility of deploying multilayered authentication schemes built around the unique "something we are" factor.

Unfortunately, in light of significant recent cybercrime activity in Brazil and in Europe involving Man-in-the-Browser attacks, one must ask: what good is the most advanced authentication technology against a fraud vector that simply rides on a successful authentication and targets the transaction instead?

For combating fraud, multifactor authentication is clearly part of the solution as it curtails the damage done by stolen credentials (such as login passwords or security questions). But in Brazil, we are witnessing the nearly boundless lengths that today’s cybercrooks will go to, utilizing vectors which have the potential to compromise the very underpinnings of transaction security.

The events in Brazil feature the Man-in-the-Browser (MitB) attack vector. While not particularly new, it is increasingly insidious because its success actually depends on the victim proving their identity through whatever authentication layers or security schemes their bank or financial institution employs: the malware waits for the genuine customer to log in and then tampers with what that authenticated session does.

MitB is a threat that infects a web browser, taking advantage of its security vulnerabilities to modify web pages, modify transaction content or insert additional transactions, all in a completely covert manner invisible to both parties (the consumer/end user and the host institution). Because MitB sits inside the browser, after any transport encryption has been removed and before anything is rendered to the user, it can intercept and alter all transaction information regardless of whether security mechanisms such as SSL/PKI and two- or three-factor authentication are in use. MitB makes sole reliance on ALL forms of authentication, even biometrics, irrelevant: the bank is talking to the right person, but not about the transaction that person intended. Therefore, to protect consumers from becoming yet another cybercrime statistic, what is needed is not only user authentication, but true transaction verification.

While I have long been a vocal proponent of strong authentication, now more than ever we all must look at how we fundamentally approach transaction security, because authentication alone, even multifactor, is clearly not enough. The security vendors that thrive in this space will be those that secure the complete transaction from both the strong authentication and the transaction verification perspectives.

In my view, the first step is to regain control via a "trusted channel" through increased use of Out-of-Band (OOB) communications, such as a trusted device like a mobile phone, on which the customer can confirm the details and legitimacy of a transaction as the bank actually received it, rather than as the compromised browser displays it. Combining voice biometric authentication with transaction verification on this OOB channel provides the capability to counter sophisticated fraud vectors such as MitB, MitM, call forwarding, SIM swap and device theft.
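To make the two points above concrete (a MitB alters the transaction after the customer has authenticated, and an out-of-band confirmation defeats it because the customer sees what the bank actually received), the following simulation is an added example; it is not code from the original post or from ValidSoft, and the bank back end, the session identifier, the tampering function and the sample payee are all constructed for illustration. The bank binds a one-time code to the transaction as submitted, so the code cannot be carried over to a different transaction, and the customer compares the displayed details with what they intended before entering it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_cents: int
    currency: str = "EUR"

    def canonical(self) -> bytes:
        # Fixed field order so the confirmation code binds to exactly these values.
        return f"{self.payee}|{self.amount_cents}|{self.currency}".encode()

    def describe(self) -> str:
        return f"{self.amount_cents / 100:.2f} {self.currency} to {self.payee}"


class BankServer:
    """Hypothetical bank back end (constructed for this example).

    It only ever sees what the browser submitted, which under MitB may already
    be altered, and it issues a one-time code bound to exactly that content.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # constructed server-side secret
        self._pending: dict = {}

    def submit(self, session: str, tx: Transaction) -> tuple:
        """Record the transaction as received and build the confirmation message."""
        nonce = secrets.token_hex(8)
        mac = hmac.new(self._key, nonce.encode() + tx.canonical(), hashlib.sha256)
        code = mac.hexdigest()[:6]
        self._pending[session] = (tx, code)
        message = f"Confirm payment of {tx.describe()}. Code: {code}"
        return message, code

    def finalize(self, session: str, code_entered: str) -> str:
        """Execute the pending transaction only if the code matches the one bound to it."""
        tx, code = self._pending.pop(session)
        if hmac.compare_digest(code, code_entered):
            return f"APPROVED {tx.describe()}"
        return "REJECTED"


def user_confirms(intended: Transaction, displayed: str) -> bool:
    """The customer reads the confirmation screen and compares it with what they meant to send."""
    return intended.describe() in displayed


def mitb_tamper(tx: Transaction) -> Transaction:
    """Constructed stand-in for malware rewriting the submitted payee and amount."""
    return Transaction(payee="MULE-ACCOUNT", amount_cents=tx.amount_cents * 10, currency=tx.currency)


def run_payment(intended: Transaction, infected: bool, out_of_band: bool) -> str:
    """Simulate one payment; returns the outcome from the bank's point of view."""
    bank = BankServer()
    submitted = mitb_tamper(intended) if infected else intended
    message, code = bank.submit("sess-1", submitted)
    if out_of_band:
        # Delivered to the trusted device: the infected browser never sees it,
        # so the customer is shown the transaction the bank really received.
        displayed = message
    elif infected:
        # In-band: the same message is rendered by the infected browser, which
        # rewrites the details back to what the customer expects to see.
        displayed = message.replace(submitted.describe(), intended.describe())
    else:
        displayed = message
    if not user_confirms(intended, displayed):
        return "REJECTED by user"
    # The customer types the code they saw; an infected browser simply forwards it.
    return bank.finalize("sess-1", code)


if __name__ == "__main__":
    intended = Transaction(payee="ACME Ltd", amount_cents=5000)
    print("clean browser, OOB confirm:   ", run_payment(intended, infected=False, out_of_band=True))
    print("MitB, in-browser confirm:     ", run_payment(intended, infected=True, out_of_band=False))
    print("MitB, OOB confirm:            ", run_payment(intended, infected=True, out_of_band=True))
```

The in-browser path approves the tampered payment even though every authentication step succeeded, because the only place the customer could have noticed the substitution is controlled by the malware; the out-of-band path is rejected by the customer before the code is ever entered. The code itself is an HMAC over the transaction fields, so it is also useless for confirming any transaction other than the one shown.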

Second, and more importantly, the entire industry must approach transaction security through the adoption of best practices. Some examples of these can be found in the Federal Financial Institutions Examination Council's (FFIEC) Supplement to Authentication in an Internet Banking Environment, which sets out a number of framework recommendations on customer authentication, layered security and other controls for what it calls an "increasingly hostile online environment."

While it is great to see organizations such as the FFIEC and others spurring on the industry to push ahead on transaction security, we have a fragmented global banking industry that is not aligned on the issue and not presenting a unified front on transaction security and verification. It is encouraging to see an increasing number of strong authentication deployments (multifactor authentication is critical to protecting our customers), yet until we treat these factors as only part of the total security equation, we leave ourselves, and our customers, open to even more damaging and costly attacks.


Tags: Security, Payments

About the author: Pat Carroll, Founder/Executive Chairman, ValidSoft (London; Finextra member since 2011).
