Blog article

Banks use Harry Potter Technology

How would you like to be invisible? From The Invisible Man through The Lord of the Rings to Harry Potter, the idea of not being seen has fascinated people. 

Invisible security, on the other hand, is a bit counterintuitive. I mean, you've got to see it – touch it, preferably – in order to feel secure. Surely two-factor authentication tokens, for example, are more secure than anything invisible? 

Well, the truth is that visible security has its limits. Fraudsters, when presented with a visible barrier to pass, change their tactics and find clever new ways to breach that new security. No code-breaking, mind you: today they typically use a combination of basic technology and shrewd social engineering to trick users into passing the authentication for them. 

Take challenge-response authentication as an example. What was once considered robust security is easily defeated these days using simple man-in-the-middle phishing kits you can buy and launch for a few dollars: the kit opens the real session with the bank, shows the bank's challenge to the victim on a fake page, and passes the victim's token response straight back to the bank. The token works exactly as designed; it just answers for the wrong session. 

Even with the crude malware available today – which, mark my words, is the Middle Ages compared to what we're about to see in the next decade – the most sophisticated visible security can be beaten to a pulp. It requires a certain level of creativity and some social engineering, but if you build it, they will come. An arms race will develop. 

On the other hand, invisible security – things that are done behind the scenes to protect the consumer – is far more difficult for the fraudsters to counter. If there's no physical obstacle to overcome, no clear authentication challenge, this can befuddle fraudsters attacking financial institutions and similar targets. Are you making decisions based on the user's device fingerprint? The geo-location of his IP address? The amount of the money transfer, if that's the way the fraudster chooses to empty the victim's bank account? Some other parameters? 

Well, since you're not planning to make it public, it's quite difficult for the fraudster to figure it out. I can already tell you I omitted some pretty indicative factors from the list above. So rather than developing an arms race, you start a guess race. A battle of wits.  

Which is what many banks are doing these days. Harry Potter technology. Security with a cloaking device. They deploy behind-the-scenes monitoring of logins, transactions and eCommerce purchases. They assess the individual risk of each activity. Then they make a decision, which can be to allow the activity to continue, to stop it, or to delay it until it is properly reviewed. They may also decide to challenge the user with extra authentication for this particular activity (this is known as risk-based authentication). 
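A toy model of both layers described above, the relayed challenge-response attack from the paragraph on phishing kits and the behind-the-scenes scoring and decision from this one, as an added example that is not part of the original post. Everything in it is an assumption made for illustration: the HMAC-based token scheme, the three risk signals and their weights, the decision thresholds, and the customer, device and phisher data are all constructed, not any bank's real logic.

```python
"""Visible (challenge-response) vs. invisible (risk-based) checks on one attempt.

Added example, not code from the original post. Token scheme, signals,
weights, thresholds and all sample data are constructed assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def token_response(token_secret: bytes, challenge: str) -> str:
    """What the customer's token displays for a challenge (assumed scheme:
    HMAC-SHA256 of the challenge, truncated to 8 hex digits)."""
    return hmac.new(token_secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


@dataclass
class Attempt:
    user: str
    challenge: str
    response: str      # the visible factor: whatever was typed into the bank's page
    device_fp: str     # invisible signals the bank observes server-side
    ip_country: str
    amount: float


class Bank:
    def __init__(self, token_secrets: dict, history: dict):
        self.token_secrets = token_secrets
        self.history = history   # per user: known device fingerprints, home country, usual ceiling
        self.pending = {}        # outstanding challenge per user

    def issue_challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_hex(4)
        return self.pending[user]

    def visible_check(self, a: Attempt) -> bool:
        """Passing this proves only that someone holding the token answered
        *this* challenge, not that the session belongs to the customer."""
        challenge = self.pending.pop(a.user, None)
        if challenge is None or challenge != a.challenge:
            return False
        expected = token_response(self.token_secrets[a.user], challenge)
        return hmac.compare_digest(expected, a.response)

    def risk_score(self, a: Attempt) -> int:
        """Invisible check. Which signals count, and how much, is never shown to the user."""
        h = self.history[a.user]
        score = 0
        if a.device_fp not in h["devices"]:
            score += 40
        if a.ip_country != h["country"]:
            score += 30
        if a.amount > h["typical_max"]:
            score += 30
        return score

    def decide(self, a: Attempt) -> tuple:
        """Returns (visible check passed, risk score, decision)."""
        if not self.visible_check(a):
            return (False, 0, "deny")
        score = self.risk_score(a)
        if score >= 70:
            return (True, score, "block")    # hold for manual review
        if score >= 40:
            return (True, score, "step-up")  # risk-based authentication: extra challenge
        return (True, score, "allow")


# Constructed customer: one known laptop, banks from IL, rarely moves more than 1000.
ALICE = "alice"
ALICE_TOKEN = b"constructed-token-seed-for-alice"


def make_bank() -> Bank:
    return Bank({ALICE: ALICE_TOKEN},
                {ALICE: {"devices": {"fp-alice-laptop"}, "country": "IL", "typical_max": 1000.0}})


def legitimate_transfer() -> tuple:
    bank = make_bank()
    challenge = bank.issue_challenge(ALICE)
    response = token_response(ALICE_TOKEN, challenge)  # Alice reads it off her token
    return bank.decide(Attempt(ALICE, challenge, response, "fp-alice-laptop", "IL", 250.0))


def new_phone_login() -> tuple:
    """Same customer, unfamiliar device: the bank steps up rather than refusing."""
    bank = make_bank()
    challenge = bank.issue_challenge(ALICE)
    response = token_response(ALICE_TOKEN, challenge)
    return bank.decide(Attempt(ALICE, challenge, response, "fp-alice-new-phone", "IL", 250.0))


def relayed_phishing() -> tuple:
    """Real-time man-in-the-middle phishing: the phisher opens the genuine session,
    shows the bank's challenge on a fake page, and forwards the victim's token
    response. The visible factor arrives intact; the invisible signals do not."""
    bank = make_bank()
    challenge = bank.issue_challenge(ALICE)            # phisher's own session with the real bank
    response = token_response(ALICE_TOKEN, challenge)  # victim types what her token shows into the fake page
    return bank.decide(Attempt(ALICE, challenge, response, "fp-phisher-vm", "ZZ", 4900.0))


def guessed_response() -> tuple:
    """No token and no relay: the visible check alone stops this one."""
    bank = make_bank()
    challenge = bank.issue_challenge(ALICE)
    return bank.decide(Attempt(ALICE, challenge, "no-token", "fp-alice-laptop", "IL", 250.0))


if __name__ == "__main__":
    for scenario in (legitimate_transfer, new_phone_login, relayed_phishing, guessed_response):
        print(f"{scenario.__name__:20s} -> {scenario()}")
```

The relayed attempt is the point: it passes the token check just as the customer would, and only the server-side score (unknown device, unknown country, unusually large amount) turns it into a block. The new-phone case shows the same scoring producing a step-up instead of a refusal. Because the weights and thresholds live entirely on the bank's side, retuning them needs no new tokens in the post.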

The good news is that, unlike visible authentication, invisible security is easy to tweak. The behind-the-scenes defenses are very flexible: changing a rule or a weight on the server takes effect immediately, with nothing to reissue or mail to customers. This means the bank now has the advantage of quickly changing its invisible tactics. 

The bad news is that it’s invisible not just to the fraudster, but also to the consumer. “Is this all the security you have?” you might be asked by the savvy customer.  

Well, telling the consumers that they should feel safe and secure without showing them how, is a bit like expecting people to believe in an invisible god when they have a whole pantheon of extremely visible gods to choose from. 

This makes the case for using BOTH visible and invisible authentication. Something visible or tangible the customers can see, appreciating the extra effort you’ve made to protect them; and something invisible that will add a transparent, effective and flexible protection layer against current and future fraud trends. 

Not everyone cares, by the way. Customers say they want extra security, but at the same time all they really care about is being able to complete their eCommerce transaction, their online banking session, with as little hassle as possible. I would say that only 10%-20% of customers are savvy enough to actually appreciate visible security, 10%-20% will look with horror at whatever authentication device you sent them through the mail, and the other 60%-80% won’t really care either way. They just expect you to protect them, and how you do it is basically your problem. 

Still, it's worth considering both approaches – the visible and the invisible one – and certainly not relying on visible security alone, even if it seems like a silver bullet. Silver bullets don't exist.


Comments: (2)

A Finextra member, 17 April, 2008, 04:27

Hi Uri,

There have been considerable advances in risk software recently and banks are much more able to measure the risk in a transaction. There is no silver bullet but there is always room for improved transaction technology and it should include everything you mentioned.

The goal is to get the perception into the customer's mind, so why not just put it in their hands where they can see it, and still do the other 'Harry Potter' in the background? 

After all - 'best guess' isn't really the best we can do. 

Uri Rivner - Refine Intelligence - Tel Aviv, 17 April, 2008, 06:06

Dean - you're right, and giving customers something they can see or touch is always a good idea. I'd say the best strategy is to offer security to customers who want it, protect the ones who don't care about it using invisible security, and in any case think 'flexible' and develop a 'bag of tricks' you can throw at the bad guys, rather than rely on a single layer.
