18 August 2017
Uri Rivner

The Joy of Fraud Fighting

Uri Rivner - BioCatch


Why Security Guards Stopped me in Capitol Hill

26 October 2009  |  3200 views  |  0

It was a sunny day in Washington DC, and I headed towards Capitol Hill to speak at the Cyber Security Ecosystem briefing  organized by TechAmerica.

I almost didn’t make it: the security guards caught me red handed. I tried to smuggle an apple into the building.

It wasn’t a particularly big apple, mind you. It wasn’t an Apple notebook I failed to declare, just a normal apple. The one you eat. Green, with a bit of red flush.

Still, it caused a minor alarm at Security, and I was courteously but firmly instructed to throw it away. Not inside the garbage bin that was inches away; I had to go all the way back outside the lobby building, find a garbage can outside, throw the apple away and report back to the queue. They pointed me to a sign saying no food is allowed in.

Why am I telling this story?

Because later that day I was asked by an advisor to one of the US senators how America fares in terms of fighting cybercrime. I thought it was an excellent question, and said that I would divide my answer in two: the financial sector, and everything else.

The financial sector is in pretty good shape compared to the rest of the world, I suggested. The reason is that financial organizations in the US operate under a set of very sensible regulations, called the FFIEC Guidance, that on the one hand tells them they should get a grip on online security and move away from user names and passwords, but on the other hand lets them develop their own defense strategy rather than forcing a specific authentication method upon them.

The result of the FFIEC guidance, which required US financial organizations to comply by the end of 2006, was that FIs in the US built flexible defense mechanisms and deployed the security principle of defense-in-depth. Most banks today use Risk-Based Authentication (also known as Adaptive Authentication), which uses visible and invisible elements to secure customer accounts.

It could be that in a Wall Street sense, US banks took too many risks and didn't manage risk well, but when it comes to security, the risk management done today is on the right track. Some banks still validate a user's identity only during login, but many are moving to transaction-level risk management, which is the ultimate goal.

Using Risk-Based Authentication allowed financial institutions in the US to strike the desired balance between security, usability and costs.
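To make the "visible and invisible elements" and the transaction-level decision concrete, here is an added example of a small risk-based authentication scorer. It is not code from this post, from BioCatch, or from any bank: the signal names, weights and thresholds are assumptions chosen only to show the shape of the approach, in which several signals (device fingerprint, session geolocation, travel plausibility, payee history, amount versus the customer's profile) feed a score, and the score selects allow, step-up or block rather than a single hard check at login.

```python
"""Illustrative risk-based (adaptive) authentication for a single transaction.

Added example, not code from the post or from any bank or vendor. Signal
names, weights and thresholds are hypothetical; a real deployment would
tune them from observed fraud and false-positive rates.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # ask for an additional factor (OTP, call-back)
    BLOCK = "block"       # hold the transaction for manual review


@dataclass(frozen=True)
class Transaction:
    user_id: str
    device_known: bool            # invisible signal: device fingerprint seen before
    ip_country: str               # invisible signal: geolocation of the session IP
    home_country: str             # from the customer profile
    minutes_since_last_login: int
    last_login_country: str
    amount: float
    payee_known: bool             # visible signal: payee used before by this customer
    daily_avg_amount: float       # behavioural baseline from the customer's history


# Assumed weights (hypothetical); points are added for each signal that fires.
WEIGHTS = {
    "new_device": 30,
    "foreign_ip": 20,
    "impossible_travel": 40,
    "new_payee": 15,
    "amount_vs_profile": 25,
}

STEP_UP_THRESHOLD = 40   # assumed: at or above this, require another factor
BLOCK_THRESHOLD = 70     # assumed: at or above this, hold for review


def risk_signals(tx: Transaction) -> list[tuple[str, int]]:
    """Return the (signal, points) pairs that fired for this transaction."""
    fired = []
    if not tx.device_known:
        fired.append(("new_device", WEIGHTS["new_device"]))
    if tx.ip_country != tx.home_country:
        fired.append(("foreign_ip", WEIGHTS["foreign_ip"]))
    # Impossible travel: a different country than the previous session within an hour.
    if tx.last_login_country != tx.ip_country and tx.minutes_since_last_login < 60:
        fired.append(("impossible_travel", WEIGHTS["impossible_travel"]))
    if not tx.payee_known:
        fired.append(("new_payee", WEIGHTS["new_payee"]))
    # Amount far outside the customer's usual behaviour.
    if tx.daily_avg_amount > 0 and tx.amount > 5 * tx.daily_avg_amount:
        fired.append(("amount_vs_profile", WEIGHTS["amount_vs_profile"]))
    return fired


def risk_score(tx: Transaction) -> int:
    """Sum the fired signals, capped at 100."""
    return min(100, sum(points for _, points in risk_signals(tx)))


def decide(tx: Transaction) -> Decision:
    """Map the score onto the three adaptive outcomes."""
    score = risk_score(tx)
    if score >= BLOCK_THRESHOLD:
        return Decision.BLOCK
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample transactions (not real data).
ROUTINE = Transaction("alice", True, "US", "US", 1440, "US", 120.0, True, 100.0)
NEW_DEVICE_NEW_PAYEE = Transaction("alice", False, "US", "US", 1440, "US", 150.0, False, 100.0)
ANOMALOUS = Transaction("alice", False, "RO", "US", 20, "US", 2500.0, False, 100.0)

if __name__ == "__main__":
    for name, tx in [("routine", ROUTINE),
                     ("new device + payee", NEW_DEVICE_NEW_PAYEE),
                     ("anomalous", ANOMALOUS)]:
        print(f"{name:20s} score={risk_score(tx):3d} -> {decide(tx).value}")
```

The routine payment scores 0 and passes silently, the new-device-plus-new-payee case lands in the step-up band, and the anomalous case (unknown device, foreign IP inconsistent with a login twenty minutes earlier, new payee, amount far above the baseline) is held. The point of the design is that no single signal decides: a known customer on a new device is merely challenged, not locked out, which is the balance between security and usability the post describes.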

But there was a second part to my answer. As a general statement, other, non-financial verticals in the US did not change the way they manage the risk of unauthorized access to their users' accounts. Lacking a regulatory drive and not feeling the same level of financial losses, American online services in the healthcare, government and retail sectors are at a disadvantage compared to similar services around the world.

This should change soon, as many fraudsters turn their attention to the non-financial sectors. Already there are fraudsters fully aware of the value of the data they siphon off non-financial targets. This trend will only grow in the coming years and will require all online services to adopt better protection, defense in depth and adaptive risk management controls.

What shouldn't happen is moving from the current state of affairs to the opposite extreme: reacting in panic and using the sledgehammer approach when the threat landscape changes. There will always be risks, and the challenge is managing them in a sensible way. Not stopping a guy because he has an apple in his laptop bag…

Tags: Security, Risk & regulation
