It was a sunny day in Washington DC, and I headed towards Capitol Hill to speak at the Cyber Security Ecosystem briefing organized by TechAmerica.
I almost didn’t make it: the security guards caught me red-handed. I tried to smuggle an apple into the building.
It wasn’t a particularly big apple, mind you. It wasn’t an Apple notebook I failed to declare, just a normal apple. The one you eat. Green, with a bit of red flush.
Still, it caused a minor alarm at Security, and I was courteously but firmly instructed to throw it away. Not into the garbage bin that was inches away; I had to go all the way back outside the lobby, find a garbage can outside, throw the apple away and report back to the queue. They pointed me to a sign saying no food is allowed in.
Why am I telling this story?
Because later that day I was asked by an advisor to one of the US senators how America fares in terms of fighting cybercrime. I thought it was an excellent question, and said that I’d divide my answer in two: the financial sector, and everything else.
The financial sector is in pretty good shape compared to the rest of the world, I suggested. The reason is that financial organizations in the US operate under a set of very sensible regulations – called the FFIEC Guidance – that on the one hand tell them to get a grip on online security and move away from user names and passwords, but on the other hand let them develop their own defense strategy rather than forcing a specific authentication method upon them.
The result of the FFIEC guidance, which required US financial organizations to comply by the end of 2006, was that FIs in the US built flexible defense mechanisms and deployed the security principle of defense-in-depth. Most banks today use Risk-Based Authentication (also known as Adaptive Authentication), which uses visible and invisible elements to secure customer accounts.
It could be that in a Wall Street sense, US banks took too many risks and didn’t manage risk well, but when it comes to security, the risk management done today is on the right track. Some banks still validate a user’s identity only during login, but many are moving to transaction-level risk management, which is the ultimate goal.
Using Risk-Based Authentication allowed financial institutions in the US to strike the desired balance between security, usability and costs.
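To make the "visible and invisible elements" and the login-only versus transaction-level distinction concrete, here is an added, illustrative risk engine (example code written for this post, not any bank's or vendor's implementation). The signals, weights and thresholds are constructed assumptions; a real deployment would tune them from fraud data.

```python
"""Illustrative risk-based (adaptive) authentication engine.

Invisible elements (device, location, amount, payee) are scored without
bothering the user; a visible element (a step-up challenge such as a
one-time code) is demanded only when the score crosses a threshold.
The same engine runs at login AND on every transaction, i.e. the
transaction-level risk management the post describes as the goal.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    """What the service already knows about the legitimate customer."""
    known_devices: set = field(default_factory=set)
    home_country: str = "US"
    typical_max_amount: float = 500.0   # constructed baseline


@dataclass
class Event:
    """A login or a money transfer, with its invisible signals attached."""
    kind: str                 # "login" or "transfer"
    device_id: str
    country: str
    amount: float = 0.0
    new_payee: bool = False


def risk_score(profile: Profile, event: Event) -> int:
    """Sum constructed weights for each anomalous invisible signal."""
    score = 0
    if event.device_id not in profile.known_devices:
        score += 40                       # unrecognised device
    if event.country != profile.home_country:
        score += 30                       # unusual geography
    if event.kind == "transfer":
        if event.amount > profile.typical_max_amount:
            score += 25                   # atypically large amount
        if event.new_payee:
            score += 15                   # first payment to this payee
    return score


def decide(profile: Profile, event: Event,
           challenge_at: int = 40, deny_at: int = 90) -> tuple[str, int]:
    """Map the score to allow / challenge (visible step-up) / deny."""
    score = risk_score(profile, event)
    if score >= deny_at:
        return "deny", score
    if score >= challenge_at:
        return "challenge", score
    return "allow", score
```

Note that a login-only scheme would stop after the first call: the large transfer to a new payee from a trusted device still passes the login check but is challenged at transaction level.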
But there was a second part to my answer. As a general statement, other, non-financial verticals in the US did not change the way they manage the risk of unauthorized access to their users’ accounts. Lacking a regulatory drive and not feeling the same level of financial losses, American online services in the healthcare, government and retail sectors are at a disadvantage compared to similar services around the world.
This should change soon, as many fraudsters turn their attention to the non-financial sectors. Already there are fraudsters fully aware of the value of the data they siphon off non-financial targets. This trend will only grow in the coming years and require all online services to adopt better protection, defense in depth and adaptive risk management controls.
What shouldn’t happen is moving from the current state of affairs in the opposite direction: reacting in panic and using the sledgehammer approach when the threat landscape changes. There will always be risks, and the challenge is managing them in a sensible way. Not stopping a guy because he has an apple in his laptop bag…