The payments world is abuzz about the potential of biometrics to solve many of the serious payment security issues we now face. Biometric authentication, whether voice, iris or even Apple’s Touch ID fingerprint scanner, not only lets us finally kill or reduce the role of the dreaded and much maligned password, it also opens up the possibility of multilayered authentication schemes built around the unique “something we are” factor.
Unfortunately, in light of significant recent cybercrime activity in Brazil and in Europe involving Man-in-the-Browser attacks, one must ask: what good is the most advanced authentication technology against a fraud vector that simply rides on a successful authentication and targets the transaction instead?
For combating fraud, multifactor authentication is clearly part of the solution, as it curtails the damage done by stolen credentials (such as login passwords or security-question answers). But in Brazil we are witnessing the nearly boundless lengths to which today’s cybercrooks will go, using vectors that compromise the very underpinnings of transaction security.
The events in Brazil feature the Man-in-the-Browser (MitB) attack vector. While not particularly new, it is increasingly insidious because its success is actually predicated on the victim proving their identity through whatever authentication layers or security schemes their bank or financial institution employs: the fraudulent transaction is submitted inside a session the legitimate customer has already authenticated.
MitB is malware that lives inside the victim’s web browser, typically as a trojan, malicious extension or injected code that hooks the browser’s own functions. From that position it can modify the web pages the user sees, alter the content of a transaction the user submits (payee, account number, amount), or insert additional transactions, all covertly and invisibly to both parties (the consumer/end user and the host institution). Because it operates inside the browser, after TLS decryption on the way in and before TLS encryption on the way out, it sees and can change all transaction data in the clear regardless of whether SSL/TLS, PKI, or two- or three-factor authentication is in use; the security indicators in the browser still look normal. MitB therefore renders sole reliance on any form of authentication, biometrics included, moot: the bank really is talking to its customer, but not about the transaction the customer thinks it is. To protect consumers from becoming yet another cybercrime statistic, what is needed is not only user authentication but genuine transaction verification, in which the customer confirms the details the bank actually received over a channel the browser does not control.
While I have long been a vocal proponent of strong authentication, now more than ever we all must look at how we fundamentally approach transaction security, because authentication alone, even multifactor, is clearly not enough. The security vendors that thrive in this space will be those that secure the complete transaction from both the strong-authentication and transaction-verification perspectives.
In my view, the first step is to regain control via a “trusted channel” through increased use of Out-of-Band (OOB) communications, such as a trusted device like a mobile phone, that can be used to confirm transaction details and legitimacy independently of the compromised browser. The confirmation must present the transaction details as the bank received them (payee and amount), not merely a generic one-time code, since a code that says nothing about the transaction will simply be relayed by the MitB. Combining voice-biometric authentication with transaction verification on this OOB channel provides the capability to counter sophisticated fraud vectors such as MitB, MitM, call forwarding, SIM swap and device theft, because the confirming voice is bound to the customer rather than to the phone number or handset.
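To make the MitB mechanism and the OOB transaction-verification argument above concrete, here is an added simulation (example code written for this page, not any bank’s or vendor’s protocol). It models a browser that a MitB has compromised, then runs the same transfer through two schemes: a generic one-time code delivered out of band, which the MitB defeats, and a confirmation bound to the transaction details the bank actually received, which the customer rejects when the details do not match. All names, amounts, the shared key and the HMAC-based binding are constructed assumptions for illustration; the voice-biometric step on the OOB channel is represented simply by the user’s yes/no answer.

```python
"""
MitB versus out-of-band transaction verification: a constructed simulation.

The browser channel, the OOB channel and the bank are all modelled in-process so
the example runs offline. Everything here (names, amounts, key) is an assumption
made for illustration, not a real institution's protocol.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: a secret held only by the bank's back end; it never reaches the browser.
BANK_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int

    def describe(self) -> str:
        return f"{self.amount_cents / 100:.2f} to {self.payee}"


def browser_submit(intended: Transfer, mitb_active: bool) -> Transfer:
    """Return what the bank actually receives from the browser.

    The page the user saw is untouched, but with a MitB present the request that
    leaves the browser carries a different payee and amount. TLS and the user's
    login are irrelevant here: the session is genuine, the content is not.
    """
    if mitb_active:
        return Transfer(payee="MULE-ACCT-000", amount_cents=intended.amount_cents * 10)
    return intended


def user_confirms_on_phone(intended: Transfer, oob_message: str) -> bool:
    """The customer reads the OOB message and compares it with what they meant to send."""
    return intended.describe() in oob_message


# --- Scheme A: generic one-time code, not bound to the transaction -------------------
def scheme_unbound_otp(intended: Transfer, mitb_active: bool) -> tuple[bool, Transfer]:
    received = browser_submit(intended, mitb_active)
    otp = secrets.token_hex(3)
    oob_message = f"Your one-time code is {otp}"  # says nothing about the transfer
    # The user types the code into the browser; the MitB forwards it unchanged,
    # so the bank sees a valid code attached to the tampered transaction.
    typed_into_browser = otp
    approved = hmac.compare_digest(typed_into_browser, otp)
    return approved, received


# --- Scheme B: confirmation bound to the details the bank received -------------------
def _binding_tag(received: Transfer, nonce: str) -> str:
    data = f"{nonce}|{received.payee}|{received.amount_cents}".encode()
    return hmac.new(BANK_KEY, data, hashlib.sha256).hexdigest()


def bank_issue_challenge(received: Transfer) -> tuple[str, str, str]:
    """Bank describes the transaction it received and ties the pending approval to it."""
    nonce = secrets.token_hex(8)
    oob_message = f"Confirm transfer of {received.describe()}? Reply YES to approve."
    return nonce, _binding_tag(received, nonce), oob_message


def bank_verify(received: Transfer, nonce: str, tag: str, user_said_yes: bool) -> bool:
    """Approve only if the user said yes to a challenge issued for exactly this transfer."""
    return user_said_yes and hmac.compare_digest(_binding_tag(received, nonce), tag)


def scheme_bound_confirmation(intended: Transfer, mitb_active: bool) -> tuple[bool, Transfer]:
    received = browser_submit(intended, mitb_active)
    nonce, tag, oob_message = bank_issue_challenge(received)
    yes = user_confirms_on_phone(intended, oob_message)
    return bank_verify(received, nonce, tag, yes), received


if __name__ == "__main__":
    intended = Transfer("ACME Utilities", 50000)  # constructed: 500.00 to a real payee
    for mitb in (False, True):
        print(f"MitB active: {mitb}")
        print("  unbound OTP   ->", scheme_unbound_otp(intended, mitb))
        print("  bound confirm ->", scheme_bound_confirmation(intended, mitb))
```

The binding tag matters for a second reason: a “YES” the bank collected for the legitimate transfer cannot be reused to approve a different one, because the HMAC covers the payee and amount along with a per-challenge nonce. In a real deployment the nonce and tag would be stored with the pending transaction and the OOB message would go to an enrolled, separately authenticated device.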
Second, and more importantly, the entire industry must approach transaction security through the adoption of best practices. Some examples can be found in the Federal Financial Institutions Examination Council’s (FFIEC) Supplement to Authentication in an Internet Banking Environment, which details a number of framework recommendations on customer authentication, layered security and other controls for what it calls an “increasingly hostile online environment.”
While it is great to see organizations such as the FFIEC and others spurring the industry on to push ahead on transaction security, we have a fragmented global banking industry that is not aligned on the issue and does not present a unified front on transaction security and verification. It is encouraging to see an increasing number of strong authentication deployments, with multifactor authentication critical to protecting our customers, yet until we view these factors as only part of the total security equation, we leave ourselves, and our customers, open to even more damaging and costly attacks.