The convenience of doing business on the web has embedded itself into consumers' everyday routines to the point where the ability to quickly complete a multitude of tasks online has come to be expected.
Twenty-four hour access to online bill payment, mortgage application or stock trading sites from the comfort of home is raising consumer expectations for services available on the internet. Savvy e-businesses have been quick to accommodate consumers' increasing demand for convenience. With ever-increasing bandwidth and accessibility options, one might assume we've only begun to experience the full power of the internet as a product and service delivery channel. Not necessarily.
With record numbers of consumers and businesses conducting more of their affairs online, criminal organizations have targeted the web for profit. Being under siege by attackers has exposed the underlying security weaknesses associated with moving sensitive financial business processes onto the web. E-businesses in general, and specifically those permitting self-service of high-value transactions, have reached a dangerous intersection. Faced with sophisticated fraud schemes, online businesses must carefully weigh the risk exposure that comes with delivering additional services to online customers against the value of those services.
When security mechanisms designed to protect online transactions are measured against convenience, one quickly discovers an inverse relationship. For transactions of little value like accessing a news site for general research or registering for an unsecured email account, very little is at stake. In these situations, users seldom need to authenticate or identify themselves to any great degree. It's very convenient, but not very secure.
Conversely, when an individual is required to appear in person to sign a mortgage application and bring along several forms of identification, it is very secure – but not very convenient. E-businesses must balance the security, the convenience, the cost and the revenue of providing online services. These organizations must continuously assess their shifting risk exposure and enhance their arsenal of security defenses to respond to new threats and protect customers. And since no single organization owns or controls every aspect of the online transaction infrastructure, e-businesses must also participate in and influence industry cooperation to thwart fraudulent activity. All of these efforts come at a significant cost.
However, once an e-business has developed a security infrastructure capable of reducing risk to acceptable levels and gained the trust of its customers, it is in a position to offer more and higher-value services, which translate to increased revenues. Recent fraud schemes perpetrated on the internet suggest that e-business may have reached a service delivery tipping point: a point at which additional online services cannot be offered without an associated increase in the security procedures (and inconvenience) a user must accept to take advantage of those services.
The question becomes one of how much security is appropriate and how much inconvenience a user is willing to accept to continue taking advantage of online facilities. The popular thinking has been that the average internet user will not accept more than a few seconds of delay before they take their online patronage elsewhere. It may be time to let the impatient customer go elsewhere – or perhaps time to require that users participate in protecting their assets.
What exactly is the point at which a business would rather allow a consumer to go elsewhere instead of accepting a potentially fraudulent transaction? The actual threshold may be lower than one would initially think given the associated costs of online fraud. Unlike consumers who are most often reimbursed for fraud incidents by their banks or credit card companies, online businesses are responsible not only for lost merchandise, but also credit card chargeback fees that accompany fraudulent transactions. These hard cost considerations must also be combined with potential hits against a company's reputation when large-scale fraud or identity theft is reported in the media.
Fortunately, the increased media focus on the risks of online business has helped to educate consumers about the importance of safeguarding their identities and online transactions. As consumers become increasingly aware of online risks, they are more likely to take an active interest in protecting their internet transactions. Consumers willing to participate in the security process could prove helpful to companies that otherwise face scaling back online activity because of increased fraud expenses.
The following four examples illustrate the need for consumers to take a more active role in protecting their online activities by accepting the need for an additional layer of security and inconvenience:
Risk: Online criminals break into accounts.
Reason: Shared secret (e.g. password) is the only method of authentication.
Better practice: Use of multi-factor authentication, which requires a shared secret plus something else, such as an authentication device (e.g. a token or phone) or a biometric measurement (e.g. a fingerprint or voiceprint).
Risk: Creation of illegitimate accounts by online criminals.
Reason: Identity verification based only on data the applicant types into a form (i.e. knowledge-based verification).
Better practice: Use of multi-factor and out-of-band identity verification (e.g. delivering account credentials outside of the internet session, such as via a real-time, automated phone call).
Risk: "Phishing" (i.e. capturing secrets by tricking users into logging onto a fraudulent site).
Reason: Poor tools offered for users to recognize the difference between legitimate and fraudulent websites.
Better practice: Industry cooperation to encourage and support better browsers with advanced website authentication techniques; Out-of-band site signatures.
Risk: Misuse of legitimate accounts.
Reason: Weak or nonexistent transaction verification.
Better practice: Anomaly detection; Use of real-time transaction notification or verification (especially for high value transactions).
Enlisting the participation of consumers to verify high-risk or high-dollar online transactions can be as simple as requesting transaction authorization via telephone before it is processed, or as sophisticated as using a biometric measurement for confirmation.
Recently, several of the nation's largest online brokerage firms disclosed that hackers breached customer accounts and made millions of dollars in unauthorized trades. These attacks succeeded because criminals were able to penetrate existing defenses, create fraudulent accounts, and manipulate legitimate accounts. The old axiom that a chain is only as strong as its weakest link certainly rang true: despite having sophisticated security processes in place, these firms suffered significant losses.
A simple and effective out-of-band mechanism that complements existing security systems could have thwarted these attacks. For example, a new account could be barred from use until the user's identity is verified via a token mailed to the account owner or a real-time phone call to the account owner's home phone to capture a voice recording. Simply knowing some data about a person would no longer be enough to fake an identity.
Furthermore, out-of-band security measures can prevent fraud at various stages of the transaction life-cycle. In the stock-trading scams referenced above, a real-time notification system that alerted the actual account holders that trades were underway would have short-circuited the attacks. Receiving an automated phone call in the middle of the night to confirm the purchase of 25,000 shares of an over-the-counter security would be moderately inconvenient, perhaps, but it would empower the account holder to participate in saving millions. From my experience, this creates loyal customers and positive press.
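The following Python sketch is an added example, not code from the article or from Authentify, showing the shape of the transaction-verification gate described above and in the fourth "better practice": a simple anomaly rule decides which transactions need out-of-band confirmation, a single-use, time-limited code is issued for delivery over a separate channel (the automated phone call in the article), and confirmation is bound to the exact transaction details so a code captured for one trade cannot approve another. The threshold, code length, five-minute expiry, in-memory stores and the sample 25,000-share trade are all constructed assumptions; returning the code from `issue_challenge` only stands in for out-of-band delivery.

```python
"""Out-of-band transaction verification gate (added illustrative example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

HIGH_VALUE_THRESHOLD = 10_000.00   # assumed: amount that always triggers a check
CODE_DIGITS = 6                    # assumed: length of the spoken/typed one-time code
CHALLENGE_TTL_SECONDS = 300        # assumed: a challenge is valid for five minutes


@dataclass(frozen=True)
class Transaction:
    account_id: str
    amount: float
    destination: str   # counterparty account, or the security being bought


@dataclass
class Challenge:
    code_hash: bytes        # only a hash of the code is kept server-side
    tx_fingerprint: bytes   # binds the challenge to one exact transaction
    expires_at: float
    used: bool = False


# In-memory stores standing in for a database.
CHALLENGES: Dict[str, Challenge] = {}
KNOWN_DESTINATIONS: Dict[str, Set[str]] = {}


def tx_fingerprint(tx: Transaction) -> bytes:
    """Hash of the transaction details, so a code issued for one transaction
    cannot be replayed to approve a different one."""
    material = f"{tx.account_id}|{tx.amount:.2f}|{tx.destination}".encode()
    return hashlib.sha256(material).digest()


def needs_oob_verification(tx: Transaction) -> bool:
    """Anomaly rule: high value, or a destination this account has never used."""
    seen = KNOWN_DESTINATIONS.get(tx.account_id, set())
    return tx.amount >= HIGH_VALUE_THRESHOLD or tx.destination not in seen


def issue_challenge(tx: Transaction, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a single-use, time-limited challenge and return (challenge_id, code).
    The code would be delivered over a separate channel (e.g. an automated phone
    call); returning it here only simulates that delivery."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    challenge_id = secrets.token_urlsafe(16)
    CHALLENGES[challenge_id] = Challenge(
        code_hash=hashlib.sha256(code.encode()).digest(),
        tx_fingerprint=tx_fingerprint(tx),
        expires_at=now + CHALLENGE_TTL_SECONDS,
    )
    return challenge_id, code


def confirm(challenge_id: str, code: str, tx: Transaction,
            now: Optional[float] = None) -> str:
    """Return "approved" or the reason for refusal. A challenge is consumed on
    the first attempt, success or failure, so codes cannot be guessed by retrying."""
    now = time.time() if now is None else now
    ch = CHALLENGES.get(challenge_id)
    if ch is None:
        return "unknown challenge"
    if ch.used:
        return "challenge already used"
    ch.used = True
    if now > ch.expires_at:
        return "challenge expired"
    if not hmac.compare_digest(ch.tx_fingerprint, tx_fingerprint(tx)):
        return "transaction details do not match the challenge"
    if not hmac.compare_digest(ch.code_hash, hashlib.sha256(code.encode()).digest()):
        return "wrong code"
    KNOWN_DESTINATIONS.setdefault(tx.account_id, set()).add(tx.destination)
    return "approved"


def demo() -> List[str]:
    """Walk through the scenarios the article describes with a fixed clock:
    a legitimate confirmation, a replay, a code misused for a different trade,
    and an expired challenge."""
    t0 = 1_700_000_000.0   # constructed fixed clock for reproducibility
    trade = Transaction("acct-123", 25_000.00, "OTC:XYZ")   # constructed sample trade
    results = ["verify" if needs_oob_verification(trade) else "skip"]
    cid, code = issue_challenge(trade, now=t0)
    results.append(confirm(cid, code, trade, now=t0 + 30))
    results.append(confirm(cid, code, trade, now=t0 + 31))    # replay of a used challenge
    cid2, code2 = issue_challenge(trade, now=t0)
    other = Transaction("acct-123", 25_000.00, "OTC:ABC")
    results.append(confirm(cid2, code2, other, now=t0 + 30))  # code bound to another trade
    cid3, code3 = issue_challenge(trade, now=t0)
    results.append(confirm(cid3, code3, trade, now=t0 + CHALLENGE_TTL_SECONDS + 1))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Two design points matter here: the challenge is marked used before any check runs, so one wrong guess burns it rather than giving an attacker unlimited tries at a six-digit code, and the stored fingerprint covers account, amount and destination, which is what makes the confirmation a verification of this transaction rather than a generic "yes".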
The time has come for e-businesses to concede that fraudsters are smart, organized and not going away. It is also time to concede that the growth of e-services will be fueled by web users willing to accept incremental increases in security mechanisms that are matched with the value of the transactions they are performing online.
- Andrew R. Rolfe is vice president, research and development for Authentify