By Dale S. Laszig
Multilayered security strategies are top of mind for cybersecurity specialists, and approaches are as varied as individual technologies. The Green Sheet asked six information security leaders for their views on security best practices; their responses reflect a common commitment and diversity of methodologies. This article explores what some experts call a holistic security strategy: ways in which layered technologies secure and protect physical and digital environments.
Andrew Deignan is global vice president of marketing at MagTek, a company that has focused on security for more than 25 years. "We have advocated on behalf of our customers, and ultimately cardholders, that a system reliant on static authorization data will always be a target for threat actors," he said. "As an industry, we have placed the onus on merchants to protect what the issuers expose in plain view on the front and back of the cards they issue."
Deignan acknowledged that progress has been made but suggested the industry focuses too much on compliance and certifications and not enough on practical security. This approach tends to stifle innovation, he noted, while burdening POS devices with multi-level certifications and leaving payments systems vulnerable to theft and fraud.
Until we uncover the root cause of payment data theft and fraud, he added, piling on compliance and certifications will do nothing more than lock the front door while keeping the back door wide open.
Deignan pointed out that every payment system relies on an authorization network that issues approvals and declines. Authorizations are binary processes; they say yes, I give my consent to move value, or no, I do not, and if we were to rely solely on authorizations, all kinds of fraud would occur, he stated.
Authentication, on the other hand, is the act of measuring, proving or asserting genuineness, Deignan said. It answers the questions: is it real, is it true, is it valid or is it genuine? If you authenticate cardholders, merchants and issuers, all relying parties could trust the whole transaction, which would remove the incentive for threat actors to steal, he said.
Deignan additionally noted that every transaction has multiple elements to authenticate, such as payor, payee and physical devices, and the authentication process must establish exactly who initiated the payment and is a party to it, as well as exact information about the recipient of the funds. This can be accomplished by authenticating appropriate credentials, which he summarized as "something the user has, knows or is." Credentials come in myriad form factors, which could be a physical token, biometric data, knowledge, a shared secret or combination of these things. "We use presented credentials to authenticate users – meaning if the credentials are valid, we are satisfied that both parties are who they say they are," Deignan said.
Jeremiah Mason, senior vice president, head of product, authID.ai, has seen large and small businesses step up security measures and increase their use of multi-factor authentication, which requires individuals to use two different credentials when logging in to a website, mobile app or connected resource. "Since the onset of the pandemic, and spurred by a recent White House mandate, enterprises and federal agencies are abandoning legacy-based cybersecurity tools and protocols in favor of more advanced, proactive cyber-defense alternatives," he said.
Mason maintained that organizations could harden security by replacing inherent trust with a zero trust access (ZTA) approach. ZTA assumes all traffic is hostile and grants access on a need-to-know basis, which creates an immutable audit trail of authorized user access and helps reduce risks and threats across an enterprise, he stated.
"Additionally, in the midst of heightened geopolitical conflict and nation-state sponsored cyberattacks, we are seeing companies either thinking about implementing or implementing MFA on a broader basis by removing passwords from MFA workflows to reduce the risk of a compromise," Mason said. "The movement towards passwordless MFA, which removes a shared secret from the workflow, also supports ZTA."
From Mason's perspective, authenticating individual users as they log in to websites and apps is not enough; their devices must also be authenticated. Fortunately, decision-makers realize this and are propelling the market forward to more secure cyber standards and practices, he noted.
Deignan agreed, stating the device that is used to conduct a transaction must be authenticated so that a relying party can recognize if a clone or altered device has been inserted into the mix to harvest payment data or redirect it to unauthorized parties. "Terminals these days come in all shapes and sizes," he said. "Even a tablet or a mobile phone can be a payment device. This variety makes authentication even more difficult but necessary."
Payment transactions require a combination of security measures, Deignan added, stating it's not enough to just approve a payment, nor is it sufficient to just encrypt payment data. "Encryption scrambles valid data and counterfeit or fraudulent data equally well," he said. "And tokens are great, but not a silver bullet, because if you can't authenticate a transaction, even if it's 'approved,' you can't trust it."
Authenticating from personal devices has become the norm for consumers around the world, but what happens when the user replaces a phone or laptop that serves as a login credential? A March 2022 white paper by the FIDO Alliance, How FIDO Addresses a Full Range of Use Cases, introduced a multi-device authentication capability that facilitates secure logins across multiple channels. With this solution, users with new devices would no longer have to buy a security key or fall back to a less secure, non-FIDO authentication method, researchers proposed.
"We believe that the syncing of FIDO credentials, together with the Bluetooth alternative, allows FIDO authentication to not only be a suitable alternative for existing two-factor deployments, but for the first time, be a viable solution for use cases where deployments of two-factor authentication methods have proven difficult, and where consequently consumers are stuck with passwords," FIDO researchers wrote. "This approach reflects an evolutionary step in the FIDO ecosystem, delivering phishing-resistant authentication at a scale that rivals that of password-based authentication deployments."
The FIDO Alliance was established in 2012 to drive simpler, stronger authentication methods through an open, scalable, interoperable framework that reduces reliance on passwords. The organization has made significant progress over the past decade toward its goal of creating stronger, private, easier ways to securely access online services, FIDO representatives stated.
The passwordless journey can be challenging for global brands tasked with implementing advanced technologies across multiple regions and regulatory landscapes while striving to deliver a consistent customer experience. This topic was explored at FIDO's March 2022 Authenticate Summit, a virtual event featuring leading ecommerce and security experts.
Manish Gupta, director of global security at Starbucks, described authentication as a platform that offers unlimited potential through its deep connection with end-users.
"You could combine authentication with other technologies to make it an enabler for ecommerce or for socioeconomic efforts, or as a protector when viewed from a cybersecurity lens, or a key component of digital transformation," Gupta said. "The possibilities seem endless when you think of what we can do. Let's continue to maintain the right balance of usability, communication, branding, and security; and let's extend our thinking to the full end-user experience and not just pigeonhole ourselves to authentication."
Agreeing that the FIDO Alliance has made significant progress in driving standardization, interoperability and security best practices, Tola Dalton, director of software development at eBay, encouraged FIDO members to celebrate incremental successes.
"There is a tendency to fixate on the end state of being truly passwordless where the user always authenticates via biometric and [other FIDO methods]," Dalton said. "One of the realizations we've had is there are really significant gains to be made along the way before we get to that end state."
An organization's security posture is measured by its ability to predict, prevent and respond to ever-changing cyber threats and, as security professionals constantly remind us, these abilities require human and machine intelligence in equal measure.
Pankit Desai, co-founder and CEO at Sequretek, proposed organizations can improve their security posture by combining predictive analytics with human expertise. "Instead of solving problems as they arise by building products that address known threats, organizations could combine machine and human intelligence to proactively assess the security landscape," he said.
Brent Johnson, chief information security officer at Bluefin, advised IT teams to identify the greatest risks to their businesses and build security budgets around mitigating and protecting against them. "My advice would be to follow tried and true methods to achieving security goals," he said. "Follow and stay up to date on NIST guidelines and security standards within a specific industry. Monitor security bulletins such as US-CERT."
Johnson noted that security has multiple technology layers, which he described as "physical security, application security, the software development lifecycle, logical security and access control/least privilege, system build configurations, patching processes, vulnerability management, and monitoring controls." He added, however, that security's purpose is unwavering and absolute. "While the technologies to achieve security continue to evolve, from my perspective within InfoSec, the basic principles remain unchanged: to ensure the confidentiality, integrity and availability of data."
Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. Connect via email firstname.lastname@example.org, LinkedIn www.linkedin.com/in/dalelaszig/ and Twitter @DSLdirect.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next