
The Green Sheet Online Edition

December 12, 2022 • Issue 22:12:01

Fierce authentication for an omnichannel threatscape

By Dale S. Laszig

The fundamental promise of omnichannel commerce is to meet customers where they are—at any touchpoint—whether mobile app, internet, cellular network or physical store. The ability to transact across all channels has opened opportunities and threats, expanding retail and hospitality playing fields and creating a broader attack surface for fraudsters.

Opportunistic threat actors, as well as merchants and service providers, are present wherever consumers transact, making multifactor authentication (MFA) a critical need in today's omnichannel world, security experts have stated.

Developers imbue each software update and digital app with advanced protections designed to block barbarians at the gate, but strategies that exist in isolation are a meager defense against attackers known for shapeshifting and mutating as they migrate from one channel to another. This article continues The Green Sheet's examination of advances in multilayered security, including new approaches to authentication, as part of our ongoing series on secure, intelligent, agile and transparent commerce.

Fraud's escalating costs

The 2022 LexisNexis True Cost of Fraud Study: Financial Services and Lending Report, published recently by LexisNexis Risk Solutions, found fraud costs rose by 16.2 percent in the United States and 19.6 percent in Canada year over year. Findings show U.S. financial service providers pay an average of $4.23 and Canadian providers $3.78 for each dollar lost to fraud.

Chris Schnieper, senior director of fraud and identity strategy at LexisNexis Risk Solutions, emphasized the need for multilayered security in today's complex commerce environment.

"To minimize fraud, organizations can no longer rely on manual processes or point solutions to reduce fraud, manual reviews and costs," he said in a statement. "Firms using a multi-layered solutions approach that integrates identity verification and authentication within digital consumer experience can lower their cost and volume of successful fraud. This approach improves identity verification and fraud detection effectiveness and lowers friction for trusted consumers."

Evolving threatscape

High on the list of emerging attack vectors LexisNexis Risk Solutions cited were buy now, pay later scams, mobile channel attacks and synthetic identity fraud. Survey respondents reported that advanced automated attacks that bypass digital identity verification have made it difficult to distinguish bots from legitimate customers. Researchers found subpar identity verification is a vulnerability that contributes to fraud at all points of the customer journey.

"Layering in supportive capabilities such as social media intelligence and AI/ML further strengthens fraud prevention," researchers wrote. "Study findings show that firms [that] follow this approach are less likely to be challenged with identity verification, botnet attacks and optimizing fraud detection/risk levels with the customer experience. They also experience fewer successful fraud attacks per month and realize a lower cost of fraud."

LexisNexis Risk Solutions researchers recommended the following actions to harden security:

  • Identity proof customers: Identity proofing involves both verification and authentication. Verification uses self-provided data to confirm if a single identity is real. Authentication confirms a person is legitimate (who they say they are).
  • Enhance technology: Replace manual procedures with advanced, automated technologies to reduce challenge rates, manual reviews and related costs. Deploying technologies that can recognize customers, pinpoint fraud and build a knowledge base to streamline onboarding can also help detect insider threats and prevent account takeovers.
  • Assess devices: Assess more than physical attributes to authenticate an identity. Businesses need to holistically assess device risk, transaction risk and online/mobile behaviors, using data attributes like users' logins from multiple devices, locations and channels to identify risks.
  • Leverage data: Enable integrated forensics, case management and business intelligence to drive profitability. Data-driven insights will help businesses create a robust fraud and security technology platform with strong fraud management capabilities that can help them adapt to the changing digital environment.
  • Add security layers: Replace single-point protection with a multilayered security solution, customized to each phase of the customer journey and transaction channels, that protects transactions across locations, devices, geographies, user behavior and transaction patterns.

Letting customers in and keeping fraudsters out requires multilayered, strong authentication, researchers concluded, a defense ideally powered by a single authentication decision platform based on real-time event data, third-party signals and global, cross-channel intelligence.

Balancing security, customer experience

As security analysts have noted, balancing strong security with consumer preferences has long been a struggle for risk managers and customer experience officers. In a world of instant credit decisioning and optimized customer convenience, how can providers distinguish between legitimate users and fraudsters or offer easy log-ins without compromising customer security?

Forter Solutions Consultants Maddie Vagadori and Alyssa Huitema explored this issue in a Sept. 6, 2022, post titled, "The Impact of MFA on Customer Experience," proposing the world has outgrown traditional usernames and passwords, which they noted are insufficient protections for the vast majority of users who apply the same credentials across multiple sites.

"Multi-factor authentication (MFA) is the industry-standard for securing accounts and supplementing traditional username and password authentication, adding a second layer of defense," Vagadori and Huitema wrote. They cited three main buckets of factors:

  • Something you know (for example, security questions)
  • Something you have (for example, a text message sent to your device)
  • Something you are (for example, biometric authenticators).

"MFA drastically reduces the likelihood of account takeover, safeguards sensitive data and makes consumers feel like their online information is more secure," they wrote. "But MFA is not infallible, and not all factors are created equal, as there are varying degrees of man-in-the-middle resistance, susceptibility to social engineering, etc. Moreover, attackers are reaching new levels of sophistication that transcend what passwords and MFA can effectively handle."

MFA and privacy law

Vagadori and Huitema further noted that MFA, in addition to becoming an accepted ecommerce practice, has been codified into law in various regions and countries. For example, PSD2, introduced by the European Union in 2015 as a revision of the original Payment Services Directive, is designed to protect consumers throughout the EU and European Economic Area, they stated. "The most important component of PSD2 is the requirement of Strong Customer Authentication (SCA), which means that a consumer must be authenticated using additional methods or parameters," they wrote. "One of these methods is called 3-D Secure (3DS), which was introduced as a secure authentication method for online transactions."

3DS provides an extra layer of security but adds a step to the customer journey, which could lead to shopping cart abandonment and false declines, the authors noted. However, 3DS shifts liability from merchants, raises shopper confidence in online security and fosters PSD2 compliance. While the authors have seen enhancements to 3DS, they stopped short of calling the technology a silver bullet. When implemented intelligently, they wrote, the positives of 3DS outweigh the negatives, and it could even lower fraud losses by as much as 80 percent.

Beyond passwords

The FIDO (Fast IDentity Online) Alliance is focused on reducing reliance on passwords, providing a superior customer authentication experience and driving greater online service consumption, revenue and profit. Since its inception a decade ago, FIDO has driven global adoption of its technology standard and open, scalable, interoperable framework. Its diverse global ecosystem promotes heightened security, privacy and simplified user interfaces for authenticating users of online services, stated Andrew Shikiar, executive director at FIDO.

At Authenticate 2022, an annual conference held in October 2022 in Seattle, Shikiar summarized FIDO's journey: First, we built technology, using use case-driven specifications and technical outputs that are submitted to a formal standardization process run by formal standards bodies. Second, we built a thriving B2B ecosystem of FIDO products and vendors, which certifies products that conform to FIDO specifications and interoperability requirements. And last but not least, we focused on facilitating adoption, which is more and more a focus for FIDO.

Reflecting on FIDO's achievements in 2022, which included launching Passkey, a multichannel authentication solution, a FIDO professional credentialing program and a formalized design system to help FIDO members accelerate deployments, Shikiar said, "I think we have an opportunity with authentication to be a bridge of the digital divide and not another wedge. That's something we should all think about as we move forward these couple of days."

Beyond legacy MFA

Roger Grimes, data-driven defense evangelist at KnowBe4 Inc., discussed the need to continuously evolve and update security strategies at Authenticate 2022, in a talk on how to make your MFA solution more resilient. During the presentation, Grimes shared ways to make hackable MFA solutions more robust and harder to crack, while explaining why FIDO2 is one of the most secure MFA solutions on the market.

"The biggest reason we're all going from passwords to MFA is to stop password theft," Grimes said, advising the audience to avoid using MFA solutions that are as easy to steal as passwords. Even the most secure MFA solutions can be hacked in a handful of ways, he added, even those that vendors claim are not hackable. You don't even have to be anybody or know anything to commit this type of fraud, he said, because MFA hacking is built into malware or phishing kits.

Hackers use bot attacks, account recovery scams, network session hijacking and other methods to access user accounts, Grimes stated, adding he first covered network session hijacking in 1989 for InfoWorld magazine. "The victim receives a phishing email pretending to be from a trusted brand to trick them into using their password or MFA," he said, noting any user who hovered over that link would see an entirely different URL.
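
One defensive check that follows from that hover-over-the-link advice, added here as an example and not code from Grimes' talk or KnowBe4: scan the anchors in an HTML email body and flag any whose visible text names a different site than its href. The email body below is constructed sample input using reserved example domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _hostname(value):
    # Bare "example.com/path" link text has no scheme; add one so urlparse finds the host.
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        value = "http://" + value
    return (urlparse(value).hostname or "").lower().strip(".")

def _same_site(a, b):
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def find_deceptive_links(html):
    """Return (visible text, href) for anchors whose text names a different site than the href."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        # Only text that itself looks like a URL or domain can mislead a reader about the destination.
        if not re.search(r"\b[\w-]+\.[a-z]{2,}\b", text, re.I):
            continue
        shown, actual = _hostname(text), _hostname(href)
        if shown and actual and not _same_site(shown, actual):
            flagged.append((text, href))
    return flagged

# Constructed sample: a "verify your MFA" lure built with reserved example domains.
SAMPLE_EMAIL = """<p>Your MFA settings need attention.</p>
<a href="https://www.example.com/login">https://www.example.com/login</a>
<a href="https://example.net/verify">example.com/verify-mfa</a>
<a href="https://example.net/verify">Click here</a>"""
```

Running `find_deceptive_links(SAMPLE_EMAIL)` reports only the second anchor; a label such as "Click here" names no site and so cannot contradict its href, which is why hovering remains the user-side check for those.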

Web 3.0

Also at Authenticate 2022, Robert MacDonald, vice president, product marketing at 1Kosmos, spoke about how Web 3.0 will reshape authentication. He explored how perceptions about financial services and digital assets may change in a decentralized world. Pointing out that Web 3.0 has established identity standards, such as Decentralized Identifiers and Verifiable Credentials, MacDonald proposed individuals could access multiple credentials in a digital wallet to authenticate with desired entities.

"These technologies deliver an immutable, secure and flexible ledger to support identity protection," MacDonald said. "With an identity stored in a digital wallet rather than on a central server or other authority, it's possible to lock down data while preventing the traceability of sensitive data."

The Web 3.0 framework would simplify identity management, MacDonald suggested, and also give users greater control over their identity and how they choose to authenticate with various service providers such as DeFi services, traditional financial institutions and employers. Users could also leverage Web 3.0's blockchain infrastructure to control their identity data, he added, by storing their identities in digital wallets instead of a central server or authority.

MacDonald further noted that a decentralized identity and Web 3.0 environment would facilitate private identity management blockchains that support advanced authentication, including biometrics; identity proofing used for credential verification; MFA without clumsy one-time codes; and the overall frictionless customer experience that distributed ledgers and blockchain deliver.

Passwordless journey

Dhaval Shah, CEO at Rainbow Secure, noted that managed service providers have made security more accessible and affordable for businesses, including small and midsize enterprises. However, he said he'd like to see providers tailor service offerings for clients even more.

Rainbow Secure's password and passwordless solutions help clients step up security at their own pace, Shah stated, adding that the company's password solution, for example, enables users to customize password characters, numbers and backgrounds, using color and font styles that are not visible beyond their login screens. "We all need to meet customers where they are, and that includes wherever they happen to be in their security product roadmaps and passwordless journeys," Shah said.

Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. Connect via email dale@dsldirectllc.com, LinkedIn www.linkedin.com/in/dalelaszig/ and Twitter @DSLdirect.
