by Galen Gruman

New Locks, New Keys: Examine How You Authenticate Users

Oct 15, 2005
IT Strategy

No doubt all the breaches of customer data this year have forced you to defend your security strategy. And no doubt you’re being pushed to improve security without increasing costs or scaring away users in the process. You might be hoping the pressure will subside as the breaches become distant memories, but neither federal nor state governments are likely to give you that break.

CIOs at retailers must analyze the current security measures they take for data in three areas: in transit online, at the point of sale and where it is stored. The analysis of each area should determine how data is secured, accessed and utilized, and what the risk is at each step, says John Pironti, principal security consultant at Unisys. At the same time, CIOs of financial services companies must work around the fear that outwardly visible—and constraining—security measures could send customers fleeing into the arms of a competitor.

When They’re Buying, Who’s Watching?

Of the three security areas, the point of sale is perhaps the least risky. While it’s possible for properly equipped crooks to compromise computerized point-of-sale systems, it’s simply easier for the bad guys to buy or steal information on the Internet than to physically invade a POS location or to shadow customers to get their credit card number, PINs or other data, says Matt Curtin, founder of the security consultancy Interhack.

The popularity of credit cards has also made it hard to justify any significant form of authentication at the point of sale. Credit card companies have long limited consumers’ liability to $50, relying on fees paid by merchants to cover the cost of fraud, which is involved in about 1 percent of all transactions, says Avivah Litan, vice president and research director for payments and fraud at Gartner. And credit card companies depend on sophisticated fraud-detection systems that can reveal patterns of fraudulent use after very few transactions, limiting the losses.

Some retailers would love to drop credit cards, because of their high fees. That’s why Piggly Wiggly Carolina, a South Carolina–based grocery chain, has debuted a payment system from Pay By Touch in which customers use a finger scan and an ID number to establish their identity at a sales terminal. No credit card information is needed at the sales terminal, because the user identity is matched at a service provider—Pay By Touch—and the charge is then deducted from a linked bank account, says Piggly Wiggly VP of Information Services Rich Farrell.

The use of a second authentication factor (the PIN) also helps secure the new Blink card, a wireless card from Chase Card Services that uses radio frequency to transmit cardholder information to a sales terminal. The technology limits the card’s wireless range to just two inches, so thieves can’t use portable readers to snatch account numbers over the air, says Tom O’Donnell, a senior VP at Chase.

The Vulnerable Database

Gartner’s Litan expects thieves to increasingly target the systems that store customer data as more and more financial and retail systems are linked together. Standalone host systems (often aging mainframes) weren’t originally built to defend against such networked connections, so “more and more companies are centralizing security again,” returning to the single security architecture approach that worked well for mainframe systems, says Jeffrey Margolies, lead for Accenture’s security services and identity management practice.

CIOs should consider these two basic approaches to secure stored data, Pironti advises: Encrypt data that is not being used; and better manage access so a rogue insider doesn’t have the privileges necessary to steal data. Most CIOs also need to acquire a thorough understanding of the flow of customer data and its potential weak spots, such as the use of unencrypted backup tapes, Pironti says, rather than rely on technological fixes. “In the short run there’s a higher expense to process thinking, but in the long run it’s cheaper,” he says.

On the Web, No One Knows You’re a Crook

Analysts warn that electronic data theft is growing fast, even as other types of data theft stay level or decline. A Gartner survey, for example, shows phishing attacks grew 28 percent in 2005. In addition, increasing numbers of online thefts and hacking attempts are being perpetrated on behalf of organized crime, which has started hiring hackers, says Litan.

To combat phishing attacks, bank regulator Federal Deposit Insurance Corp. plans to issue guidelines for online banking this fall that require authentication beyond user IDs and passwords. The agency isn’t dictating what technologies companies must use, giving the financial and retail industries a chance to develop their own standards and technologies.

Two-factor authentication’s success in the physical world has made it the choice of technology to protect online transactions as well. “It minimizes the theft of identity online,” notes former national security adviser Richard Clarke, now chairman of security consultancy Good Harbor Consulting.

Several companies are experimenting with two-factor authentication approaches. For example, Bank of America is deploying a system from PassMark Security that requires the user to answer a personal question from a rotating set and to choose from a collection of pictures supplied by the bank, with only one picture matching the “validator” picture the customer selected when opening the account. And online bank ING Direct rotates personal questions to provide a second challenge when the user logs in. Some banks and online retailers are using technology from such companies as Actimize, Corillian, Cyota and The 41st Parameter that creates a profile of user access, noting the IP addresses from which users log in, the time zone and so forth. If a thief logs in from Argentina posing as a customer from Delaware, the profile won’t match and the bank can issue an additional challenge question to verify the identity. (That extra step allows access by legitimate users who are traveling.)

Still, any data—even biometric information such as fingerprints—that’s stored as an authentication mechanism is vulnerable: If a thief breaks into a bank’s systems, he gets the validating data along with everything else. Such systems can also be vulnerable to “man in the middle” attacks, where communication between the customer and the company is intercepted, Clarke notes.

That’s why some companies are trying token-based methods, such as scratch cards, where customers scratch off a protective covering on a card to reveal a one-time access code. In the United States, E-Trade Financial is implementing the high-tech version of this approach using RSA Security’s lipstick-sized SecurID device, which produces new, one-time codes every 60 seconds and displays them on a small LCD screen. Users enter the code showing on the screen when logging into their investment accounts. If the device is stolen, a phone call from the customer flags it as invalid, so a thief could not use it. And even if the consumer’s computer has been hacked and a keylogger installed to steal passwords, the code’s ever-changing nature means a thief would still be stymied, says Joshua S. Levine, E-Trade’s chief technology and operations officer.
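As an added example (not E-Trade’s or RSA’s code; SecurID uses RSA’s own proprietary algorithm), the following Python implements the later-standardized HOTP/TOTP scheme (RFC 4226 and RFC 6238) with a 60-second step to mirror the device described, together with the server-side check that refuses to accept a code twice. The secret and timestamps are constructed test values.

```python
import hashlib
import hmac
import struct

STEP = 60     # seconds per code; the article's device rotates every 60 seconds
DIGITS = 6
WINDOW = 1    # also accept the previous and next step to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time.
    This is what the token computes and shows on its display."""
    return hotp(secret, int(now) // step)


class OtpVerifier:
    """Server side. Besides recomputing the code, it remembers the highest
    counter it has accepted for this user and refuses anything at or below
    it, so a code lifted by a keylogger cannot be replayed later, even
    inside the drift window."""

    def __init__(self, secret: bytes, step: int = STEP, window: int = WINDOW):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed, or older than a code we accepted
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo values: the RFC 4226 test secret and a fixed clock.
    secret = b"12345678901234567890"
    clock = 1_700_000_000
    server = OtpVerifier(secret)
    shown = totp(secret, clock)                      # what the token displays
    print("first use accepted:", server.verify(shown, clock))
    print("same code again:", server.verify(shown, clock + 5))
```

The counter check stops replay of a captured code, which is the keylogger case Levine describes. It does not stop a real-time relay: a look-alike site that forwards the code to the real bank within the same minute still gets in, which is the man-in-the-middle case noted above.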

But token-based authentication makes many companies nervous, analysts say, because of the implementation and support costs. They also say that consumers won’t tolerate having more than a very few such devices. Alternatives do exist, of course. Canadian cash-card provider SolidPay, for instance, uses cell phones for two-factor authentication. It has deployed StrikeForce Technologies’ software, which calls customers’ cell phones and prompts them to enter their PIN on the phone’s keypad when they try to, for example, transfer money to their cards. And to combat device proliferation, RSA plans to launch a form of federation service this fall that would let consumers use the same SecurID authenticator device for accounts at multiple companies.

Some analysts believe such systems are inevitable. The federal government’s requirement that passport holders, transportation workers and government employees all use smart card IDs will create a critical mass of adoption for a standard token, says Good Harbor’s Clarke. He ultimately envisions ID cards that everyone carries, just as most now carry a driver’s license and a credit or debit card. (The concept of a national ID card has long faced strong opposition, although efforts to standardize state ID cards may achieve the same result, but more palatably.)

The Slow Road to Security

Wary of the cost of token-based authentication and of annoying customers with extra steps such as answering validation questions, financial providers are implementing fraud-detection systems similar to what credit card companies have long used, Litan says. For online access, most are focusing on methods that don’t require user action (for example, checking a user’s current location against his profile of usual access locations).
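An added example (not code from any of the vendors named above) of the profile-based check described in this section and in the earlier Argentina/Delaware case: each login is scored against what the bank has previously observed for that customer, a silent allow is the default, and a departure large enough triggers a challenge question; a passed challenge is folded back into the profile so a traveling customer is not challenged on every request. The weights, threshold, customer profile and IP addresses (documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass, field
import ipaddress

# Illustrative weights, not figures from the article.
WEIGHTS = {
    "new_country": 50,   # e.g. Argentina for a Delaware customer
    "new_network": 15,   # IP outside every network seen before
    "new_timezone": 20,  # browser reports an unfamiliar UTC offset
    "new_device": 25,    # unfamiliar browser/device fingerprint
    "odd_hour": 10,      # outside the hours this customer usually logs in
}
CHALLENGE_THRESHOLD = 40


@dataclass
class AccessProfile:
    """What has been observed for one customer across past successful logins."""
    countries: set = field(default_factory=set)
    networks: list = field(default_factory=list)   # ipaddress network objects
    tz_offsets: set = field(default_factory=set)   # UTC offsets in hours
    devices: set = field(default_factory=set)
    hours_utc: set = field(default_factory=set)


@dataclass(frozen=True)
class LoginAttempt:
    ip: str
    country: str
    tz_offset: int
    device: str
    hour_utc: int


def risk_score(profile: AccessProfile, attempt: LoginAttempt):
    """Return (score, reasons): how far the attempt departs from the profile."""
    reasons = []
    addr = ipaddress.ip_address(attempt.ip)
    if attempt.country not in profile.countries:
        reasons.append("new_country")
    if not any(addr in net for net in profile.networks):
        reasons.append("new_network")
    if attempt.tz_offset not in profile.tz_offsets:
        reasons.append("new_timezone")
    if attempt.device not in profile.devices:
        reasons.append("new_device")
    if attempt.hour_utc not in profile.hours_utc:
        reasons.append("odd_hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile: AccessProfile, attempt: LoginAttempt) -> str:
    """'allow' with no user action, or 'challenge' with an extra question
    that a legitimate traveller can answer."""
    score, _ = risk_score(profile, attempt)
    return "challenge" if score >= CHALLENGE_THRESHOLD else "allow"


def record_success(profile: AccessProfile, attempt: LoginAttempt, prefix_len: int = 24) -> None:
    """After a successful login (or a passed challenge) fold the attempt into
    the profile. Assumption: IPv4-style /24 grouping of source networks."""
    profile.countries.add(attempt.country)
    net = ipaddress.ip_network(f"{attempt.ip}/{prefix_len}", strict=False)
    if net not in profile.networks:
        profile.networks.append(net)
    profile.tz_offsets.add(attempt.tz_offset)
    profile.devices.add(attempt.device)
    profile.hours_utc.add(attempt.hour_utc)


def delaware_customer() -> AccessProfile:
    """Constructed sample profile; 203.0.113.0/24 is a documentation range."""
    return AccessProfile(
        countries={"US"},
        networks=[ipaddress.ip_network("203.0.113.0/24")],
        tz_offsets={-5, -4},
        devices={"fp-home-pc"},
        hours_utc=set(range(12, 24)),
    )


if __name__ == "__main__":
    profile = delaware_customer()
    home = LoginAttempt("203.0.113.42", "US", -5, "fp-home-pc", 14)
    abroad = LoginAttempt("198.51.100.7", "AR", -3, "fp-unknown", 3)
    print("home:", decide(profile, home), risk_score(profile, home))
    print("abroad:", decide(profile, abroad), risk_score(profile, abroad))
```

A new device alone scores below the threshold here, so a customer on a new laptop at home is not bothered; the same device from an unknown network or country is challenged. Tuning those weights against real fraud cases is what the detection systems Litan mentions do at scale.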

A second low-impact approach—this one designed to limit the damage caused by phishing attacks—is the use of server-side certificates to verify that users have in fact reached the bank or retailer they intended to contact, suggests David Meunier, CSO of CUNA Mutual Group, which provides processing services to credit unions. For this to work, browsers must have SSL certificate validation turned on and show the result to the user, so users can tell whether they have reached their intended site rather than a sinister look-alike. (Students at Stanford University recently released such software for the Mozilla Firefox browser.) Meunier acknowledges, however, that this technology would not stop phishing via e-mail (which has no similar widespread certificate standard in place as of yet).

Another browser-security option according to Chris Novak, senior security consultant at Cybertrust, is a browser plug-in that detects password or account entry fields and scrambles them with a key known to both the browser and the legitimate server. Considering the small number of browser types in wide use, it should be straightforward to distribute such a plug-in if the financial industry agreed on a standard for it, he says.
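As an added example (not Cybertrust’s or any product’s code), the following Python shows the per-site password transformation such a plug-in would perform. It uses the domain-keyed variant published by the Stanford PwdHash project rather than a key shared with the server: the typed master password is combined with the host name of the page, so a look-alike host harvests a value that is useless at the real bank, and the bank itself needs nothing beyond its ordinary password hashing. The URLs, master password and salt are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """The part of the URL that keys the password: the host name, lower-cased,
    with a leading 'www.' dropped. Assumption: no public-suffix handling, so
    'login.bank.example' and 'bank.example' count as different sites."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def site_password(master: str, url: str, length: int = 20) -> str:
    """What the plug-in submits instead of the typed password: HMAC-SHA256
    keyed by the master password over the site key, encoded printably and
    truncated. Every other host gets an unrelated value."""
    mac = hmac.new(master.encode("utf-8"),
                   site_key(url).encode("idna"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")[:length]


# Server side: the bank treats the derived value like any password and never
# needs the master password or any plug-in key.
def store_credential(password_db: dict, user: str, submitted: str, salt: bytes) -> None:
    digest = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"), salt, 100_000)
    password_db[user] = (salt, digest)


def check_credential(password_db: dict, user: str, submitted: str) -> bool:
    salt, stored = password_db[user]
    digest = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(stored, digest)


if __name__ == "__main__":
    master = "correct horse battery"            # constructed
    real = "https://www.bank.example/login"      # constructed
    fake = "https://bank-login.example/login"    # constructed look-alike
    print("real site sees:", site_password(master, real))
    print("look-alike sees:", site_password(master, fake))
```

The value captured by the look-alike does not authenticate at the real host, which is the point of the scheme. Its limit is the master password itself: the captured value is a keyed hash of it, so an attacker can still try to brute-force a weak master password offline.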

Given the fractured nature of the financial services and retail industries, analysts agree that it’s likely that improved security for customer data will come from efforts that combine numerous techniques such as those mentioned above. While government regulation could push reluctant companies to implement more-intrusive technologies such as two-factor authentication for at least some online transactions, public pressure is the more likely way slow-moving companies will be spurred on, especially if consumers view security as an asset rather than as a barrier to commerce.