Out-of-Band Authentication: A Fresh LookIt's Time to Secure the Asset, Not Just the Transaction
The Target data breach, and the fallout that ensued, made it very clear that financial institutions have a vested interest in protecting customers' personal and financial information - a vested interest that extends beyond protecting the data within the networks of the banks themselves. There lies the challenge.
It's not sufficient to merely ensure that our own networks are secure. Consider how much personal and financial information about our customers is housed on the Internet.
The answers to out-of-wallet questions aren't secret if they are posted on Facebook.
Ask yourself: Just how many online retailers have credit card information about your customers? And consider how much personal information consumers share online.
The answers to out-of-wallet questions such as, "What is the name of the grade school you attended?" aren't secret if they are posted on Facebook.
Data breaches are by no means limited to the Internet. As the Target breach demonstrated, customers' financial data can be hacked when shopping in brick-and-mortar stores.
Financial Institutions already apply out-of-band security in many instances. For example, customers are required to activate new credit cards. The activation generally involves a phone call asking several out-of-wallet questions known only to the legitimate cardholder.
The challenge is: How do we help protect payment cards when they are used at any number of online and brick-and-mortar retailers?
Points of Vulnerability
While there are industry security standards, such as the Payment Card Industry Data Security Standard, we can't ensure the security of every online retailer that could potentially house credit card data of our banking customers. Bearing in mind that an HVAC vendor was an entry point for the Target breach, vulnerabilities extend far beyond the retailer's network.
At an April 16 presentation in Washington, Comptroller of the Currency Thomas Curry stressed the importance of ensuring due diligence, and that ongoing risk assessment of all third-parties must be a part of every banking institution's vendor management program.
Single Point of Failure
Relying on a single band, such as resetting a forgotten password online, to help ensure data privacy and thwart hackers also leaves companies with a single point of failure.
I liken it to a company having their primary and back-up data centers located in the same city. Then a single natural disaster, such as a huge winter storm or an earthquake, can impact both locations. That's why part of the decision-making process in picking a back-up data center is its location. It's not at all uncommon for data centers to be in different states, or even different parts of the country all together. This makes a single event far less likely to impact both facilities.
We need to bring that same mindset to authentication.
Impact of Social Networking Sites
Most online retailers, particularly those that collect and often store credit and debit card information, have a certain level of security awareness. Contrast that with social networking sites, whose main focus is not security. Facebook, Twitter and Instagram are very popular, and they help people stay connected. However, they are not what I would call bastions of IT security.
Additionally, numerous online retailers will let customers log in with their Facebook, Twitter, Instagram and Gmail accounts. This means that the fraudster doesn't have to try to hack accounts at the online retailers. They just have to get past the security of a social networking site.
Also, customers should be discouraged from using the same username-password combination for online banking, or making online purchases, as they do for their social networking sites.
Secure the Asset
It's not the security of each and every online retailer we're trying to protect, but the security of our banking customers.
Consider the security advantage of requiring an out-of-band approval to register a credit card with any online retailer. When attempting to use a credit card for the first time, an alert could be sent to the registered cardholder's e-mail address or cell phone number. With established online sites, attempting to have a product shipped to a new, not previously approved address could also trigger an out-of-band approval requirement.
Or consider secondary, out-of-band approval tied to the card and not to any particular online site. The security is tied to the customer's credit card, independent of the online retailer. This would mimic the type of alerting used when a credit card purchase on the East Coast is attempted by a customer that lives on the West Coast.
Effective Use of Out-of-Band
Alerts to a mobile phone number are both more real-time and more secure than alerts to an e-mail address. This is particularly true with free Internet e-mail accounts. With a username and password, a hacker can access an online e-mail account from anywhere in the world. It's somewhat more difficult to intercept messages sent to your customer's cell phone.
As the Target breach demonstrated, financial institutions can't ensure the security posture of every online retailer or brick-and-mortar store where our customers may shop. Therefore, a security measure that can be tied to the asset can be effective, no matter where it's used.
Philip Alexander has more than 25 years of IT security experience in both the private and public sections. He has published three books on IT security and data privacy, and is an operational risk manager for a major U.S. financial institution.