Fraudsters are constantly evolving their techniques, and information technology professionals must constantly find ways to keep thwarting them, says Tim Brown, vice president of product at New York City-based Prove.
Brown spoke with StrategicCIO360 about the latest threats, emerging technologies to deal with them and why the death of passwords is imminent.
What kind of fraud are executives not paying enough attention to?
The five most aggressive forms of fraud are account takeovers and SIM swaps, identity theft, social engineering, synthetic identities and first-party fraud. Executives should be keenly aware of all five, and focused on how they can deploy solutions that can address each.
Given that most security ecosystems are focused on account authentication as it relates to multi-factor authentication with little consideration of the identity attached, I suspect that identity-related fraud—both true name and synthetic identities—garners the least attention, which is disappointing. Having a strongly bound identity to an authenticator provides the highest assurance of digital trust because it ties a real person to the authenticator.
I’m sure that some executives are deploying solutions like knowledge-based authentication and risk-based authentication to assist, but I’d argue that both are fallible. One should assume that your knowledge-based questions are public knowledge, and the questions that are not public are so obscure, asking them introduces too much friction because they are difficult or impossible to remember.
Risk-based platforms depend on huge volumes of data about an individual. As mobile OS platforms introduce stricter privacy controls, obtaining this data becomes increasingly difficult, thus driving down the effectiveness of RBA platforms. CIOs really need to be focused on platforms that bind identities to a trusted cryptographic truth or key. Tying identity to the possession of such a cryptographic key, ensuring the reputation of said key, and the ownership of the attributes attached to it provide a deterministic way to answer the identity question for true digital trust.
What cybersecurity measures do you think are a must to combat such threats?
Deploying authentication techniques that are strongly bound to an identity is key for ensuring secure, privacy-focused interactions in a digital ecosystem. There are maturing technologies such as the FIDO Alliance’s FIDO2/WebAuthn standard that remove the weakest point of authentication: passwords.
FIDO eliminates passwords while providing a privacy-enabled authentication technique that leverages on-device biometric authentication and cryptographic keys to ensure that the correct device is being used to re-authenticate when the user returns. The challenge with FIDO is that its focus is on the use of the authenticator alone, but not on the issuance of the authenticator being bound to an identity. FIDO uses onboard biometrics, and one would assume that those biometrics tie out to an identity.
However, there isn’t a guarantee that the biometric is tied to the correct user, especially in a shared-device situation, so additional identity verification techniques must be used to enforce this bind. Capturing an identity document from a mobile device introduces user friction, has poor success rates because of capture constraints, and, as a white-light capture device, can only capture roughly a third of the security features on the identity document, making it easy to beat with quality forged documents.
To provide strong identity verification with low friction, CIOs should focus on techniques that tie to a cryptographic key such as a SIM card in a mobile phone—ensuring possession, reputation and ownership of that key. Prior to issuing a FIDO token, a strong approach would leverage techniques to ensure that a person is in possession of the device (mobile authentication, enhanced device authentication, SMS OTP), followed by establishing that the SIM card hasn’t been swapped, and finally by ensuring that the device and the phone number are owned by the user. These three factors, combined with advanced learning techniques, can provide a superior platform for identity verification and allow for a FIDO2 key to be issued.
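The answer above describes two separate things: a FIDO2/WebAuthn-style challenge-response in which a device-bound private key proves the same device is back, and a gate in front of credential issuance that only opens once possession, SIM status and ownership have been established. The following Go program is an added example written for this page, not code from Prove or from the interviewee, and not a complete WebAuthn implementation (no attestation, CBOR or signature counter). It assumes a hypothetical `BindingSignals` struct standing in for the three pre-issuance checks; the `RP`, `Authenticator`, `Register`, `Assert` and `Verify` names are the example’s own. It also shows two properties the text only implies: an assertion a phishing page obtained for its own origin is rejected by the origin check, and a captured assertion cannot be replayed because each challenge is accepted once.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

type (
	// BindingSignals are hypothetical pre-issuance results (constructed for this example) for the
	// three checks named above: device possession, SIM not swapped, phone number owned by the user.
	BindingSignals struct{ Possession, SIMUnchanged, NumberOwned bool }
	Credential     struct{ Pub *ecdsa.PublicKey; Identity string } // stored by the server at issuance
	RP             struct { // relying party (server) side
		Origin, RPID string
		challenges   map[string]bool // outstanding single-use challenges
		creds        map[string]Credential
	}
	Authenticator struct{ CredID string; priv *ecdsa.PrivateKey } // device side; the key never leaves it
	ClientData    struct{ Type, Challenge, Origin string }
	Assertion     struct{ CredID string; AuthData, ClientDataJSON, Sig []byte } // AuthData = sha256(rpID) || flags
)

func (b BindingSignals) Satisfied() bool { return b.Possession && b.SIMUnchanged && b.NumberOwned }

func NewRP(origin, rpID string) *RP {
	return &RP{Origin: origin, RPID: rpID, challenges: map[string]bool{}, creds: map[string]Credential{}}
}
func randomHex(n int) string { b := make([]byte, n); _, _ = rand.Read(b); return hex.EncodeToString(b) }

// Register issues a device-bound credential only once identity binding is established.
func (r *RP) Register(identity string, sig BindingSignals) (*Authenticator, error) {
	if !sig.Satisfied() {
		return nil, errors.New("identity binding not established; refusing to issue credential")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256, the WebAuthn default
	if err != nil {
		return nil, err
	}
	a := &Authenticator{CredID: randomHex(16), priv: priv}
	r.creds[a.CredID] = Credential{Pub: &priv.PublicKey, Identity: identity}
	return a, nil
}

func (r *RP) NewChallenge() string { c := randomHex(32); r.challenges[c] = true; return c } // fresh, single use

// signedDigest is the WebAuthn signing input, authData || sha256(clientDataJSON), hashed for ECDSA.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert is what the device does when the browser at origin asks it to sign a challenge.
func (a *Authenticator) Assert(rpID, origin, challenge string) Assertion {
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flag UP: the on-device user-presence/biometric gesture passed
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	return Assertion{CredID: a.CredID, AuthData: authData, ClientDataJSON: cd, Sig: sig}
}

// Verify checks an assertion and returns the identity bound to the credential.
func (r *RP) Verify(as Assertion) (string, error) {
	cred, ok := r.creds[as.CredID]
	rpHash := sha256.Sum256([]byte(r.RPID))
	var cd ClientData
	switch {
	case !ok:
		return "", errors.New("unknown credential")
	case json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get":
		return "", errors.New("malformed clientData")
	case cd.Origin != r.Origin: // a phishing page got the device to sign for the attacker's origin
		return "", fmt.Errorf("origin mismatch: %s", cd.Origin)
	case !r.challenges[cd.Challenge]: // replayed, or never issued by this server
		return "", errors.New("challenge unknown or already used")
	case len(as.AuthData) != 33 || string(as.AuthData[:32]) != string(rpHash[:]):
		return "", errors.New("rpIdHash mismatch")
	}
	delete(r.challenges, cd.Challenge) // single use, whether or not the signature checks out
	if !ecdsa.VerifyASN1(cred.Pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Sig) {
		return "", errors.New("signature invalid")
	}
	return cred.Identity, nil
}

func main() {
	rp := NewRP("https://bank.example", "bank.example")
	_, err := rp.Register("alice", BindingSignals{Possession: true}) // SIM and ownership unverified
	fmt.Println("issuance refused:", err)
	auth, _ := rp.Register("alice", BindingSignals{Possession: true, SIMUnchanged: true, NumberOwned: true})
	fmt.Println(rp.Verify(auth.Assert(rp.RPID, rp.Origin, rp.NewChallenge())))                  // alice <nil>
	fmt.Println(rp.Verify(auth.Assert(rp.RPID, "https://bank-login.example", rp.NewChallenge()))) // origin mismatch
}
```

The point of the `Verify` ordering is that the server never trusts anything the client sent until the origin, challenge and RP ID hash have been checked against its own state; the signature is only the last step, and it binds the device key to exactly that server-issued challenge and browser-reported origin. The `Credential.Identity` field is what the text calls the bind: the server records at issuance which verified person the device key belongs to, so a successful assertion yields an identity, not merely "someone with the right key".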
What technologies do you think will emerge in the near future as digital identity becomes a significant part of our lives?
I believe the death of passwords is finally upon us, and that is an amazing thing! FIDO2 is gaining broad acceptance. Apple, Google and Samsung have made a firm commitment for native support of the technique. I see digital IDs playing an increasingly outsized role in our lives.
In the U.S., many states are moving to offer mobile driver’s licenses to their citizens. I’d look for mDLs to play an outsized role in how we travel, conduct commerce and generally interact with state government agencies. Looking at countries like Estonia that have rolled out electronic ID programs, you can easily see the myriad of use cases such a portable identity document would support. One day soon we will find ourselves paying taxes, applying for government services and maybe even voting with a digital identity document.
I see the industry pushing aggressively to self-sovereign identity models that give users full agency over their identity data, how it’s shared and with whom it’s shared. There is a tremendous amount of focus on privacy and consent, aimed at protecting users from fraud and data abuse. Users being in full control of their identity data is the primary means to achieve this.
What can CIOs look for in the identity verification market in the next two to three years?
FIDO2, mobile driver’s license, self-sovereign verified credentials and decentralized identity. I’m especially bullish on self-sovereign identity because I believe it meets a lot of the privacy requirements being legislated across the globe. We will see the end of certain authentication techniques: the password, knowledge-based authentication and SMS OTP. These techniques will be replaced by FIDO2 and strong identity binding through passive techniques that are superior to KBA.
RBA systems will also slowly be rendered obsolete as privacy techniques make it more difficult to fill the data needs of these types of platforms. I also expect there to be a substantive amount of mergers and acquisitions in the document verification space, as the relevance of document authentication begins to wane.
How can CIOs ensure that their organization has “digital trust”?
The Information Systems Audit and Control Association (ISACA) defines digital trust as “the confidence in the integrity of relations, interactions and transactions among providers and consumers within an associated digital ecosystem.” ISACA goes on to further break down this definition:
• Integrity refers to a code of moral value, not the traditional security definition.
• It is essential to consider the entire ecosystem, which often involves more than two parties.
• Security, privacy, risk, assurance, quality and governance contribute to and can uphold digital trust.
• Ethics, transparency and accountability play a significant role.
• It is encompassing of brand, product quality, data ethics and reliability.
As we conduct more of our lives in a world of ever-increasing connectivity, CIOs must consider all of these things holistically as they are intrinsically linked. While digital trust is rooted in integrity, it’s incumbent on organizations to consider the security risks of interactions between multiple parties across the broad spectrum of their networks and systems—often with very little information about the individuals involved in the transaction.
Sadly, fraudsters, hackers and bad operators lack integrity and are motivated to exploit systems for financial gain, with complete disregard for the impact on individuals and companies. Bring your own device and remote work only amplify the risk surfaces for CIOs to consider in the confines of digital trust.
So what is a CIO to do to enable strong digital trust? Recognizing that passwords represent poor, fallible security, CIOs have turned to multi-factor authentication. But I’d suggest that MFA isn’t enough. Passwords can be guessed, SIM cards can be swapped, OTPs can be smished. MFA represents a high level of user friction that discourages users and reduces engagement and efficiency. For businesses conducting commerce online, this reduction of engagement has direct impacts on the bottom line.
With this in mind, most CIOs are coming to the realization that identity must play a key role in establishing digital trust. Successful identity solutions that drive high digital trust should not only validate a person’s identity, but also determine that the correct person is in possession of their MFA devices when interacting with systems or other users.
Consideration must be given to strong identity verification tied to the authentication factors in a way that strongly binds a known identity with an authentication session to drive trust, along with technology that can continuously ensure the correct person is interacting, and equally important, that the device remains trustworthy. This type of multi-pronged identity verification drives a high assurance of identity, greatly reducing risk and fraud, and increasing digital trust with interactions.
With a strong identity scheme, CIOs can minimize risk and improve security while reducing user friction and drastically reducing fraud rates. Adding identity to the equation can certainly raise concerns about privacy, as well as ethical and transparent use of data, so any identity verification must be considerate of only requiring users to provide and share data that they consent to. In many cases, interactions in such an approach can support secure interactions without exposing any identity characteristics, but still ensuring safe interactions in a trusted fashion.