Gartner's Litan on Fixing Authentication Why KBA Is Unreliable and New Approach Needed
Gartner's Litan on Fixing Authentication
Avivah Litan

Banking institutions and other businesses must continually collect information about their online customers to ensure stronger authentication, says Avivah Litan, a fraud expert and analyst for the consultancy Gartner.

"You have to assume the criminals can get through one layer [of authentication]; they can get through two, they can even get through three," she says during this interview with Information Security Media Group [transcript below]. "But if you have multiple layers, up to five, and you're continuously authenticating that user and continuously looking at their activities against their profile, you should be in pretty good shape."

Continuous authentication relies on a number of factors, such as how often the user typically accesses an account from a mobile device or PC, how quickly he types in his username and password, and the geographic location from which he most often access the account, Litan says. By continuously monitoring these behaviors, organizations can substantially improve their ability to detect when an unauthorized user is trying to access, for example, a bank account, as well as determine whether an account has already been compromised, she adds.

"You're continuously trying to verify if all this looks like the person you think it should be," Litan says.

During this first part of a two-part interview, Litan discusses:

  • The failures of knowledge-based authentication;
  • Why socially engineered schemes are moving beyond phishing; and
  • Technologies and educational campaigns all institutions need to implement to reduce fraud losses.

In part two of this interview, Litan discusses steps organizations are taking to fight call-center fraud.

Litan recently spoke about stronger authentication techniques during a presentation at ISMG's Fraud Summit. A video of her presentation is available on ISMG's Fraud Summit page.

Litan is a recognized authority on financial fraud. She has more than 30 years of experience in the IT industry and is a Gartner Research vice president. Her areas of expertise include financial fraud; authentication; access management; identity proofing; identity theft; fraud detection and prevention applications; and other areas of information security and risk. She also covers security issues related to payment systems and PCI compliance.

Why KBA Fails

TRACY KITTEN: Avivah based on recent research that you've conducted, you've identified significant weaknesses in standard authentication practices used for online account access. So-called knowledge-based authentication is insufficient, you say. Can you explain why KBA fails?

AVIVAH LITAN: First, let me just say that this issue of KBA failures and problems has been coming up for a few years. KBA is knowledge-based authentication based on external data, and it's a very convenient method for banks and other companies to use to prove an identity when they are conducting a high-risk transaction. So for example, if you are cashing out an annuity as a consumer and you call the call center, the call center is going to start asking you to answer these secret questions. So it's very convenient. But for a few years now, we've been hearing complaints from our customers that the failure rate on KBI is on average 10 percent to 15 percent and sometimes it can go as high as 30 percent.

For example, some of our healthcare insurance clients insure populations without a lot of credit history - new immigrants or students. We see the same thing in universities. We've been hearing about these high failure rates for a few years ... and when we looked into it, what we found out is most of the failures are good people that can't answer the questions. So either there is not enough data on them because they are a new immigrant, for example, without a lot of data, or it could be that there is a typo in the credit record, or it just could be that the people that do have questions don't know what the answers are. It has happened to all of us because, for example, if you're asked where your mortgage is held, your mortgage may have been sold to three companies that you don't even know about and you're still paying the old company when you write the check but there is really a third company behind the scenes.

At the same time, we've been hearing the bad people succeed. So for a few years now, I've been hearing from some of my bank colleagues and fraud managers that when they do ask secret questions to verify an identity on a high-risk wire transaction, for example, that when they call the user making the wire request, the phone is forwarded to someone else who is the fraudster because they've taken the time to forward the call of the victim. Then when the fraud analyst starts asking these questions, the call is forwarded to the fraudster and the fraudster has all the answers to the questions. In fact, on some of the call recordings that fraud managers have listened to, they can actually hear the bad guy clicking through the screens trying to get to the right answer. And you may have seen the [report] that Brian Krebs did where he actually uncovered a botnet that was inside three major companies that provide information on identities in KBA. So it used to be manual compromises where the bad guys would fish and pose as data aggregators and get into the KBA databases, but now it is systematic compromise. So there is a whole range of reasons why KBA isn't working. So does that mean we're all going to run away from KBA, probably not tomorrow, but it's got the banks thinking very hard about alternatives.

Authentication Practices

KITTEN: Avivah, what about authentication generally? Do banking institutions, and other industries for that matter, rely too heavily on standard authentication practices which require some of this user input?

LITAN: When banks start out looking for a method to prevent fraud, most of them start thinking about authentication. Why is that? Because authentication is easy to understand and it's relatively easy to implement if you are using software-based implementation. So for example, it's common for banks to use passwords, device identification, challenge questions that are based on questions that the user registers at the time of setting up their account, and then sometimes even out-of-band authentication, where the bank will send an SMS message or call the user and deliver a one-time password. All those methods are relatively easy to implement, except for perhaps out-of-band because then you need a good phone number and people change phone numbers. But because they are so easy to implement, they are low cost - that is what most banks think about when they think about stopping account takeover.

The more sophisticated banks that have been attacked for a while understand that is not sufficient, and that they need to do a lot more like that - a lot more than just authentication. But typically the smaller banks that don't have a lot of security resources to spend ... will focus on authentication.

Layered Approach

KITTEN: So then what solutions do you recommend Avivah? Is it this layered approach?

LITAN: Yeah we don't recommend that you rely solely on authentication. We've seen time and time again how authentication can be beaten. So anything going through a browser is subject to man-in-the-browser attacks and Trojans. ... So you can't only rely on authentication. You can't even rely on out-of-band authentication. ... You can rely on a layered approach and that is starting with protecting the endpoint, trying to secure the browser, going all the way up to looking at the navigation, building profiles of users and accounts and looking for anomalies, doing that across channels. What did the user do at the call center versus the online channel, versus the point of sale channel? And finally - big data analytics. At the end of the day, if you can't catch the criminals in line to the transaction or on the way up through these layers hopefully by putting all your data together and smart people doing data analytics on information and your systems, you can find those needles in the haystack.

For authentication, we recommend constant continuous authentication, and we're calling it "behavioral authentication." So trying to put all these factors together about your user: How do they navigate your systems? How do they hold their mobile phone? How do they type? Where are their general locations? What devices do they usually come in from? What kind of transactions are they usually transacting? What time of day do they usually transact? So constantly monitoring your user and building up a profile of all the different types of activities, ranging from their physical activities - where they go and how they type - to their account activities: What type of transactions do they do? And you're continuously trying to verify if all this looks like the person you think it should be. You have to assume the criminals can get through one layer, they can get through two, they can even get through three. But if you have multiple layers up to five and you're continuously authenticating that user and continuously looking at their activities against their profile, you should be in pretty good shape.

New Scams

KITTEN: Avivah, you've also recently noted upticks in socially engineered schemes that exploit in-person communications. So it's not just these phishing attacks that criminal organizations are waging and it's not just phishing attacks that banking institutions and others should be worried about. Why are these more personal and face-to-face scams garnering renewed interest among fraudsters?

LITAN: Well as the banks tighten up their electronic controls, it's harder for the fraudsters to penetrate them. So they are turning to old-fashioned methods of seeing victims in person or showing up at branches and trying to socially engineer the branch employees.

Let me give you a couple of examples. I've heard about this first example from UK banks. I'm not sure it has happened yet in the U.S., although it usually moves from country to country, where some of the bad guys would show up at victim's houses in person and they'd be dressed either as police officers or as bank personnel. They would typically pick elderly people, knock on the door and say, "You're account has been taken over," or "We regret to inform you that someone broke into your account, stole all your money but don't worry we're here to help you and here are some forms we would like you to sign, and after you sign these we'll move all the money into this new account and we'll definitely get back the stolen funds and make you whole and all you have to do is sign here." And, of course, these innocent people are signing documents and they don't realize that they are signing their financial life over to a fraudster.

We've also heard of cases where ... bad guys dressed as service technicians show up at a branch, for example, and say: "We're here to fix your safe and we understand that it is broken and so can you let us in and open it up, and we'll fix it for you?" That is an extreme case, but I've heard that too.

I've also heard of people showing up at branches and distracting the teller and rewiring the little point-of-sale device where you swipe your debit card to authenticate to send those transactions to a criminal server. There is a more common case now ... where criminals are actually logging in online to get check images. They're not moving money because they know that there are controls there, so they are getting the check image ... and creating forged checks and going into the branch and depositing those checks and taking out money based on those deposits. And the systems aren't really equipped to deal with that yet, so the teller will give the criminal their money after depositing the check and then they'll make off with it.

So we've seen different kinds of in-person attacks, we've also seen a lot of phone-based attacks. Many banks can tell you about how the criminals will call a targeted victim during a malware-based attack to say, "Oh there is something wrong with our system right now and your money request isn't going through, we need you to get the secondary authorization now and put it in this computer." So they are socially engineering these corporations to get the dual authentication process all put in at one computer that they've taken over so they can wire funds.

The list goes on and on, but the bottom line is, as the banks get better at tightening up online controls, the fraudsters have to go into the in-person or the telephone route to get their jobs done.

Call-Center Schemes

KITTEN: So talking about some of these over-the-phone scams ... We've seen increases in call center fraud. How are these types of schemes being waged in conjunction with cyber-attacks such as DDoS?

LITAN: Well we're definitely seeing a link between DDoS and fraud, and in many cases it does target call centers. So here are some of the linkages. Well one linkage is not really a call center linkage; it's a VRU [voice response unit], telephone banking leakage. And actually in this case it's just a DDoS attack against the VRU system. There is not a lot of fraud controls on telephony banking. The bad guys will just randomly dial into the VRU system and do brute force dictionary attacks trying to guess the passwords until they get in and transfer money. They doing this by just quickly rotating through and calling lots of calls per minute. So it's a DDoS attack against the phone system.

We're also seeing DDoS attacks that distract bank personnel and they may even shut down the wire system, or not shut it down but make it very hard to get to, so the bad guys take advantage of that. They will call the call center and pretend they are a corporation that has to get a wire transfer done really quickly and socially engineer their way through the identity proofing process. They may have all the data they need to prove that they are actually someone else, and then they'll do the account takeover and a wire transfer that way.

And we're also seeing a lot of cross-channel fraud. About 30 percent of the fraud involved is telephony channel and the online channel. The bad guys will call the call center and actually get some information out of them or change information on an account - for example an address or a phone number, and then go online and take money out. So when the confirmation goes to the address as in the records, it's now going to the new address that it was just changed to, which could be the criminal's post office box for all we know. Or the calls to verify accounts having money transferred out of them could go to another phone number that the criminal just had all the calls forwarded to by calling the call center. So there are different variations on these themes, but the bottom line is the bad guys will call the call center and get something out of the agents - maybe the answers to secret questions in some cases or changes to the account - and then go online and move the money out.

Phone Printing

KITTEN: And so then what recommendations or solutions do you offer there to address some of these call center scams?

LITAN: There is a new type of technology that has come out recently and I call it "phone printing." It's a lot like device fingerprinting for PCs where you look at the origination of the call and you can't assume the caller-ID showing up on the call center agent's screen is correct. The criminals go through proxy servers to disguise their true location. They do that also when they call the call center. They'll go through an anonymizer service so they disguise where they are really calling from. And if you have this phone printing technology you can actually see that they are disguising their location and you can get to the true location. There are also other technologies that are what they call "true caller-id." But what these have in common is that you are trying to see where is this call really coming from and what kind of phone is being used. The criminal pretends they are calling in from Kentucky, but you can tell by the acoustic quality and the spectrum on the call that this call is really 5,000 miles away and can't possibly be in Kentucky. It looks like it is Eastern Europe. By doing that, you get an indication that you know this is a high-risk phone call.

And there is also voice biometrics where you passively record the voices of the users calling and over time you build a blacklist of the fraudster's voices so that when they call again you can flag that as a fraudster. Because typically these fraudsters don't just strike once; they'll call back time and time again - up to five or six times a month. And it's a small group of them that attacks the call centers, so you can record the voices and mark a voice as fraudulent once you confirm fraud on that account that was called about and then use that blacklist for future phone calls.

So between voice biometrics, passive voice biometrics, and phone printing, our clients are having a lot of success in stopping call center fraud.

Role of Education

KITTEN: Are organizations adequately addressing some of these call center risks with education?

LITAN: Education is really important; employees sometimes are innocent. They make simple mistakes like trusting people that call in when they are really fraudsters. ... You can train people day and night and they can still fall for really big socially engineering techniques. And it's not because they are stupid. It's because they are trying to provide good service to the customer. So employee education is definitely important, but if it's all you're relying on it's simply not enough. And the same would be true for customer education.

Around the Network