Retail Breaches as Catalysts for Action
Why Authentication Needs to Change
Retail breaches have put a spotlight on payments risks, a hot topic during this week's BAI Payments Connect conference in Las Vegas.
The breaches suffered late last year by Target Corp. and Neiman Marcus could have positive long-term implications if they, indeed, serve as important catalysts for change.
For example, the migration toward enhanced payments technology - chip and PIN - could get a boost from all the attention to payments system vulnerabilities that the breaches generated.
The retail breaches have gotten the attention of Congress, which is considering how to spur more cyberintelligence sharing and whether more regulatory oversight of payments security is needed. The breaches have also exposed the security weaknesses of authentication that relies only on usernames and passwords, and they have highlighted why ongoing vendor management and risk assessments are so critical.
The revelation that Target's breach was likely caused by a vendor illustrates the need for more security education (see Target Vendor Acknowledges Breach).
What's more, the notion that this vendor may have been hacked because an employee's authentication credentials were easily compromised proves we have a long way to go.
These same authentication weaknesses expose users and employees across all sectors, online banking included. Weak authentication is often the key enabler of a cyber-attack, paving the way for the fraud losses that follow. Yet we still struggle to make sufficient strides toward strengthening authentication anywhere.
A wave of online-banking account takeovers by fraudsters spurred federal regulators in June 2011 to issue an update to their authentication guidance for Internet banking transactions (see FFIEC Authentication Guidance: Final Update Issued). In response, banks and credit unions have spent millions on enhanced fraud detection and prevention technology as well as ongoing customer education campaigns.
Yet account takeover continues. And poor authentication, either at the bank or customer level, is often to blame.
During a panel discussion that I moderated at BAI Payments Connect about fraud liability in the wake of an account takeover, cybersecurity attorney Joseph Burton said it best: "We have to get away from authentication of the user and go toward verification of the transaction. It's the only way we are going to secure transactions," and ultimately stop account takeover fraud.
Rather than relying on a username and password to authenticate a user, banking institutions should rely more on technology and processes that verify the authenticity of the transactions themselves, through device identification, geo-location and IP addresses, to name a few signals, Burton explains.
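To make the transaction-verification idea concrete, here is an added example of the kind of scoring a bank's back end can run on every payment after login, regardless of whether the password was correct. It is illustration code written for this page, not Burton's, any bank's or any vendor's logic; the field names, weights and thresholds are assumptions, and the customer profile and transactions are constructed test data. The point it shows is that a valid password from an unrecognized device in an unexpected country to a new payee should still be stopped, while the same customer's routine payment from a known device sails through.

```python
"""Transaction-level risk scoring using device, geolocation and IP signals.

Added example for illustration only. The signals, weights and thresholds
below are assumptions, not any institution's production rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed thresholds: at or above STEP_UP the customer is challenged
# (e.g. out-of-band confirmation); at or above BLOCK the payment is held.
STEP_UP_THRESHOLD = 40
BLOCK_THRESHOLD = 70


@dataclass
class CustomerProfile:
    """Behaviour learned from a customer's prior, undisputed activity."""
    known_devices: set            # device fingerprints seen on good sessions
    home_countries: set           # ISO country codes the customer transacts from
    trusted_networks: list        # CIDR ranges (home ISP, employer) seen before
    typical_max_amount: float     # largest transfer in recent clean history


@dataclass
class Transaction:
    """One payment request as the bank's back end sees it after login."""
    device_id: str
    country: str                  # country derived from IP geolocation
    ip: str
    amount: float
    new_payee: bool               # payee never paid by this customer before


def score_transaction(profile: CustomerProfile, txn: Transaction):
    """Return (score, reasons). Each anomalous signal adds to the score.

    Signals are additive so that several weak indicators together can
    reach the same outcome as one strong one.
    """
    score = 0
    reasons = []

    if txn.device_id not in profile.known_devices:
        score += 40
        reasons.append("unrecognized device")

    if txn.country not in profile.home_countries:
        score += 30
        reasons.append(f"geolocation {txn.country} outside home countries")

    addr = ip_address(txn.ip)
    if not any(addr in ip_network(net) for net in profile.trusted_networks):
        score += 15
        reasons.append("IP address outside trusted networks")

    if txn.amount > profile.typical_max_amount:
        score += 20
        reasons.append("amount exceeds customer's typical maximum")

    if txn.new_payee:
        score += 15
        reasons.append("first payment to this payee")

    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action: 'allow', 'step_up' or 'block'."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(profile: CustomerProfile, txn: Transaction) -> dict:
    """Score one transaction and return the decision with its reasons."""
    score, reasons = score_transaction(profile, txn)
    return {"score": score, "decision": decide(score), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample data; 203.0.113.0/24 and 198.51.100.0/24 are
    # documentation ranges, so nothing here points at a real network.
    profile = CustomerProfile(
        known_devices={"dev-a1b2"},
        home_countries={"US"},
        trusted_networks=["203.0.113.0/24"],
        typical_max_amount=2500.0,
    )
    routine = Transaction("dev-a1b2", "US", "203.0.113.17", 120.0, False)
    takeover = Transaction("dev-zz99", "RO", "198.51.100.5", 4800.0, True)
    for name, txn in (("routine", routine), ("takeover", takeover)):
        print(name, evaluate(profile, txn))
```

A caveat a practitioner would add: none of these signals is proof. Geolocation and IP reputation are defeated by a proxy in the victim's country, and a device fingerprint can be replayed by malware on the victim's own machine, which is why the example treats them as additive risk signals feeding a step-up or hold decision rather than as a substitute for authentication.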
The risks posed by weak authentication practices also were highlighted at the recent RSA Conference 2014 in San Francisco, where the FIDO Alliance promoted its international authentication protocol, which would ultimately remove the need for usernames and passwords. FIDO is pushing for adoption of its protocol across all industries to ensure uniformity.
The problem, though, is that cybersecurity risks are not well understood in most sectors, including retail. Banks and credit unions, because of their work to thwart account takeovers, are ahead of the game. They appreciate the need for stronger authentication. But banking institutions still need to do more to encourage, and in some cases force, their customers to adopt stronger authentication practices.
Work is already under way to encourage more cyberintelligence sharing between bankers and retailers.
It could be a while before we see something like the FIDO authentication protocol adopted worldwide, but it's a step in the right direction.
In the meantime, banking institutions need to enhance their cyberintelligence sharing with other industries and start shoring up their analytics and backend fraud detection systems.