The Fraud Blog with Tracy Kitten

Retail Breaches as Catalysts for Action

Why Authentication Needs to Change
Retail Breaches as Catalysts for Action

Retail breaches have put a spotlight on payments risks, a hot topic during this week's BAI Payments Connect conference in Las Vegas.

See Also: How to Take the Complexity Out of Cybersecurity

The breaches suffered late last year by Target Corp. and Neiman Marcus could have positive long-term implications if they, indeed, serve as important catalysts for change.

For example, the migration toward enhanced payments technology - chip and PIN - could get a boost from all the attention to payments system vulnerabilities that the breaches generated.

The retail breaches have gotten the attention of Congress, which is considering how to spur more cyberintelligence information sharing and whether more regulatory oversight of payments security is needed. And breaches have exposed security vulnerabilities associated with weak authentication that relies on usernames and passwords and highlighted why ongoing vendor management and risk assessments are so critical.

The revelation that Target's breach was likely caused by a vendor illustrates the need for more security education (see Target Vendor Acknowledges Breach).

What's more, the notion that this vendor may have been hacked because an employee's authentication credentials were easily compromised proves we have a long way to go.

Weak Authentication

These same authentication vulnerabilities are exposing users and employees across all sectors, including online banking.

Weak authentication is often a key enabler of cyber-attacks, paving the way for subsequent fraud losses. Yet we still struggle to make sufficient strides toward strengthening authentication in all sectors, including online banking.

Compromised online-banking accounts, which resulted in accounts being taken over by fraudsters, spurred federal regulators in June 2011 to issue an update to their online authentication guidance for Internet banking transactions (see FFIEC Authentication Guidance: Final Update Issued). In response, banks and credit unions have spent millions on enhanced fraud detection and prevention technology as well as ongoing educational campaigns.

Yet account takeover continues. And poor authentication, either at the bank or customer level, is often to blame.

During a panel discussion that I moderated at BAI Payment Connect about fraud liability in the wake of an account takeover, cybersecurity attorney Joseph Burton said it best: "We have to get away from authentication of the user and go toward verification of the transaction. It's the only way we are going to secure transactions," and ultimately stop account takeover fraud.

Rather than relying on a username and password to authenticate a user, banking institutions should be rely more on technology and processes to verify the authenticity of the transactions themselves, through device identification, geo-location and IP addresses, to name a few, Burton explains.

The risks posed by weak authentication practices also were highlighted at the recent RSA Conference 2014 in San Francisco. Now the FIDO Alliance is spearheading the launch of an international authentication protocol that would ultimately remove the need for usernames and passwords. FIDO is pushing for the adoption of its protocol across all industries in all sectors to ensure uniformity.

The problem, though, is that cybersecurity risks are not well understood in most sectors, including retail. Banks and credit unions, because of their work to thwart account takeovers, are ahead of the game. They appreciate the need for stronger authentication. But banking institutions still need to do more to encourage, and in some cases force, their customers to adopt stronger authentication practices.

Work is already under way to encourage more cyberintelligence sharing between bankers and retailers.

It could be a while before we see something like the FIDO authentication protocol adopted worldwide, but it's a step in the right direction.

In the meantime, banking institutions need to enhance their cyberintelligence sharing with other industries and start shoring up their analytics and backend fraud detection systems.



About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.