channel is compromised and the session itself is compromised. Details of the session
itself must be delivered to the end user over a second communication channel so that the end
user can recognize that something is wrong.


Typically, the more security applied to a process, the less convenient it becomes for the end
user. This is especially true when the user must complete a multi-step process simply to log
in to an account, and all the more so given that attacks like Emmental are not thwarted by a
strong login process. Depending on the circumstances, it may be a better user experience to
apply authentication periodically throughout a user session instead of stacking all of it at the
beginning.

Requiring end user authentication of “post-login” activity, especially activity that affects the
account or transfers funds, is one solution to these problems and to threats similar to
Emmental.

For instance, an institution equipped with telephone-based, out-of-band authentication
services can use those services for transaction verification rather than only for login
authentication. The end user receives a telephone call that reads back the transaction details
for approval. For end users with smartphones or tablets, an encrypted messaging channel to
an app can deliver the transaction details for approval instead of SMS. The point is that the
user approves the specific details (payee, amount), not merely a login, so a transaction that
was altered in a compromised session will not match what is read back.
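To make that binding concrete, here is an added example, in Python, of the server side of such a transaction verification step. It is not code from the original article or from any product the article mentions. It assumes a server-held HMAC key, a fixed set of approved fields (account, beneficiary, amount, currency), a 300-second validity window and a six-character reference read out to the user; the field names, key, window and the sample transfer are all assumptions constructed for the illustration. The pending approval is stored as an HMAC over exactly the details the user heard, so a transaction altered in the browser session after approval, or an approval replayed for a second transfer, is rejected.

```python
import hashlib
import hmac
import json
import secrets

# Assumed server-side key that binds approvals to transaction details.
# In production this lives in an HSM or secrets store, not in source.
SERVER_KEY = b"example-only-key-change-me"

APPROVAL_TTL = 300  # seconds a pending out-of-band approval stays valid


def canonical(tx: dict) -> bytes:
    """Serialise exactly the fields the user is asked to approve, in a fixed
    order, so the same details always produce the same bytes."""
    fields = {k: tx[k] for k in ("account", "beneficiary", "amount", "currency")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def oob_text(tx: dict, ref: str) -> str:
    """The wording read out over the phone call or pushed to the app."""
    return (f"Approve transfer of {tx['amount']} {tx['currency']} "
            f"from {tx['account']} to {tx['beneficiary']}? Reference {ref}.")


class ApprovalStore:
    """Pending out-of-band approvals, keyed by a short reference."""

    def __init__(self, key: bytes = SERVER_KEY):
        self.key = key
        self.pending = {}  # ref -> {"tag", "expires", "confirmed", "used"}

    def _tag(self, tx: dict, ref: str, expires: int) -> str:
        msg = canonical(tx) + b"|" + ref.encode() + b"|" + str(expires).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request(self, tx: dict, now: int) -> tuple:
        """Called when the web session submits a transfer. Returns the reference
        and the text to deliver over the second channel."""
        ref = secrets.token_hex(3).upper()
        expires = now + APPROVAL_TTL
        self.pending[ref] = {"tag": self._tag(tx, ref, expires),
                             "expires": expires, "confirmed": False, "used": False}
        return ref, oob_text(tx, ref)

    def confirm(self, ref: str, now: int) -> bool:
        """Called by the telephony or app back end when the user approves `ref`."""
        entry = self.pending.get(ref)
        if entry is None or now > entry["expires"]:
            return False
        entry["confirmed"] = True
        return True

    def execute(self, tx: dict, ref: str, now: int) -> tuple:
        """Release the transfer only if `tx` is byte-for-byte what was approved."""
        entry = self.pending.get(ref)
        if entry is None:
            return False, "unknown reference"
        if entry["used"]:
            return False, "approval already used"
        if now > entry["expires"]:
            return False, "approval expired"
        if not entry["confirmed"]:
            return False, "not yet approved out of band"
        if not hmac.compare_digest(entry["tag"], self._tag(tx, ref, entry["expires"])):
            return False, "transaction does not match approved details"
        entry["used"] = True
        return True, "released"


def demo() -> dict:
    """Honest approval, a tampered transaction and a replay, on constructed data."""
    store = ApprovalStore()
    # Amounts are kept as strings so that formatting, not float rounding, is hashed.
    tx = {"account": "CH93-0000-1111", "beneficiary": "DE89-3704-0044",
          "amount": "2500.00", "currency": "CHF"}
    ref, message = store.request(tx, now=1000)
    store.confirm(ref, now=1010)  # the user presses 1 on the phone call
    results = {"oob_message": message}
    # Malware in the browser session swaps the beneficiary after the user approved.
    tampered = dict(tx, beneficiary="PL61-1090-1014")
    results["tampered"] = store.execute(tampered, ref, now=1020)
    results["honest"] = store.execute(tx, ref, now=1030)
    results["replay"] = store.execute(tx, ref, now=1040)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The reference is deliberately short because it is spoken or typed by a person; the security does not rest on it, but on the HMAC that ties the reference to the details and on the single-use flag. The time window and the fixed field list are the two knobs a practitioner would tune to the institution's workflow.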
Thinking outside the box, additional authentication measures applied “post-login” need not
be limited to transaction verification. Imagine a process in which the end user scans a QR
code with a smart device as the last task before logging out, to finalize changes to the
account. Behind the scenes, the QR code scan triggers a digital certificate authentication.
The user interface is clean and simple, and products of this type are available today. End
users, after all, are familiar with signing letters, tax returns and other documents as the last
step of a process. An end user will accept additional authentication layers more readily
provided they are streamlined and applied once the user has already invested some time in
account activity that it is sensible to protect.

There are additional benefits to requiring out-of-band authentication when opening new
accounts or making changes to existing accounts. Hackers often open multiple accounts at a
single institution in order to move funds around and appear legitimate before making a
fraudulent transfer. An institution using this technique adds a little friction to the account
registration process for a fraudster. A legitimate user will provide a phone number readily,
whereas a fraudster who ties a single telephone number to many accounts creates a data
point that can be flagged as a risk indicator for examination. The fraudsters can acquire
multiple phones, but the extra work may simply cause them to go after an easier target.
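The one-number-to-many-accounts rule is easy to express as a small risk check. The Python below is an added example, not code from the original article; the registration records are constructed, and the Swiss default country code and the threshold of three accounts are assumptions for the illustration. The point it adds is normalization: a fraudster can write the same number five different ways, so the count must run over a canonical form of the number rather than the raw string.

```python
import re
from collections import defaultdict

# Constructed registration records: (account id, phone number as typed by the applicant).
REGISTRATIONS = [
    ("acct-1001", "+41 79 123 45 67"),
    ("acct-1002", "0041791234567"),
    ("acct-1003", "079 123 45 67"),
    ("acct-1004", "+41 78 999 00 11"),
    ("acct-1005", "+41791234567"),
    ("acct-1006", "+41 78 999 00 11"),
]


def normalize_phone(raw: str, default_cc: str = "41") -> str:
    """Reduce the many spellings of one number to a single E.164-style form.

    The default country code is an assumption (Swiss numbers for this
    illustration); a real deployment would take it from the account's country."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):          # international prefix written as 00
        return "+" + digits[2:]
    if digits.startswith("0"):           # national trunk prefix
        return "+" + default_cc + digits[1:]
    return "+" + digits


def accounts_per_phone(records) -> dict:
    """Map each normalized number to the set of distinct accounts registered with it."""
    index = defaultdict(set)
    for account, phone in records:
        index[normalize_phone(phone)].add(account)
    return index


def flag_shared_phones(records, threshold: int = 3) -> dict:
    """Return {number: sorted accounts} for numbers tied to `threshold` or more accounts.

    The result is a data point for examination, not an automatic block: a family
    or a small business can legitimately share one number."""
    return {phone: sorted(accounts)
            for phone, accounts in accounts_per_phone(records).items()
            if len(accounts) >= threshold}


if __name__ == "__main__":
    for phone, accounts in flag_shared_phones(REGISTRATIONS).items():
        print(f"{phone} is registered on {len(accounts)} accounts: {', '.join(accounts)}")
```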

As described above, the ability to tailor the authentication process to counter different threats
at different points in the end user’s workflow is a prerequisite for successfully thwarting
modern cyber-thieves. When considering authentication technologies, an institution should
have the flexibility to choose which factors, how many, where and at what times are used to
authenticate an online user or their activities. By layering authentication or verification at
natural points in the user’s workflow, an institution will still be able to provide an



19 Cyber Warnings E-Magazine – August 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
