The Trend Skeptic: Regulations Have Fixed Authentication

What was your high school mascot? In what town were you born? What was the make and model of your first car? If you do enough online banking, you’ve encountered these questions, and that’s bad news for security.

Fortunately, these “challenge” questions usually serve fairly benign purposes. They don’t often let you retrieve a password (if they do, you should shut the account down), but they act as a secondary or tertiary form of authentication. For instance, when banks use “soft” forms of two-factor authentication, such as secure cookies, these questions merely fill the gap in the event that the cookie has been removed.

For you tech geeks out there who constantly purge your PCs of temporary files and cookies, you’re more likely than most to be shuffled to weaker forms of authentication. The trouble is that these questions are a heck of a lot easier to figure out than passwords.

Have you heard of MySpace? You’ll find plenty of information about hometowns, cars, pets and other personal details that security questions ask about. What about those $20 public records searches advertised on Google? If I can figure this stuff out in my role as an armchair tech skeptic, imagine how easy these things are to crack for motivated cyber-crooks.

Is This Good or Bad?

These new forms of authentication were spurred on by the Federal Financial Institutions Examination Council (better known as the FFIEC) regulations, which required financial institutions to adopt multifactor authentication for online transactions. “Virtually all U.S. banks have some kind of enhanced authentication,” said George Tubin, senior analyst in Delivery Channels for the TowerGroup. “Ninety-five percent or so have something in place today, and we’re getting close to 100%.”

One of the drawbacks of the FFIEC legislation is that it offers no guidance on how to achieve multifactor authentication. The mandate really just said to offer more than user names and passwords. Even so, the net effect has been overwhelmingly positive. “This is mostly anecdotal,” Tubin said. “I mean, banks won’t come out and say that they lost $12 million last year and only $6 million this year, but the reports are good. Fraud is down.”

Part of this is simple math—the barrier-to-entry mantra so familiar to emerging technologies. Raise the bar, even a bit, and you subtract the subset of criminals who have few skills; i.e., it’s harder for complete knuckleheads to rip you off. Similarly, due to the FFIEC, many attackers have shifted their focus, targeting other countries where standards are lax. Why bother with U.S. banks when it’s easier to crack those in, say, Eastern Europe?

Coming to a Data Center Near You

For enterprise IT, attackers moving elsewhere should be worrisome. As online banking security gets stronger, are you running the risk of being the Eastern Europe of U.S. industries? “Other industries aren’t moving as quickly as the financial sector, but many realize that user names and passwords aren’t nearly enough,” Tubin said. “There is a trickle-down effect.”

The trickle-down effect is troubling in its own right. If other industries adopt, say, challenge questions without realizing their limitations and risks, they could actually weaken security. Banks have found that challenge questions work best when asked to do little.
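The cookie-fallback flow described above, and the rule that challenge questions should be asked to do little, as an added example that is not from the original column. The answer-space sizes, key and attempt budget are constructed assumptions for illustration; the flow only lets a correct challenge answer cover low-risk actions when the device cookie is missing, and pushes everything else to a stronger step-up factor.

```python
import hmac, hashlib, math
from dataclasses import dataclass
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # placeholder; a real deployment uses a managed secret
MAX_CHALLENGE_ATTEMPTS = 3            # answers are guessable, so the attempt budget is tight

# Constructed, illustrative counts of plausible answers an attacker could enumerate per question.
ANSWER_SPACE = {"high_school_mascot": 2_000, "birth_town": 20_000, "first_car": 5_000}

def guess_bits(questions):
    """Work needed to guess every answer, in bits (assumes the answers are independent)."""
    return sum(math.log2(ANSWER_SPACE[q]) for q in questions)

def password_bits(length, alphabet=62):
    """Work needed to guess a random password of the given length, in bits."""
    return length * math.log2(alphabet)

def mint_device_cookie(user):
    """Secure cookie tying a browser to a user; the MAC is what makes it a 'soft' second factor."""
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

def cookie_valid(user, cookie):
    return cookie is not None and hmac.compare_digest(cookie, mint_device_cookie(user))

@dataclass
class Session:
    user: str
    password_ok: bool
    device_cookie: Optional[str] = None
    challenge_ok: bool = False
    challenge_attempts: int = 0  # wrong answers so far, persisted across requests

def authenticate(s: Session, action_risk: str) -> str:
    """Returns 'allow', 'step_up' or 'deny'. Challenge questions only fill the gap left by a
    missing device cookie, and only for low-risk actions; anything else needs a real second factor."""
    if not s.password_ok:
        return "deny"
    if cookie_valid(s.user, s.device_cookie):
        return "allow"
    if s.challenge_attempts >= MAX_CHALLENGE_ATTEMPTS:
        return "deny"      # small answer space: lock out rather than keep prompting
    if action_risk == "low" and s.challenge_ok:
        return "allow"
    return "step_up"       # e.g. an out-of-band one-time code
```

Under the constructed answer-space sizes, all three questions together are worth fewer guessing bits than a random eight-character password, which is why the flow never lets them stand in for the cookie on a high-risk action.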

Then there is the money angle. Banks had to change. Regulations demanded it. Because of this, they could justify significant investments in security. Does your organization have the same mandate?

Even if you catch up with authentication, you could still be behind the curve when it comes to new types of fraud, making you an easy target as financial institutions improve their security profiles. Granted, your risks probably aren’t as steep as they are in the financial sector, but that could quickly change if attackers move from, say, consumer identity theft to corporate ID theft because it’s easier now.

Criminals are always using new techniques to get around strong authentication.

New Risks for the Enterprise

As the enterprise becomes more dispersed, relying on mobile workers, contractors, outsourced laborers and business partners, authentication is a glaring security weakness. The typical enterprise has not pursued multifactor authentication as aggressively as, say, anti-spam solutions.