Mitigate Security Risk Before Your Business Collapses

Thursday, July 11, 2013

Jan Valcke


Large-scale online fraud schemes and successful hacking attacks have become commonplace. Every day some new fraud attempt comes to light, and it is clear that security still leaves a lot to be desired. Banks and financial institutions worldwide have already acknowledged the dangers and deployed ample security mechanisms in order to secure their customers’ accounts and prevent cybercrime. Social media, e-commerce shops and enterprises – though perhaps reluctantly – are likely to follow suit as security awareness is rising due to heavily publicized hacking attacks.

More often than not, security is perceived as an expense by online service providers and SMEs alike. Data theft comes at a high cost, however, and adequate security measures and mechanisms are more than a mere expense. Security can prevent companies from losing face, revenue, customers, credibility and legal battles. All too often this proves to be a lesson learned the hard way, and companies lick their wounds after reported data breaches.

The data leaks that have hit the headlines are avoidable and are down to a string of lax security concepts: personal customer data, such as passwords, continue to be stored with insufficient encryption or none at all. Access for many customers and employees continues to be protected with obsolete systems. And companies continue trying to increase security levels on the basis of questionable recommendations.

Static passwords may become your downfall

Granted, most companies use a basic form of security with a static password and username logon. But time and time again, these static passwords have proven to be insecure. Fraudsters can easily intercept static passwords using phishing techniques, key loggers or dictionary attacks. The consequences can be disastrous. Exaggerated? Just think how likely the following scenario might become…

Imagine as a start-up company you are starting to break even. You have invested a considerable amount of time and money in your business and your customer base is growing steadily. All of a sudden, you notice that your customers are being lured away by your biggest competitor. Your entire customer base was published online by a hacker who was able to intercept your static password that secures access to your CRM-system. The blame is shifted towards you as the CRM-company isn’t responsible for the strength of the password you used. While you consider taking legal steps, the damage is done.

The burden is too often solely placed on the shoulders of the employee, customer or consumer. Should they be expected to come up with a new monster password containing digits and special characters every week ... and commit it to memory if you please? This kind of concept fails to find the right balance between security and user-friendliness. Furthermore, it is deemed too cumbersome to remember a list of different passwords for every service and application being used.

Tackle the password dilemma

Various breaches demonstrated that static password protection is insufficient. Password management is not only a stumbling block for consumers, but can be for website owners as well. Offering support for password management requires resources and can be a time-consuming and costly affair. So how to impose security in a cost-efficient manner without scaring employees, citizens, customers and potential customers away?

Protecting personal credentials or network access doesn’t necessarily need to be complicated. Strong two-factor authentication overcomes many of the objections raised above. By using strong dynamic passwords, commonly known as one-time passwords or OTPs, companies can easily circumvent the password dilemma. OTPs can only be used once and remain valid for a limited period of time. As a result, hackers can no longer reuse intercepted passwords or store them for later use. OTPs are typically generated by a software or hardware authentication device or application. Consumers no longer need to remember every password they once created, as they generate a strong password every time they log on.

Different needs, different requirements

Security is not a one-size-fits-all solution. The same goes for two-factor authentication. An e-commerce site selling shoes has different requirements than a consultancy agency.

E-commerce and social media sites obviously require log-on security. Consumers need to register themselves and create an online account in order to purchase their goods or become a member of an online community. Access security appears to be the priority: is the consumer really who he claims to be? Strong authentication using OTPs secures access to users’ accounts. Some e-commerce sites, however, require additional security measures, such as transaction security.

SMEs, in turn, are mostly concerned about data and network security. Is access to the network sufficiently protected? Can we guarantee that only authorized staff can access our business-critical data?

And what about e-government sites and applications? Citizens requesting online information or signing documents tap into a much larger database with hugely confidential information. The possible consequences of breached databases with millions of personal details from every citizen are incalculable.

For each of these requirements, different solutions are at hand.

Secure access with OTP-technology

OTPs are an efficient way to secure access, whether to an e-commerce site, a website or a corporate network. Different solutions and form factors – both hardware and software – guarantee that companies will find the authentication device that best fits their needs. From text-based authentication to hardware authenticators and applications that can be downloaded on any mobile device, there is a vast range from which to choose.

Off-the-shelf authentication solutions or plug-and-play authentication appliances cater to the needs of SMEs often confronted with a lack of budget and resources to deploy a dedicated authentication solution on premises. They can opt for a cost-efficient ‘authentication pack’ that includes the server back-end software, hardware authenticators and licenses for a limited user base.

Dedicated authentication appliances usually comprise an intuitive web-based administration interface, allowing IT administrators to assign authentication devices to employees in a straightforward manner. Both solutions ensure that only authorized people are allowed to access the network or certain files within that network. Each logon requires a username and a dynamic password generated by the authentication device.

In-the-cloud authentication

Some companies are not keen on installing and maintaining an in-house authentication infrastructure. For them, an in-the-cloud authentication platform proves to be an excellent solution allowing them to easily integrate strong authentication for their websites or applications.

Because it is a hosted solution, companies no longer require dedicated resources and investments in infrastructure to set up a secure online environment. The authentication process in the back-end is taken care of, from the server infrastructure to the deployment of authenticators. Concerns about availability and scalability can also be put to bed.

Cost-efficiency is a key factor too when it comes to rolling out security. Many companies see an investment in a security infrastructure as a huge upfront cost with a minimal return on investment. By choosing an outsourced authentication solution, companies need not invest in initial startup and infrastructure costs. They only pay for the capacity they have actually used. And on top of that, they gain a competitive market share that cannot be quantified. The value of customer retention and loyalty after all cannot be converted into nominal numbers.

E-signatures provide transaction security

Companies (e.g. e-commerce sites) requiring transaction security need to implement a higher level of security than dynamic passwords can offer. While they identify the user trying to access a website, OTPs cannot prevent transaction content from being changed. This is where electronic signatures come into play. Electronic signatures ensure that a transaction is not altered after being signed by the user.

They allow you to verify whether a transaction was initiated by the genuine end user and was not altered in transit. This prevents the fraudster from submitting transactions or modifying existing transactions. As a result, e-signatures offer the ideal security control against both local and remote man-in-the-middle attacks. E-signature authentication devices come in many flavors, from a simple signature generator to optical devices and WYSIWYS solutions. WYSIWYS is an acronym for ‘What you see is what you sign’. Transaction data such as amount and account number are displayed directly on the authenticator’s screen for confirmation prior to transaction signature.
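The difference between an OTP (single use, short validity, identifies the user only) and a transaction signature (also bound to account and amount) can be shown in a few lines. This is an added illustration, not code from the article or from any vendor's product; it assumes a shared-secret HMAC construction in the style of RFC 4226/6238, and the 30-second step, the message layout and all names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # assumed OTP validity period in seconds
DEMO_KEY = b"12345678901234567890"  # RFC 6238 test-vector key, not a real secret


def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC value to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def otp(key: bytes, now: int) -> str:
    """Time-based one-time password (RFC 6238 construction, HMAC-SHA1)."""
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(key, counter, hashlib.sha1).digest())


def sign_transaction(key: bytes, now: int, account: str, amount: str) -> str:
    """Signature code bound to the time step AND the transaction data."""
    msg = struct.pack(">Q", now // STEP) + f"{account}|{amount}".encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), 8)


class Verifier:
    """Server side: accepts the code of each time step at most once."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_step = -1  # highest time step already consumed

    def check_otp(self, code: str, now: int) -> bool:
        step = now // STEP
        if step <= self.last_step:  # replayed or stale code
            return False
        if not hmac.compare_digest(code, otp(self.key, now)):
            return False
        self.last_step = step
        return True

    def check_signature(self, code, now, account, amount) -> bool:
        expected = sign_transaction(self.key, now, account, amount)
        return hmac.compare_digest(code, expected)
```

Note that `check_otp` never sees the transaction data, so a valid OTP says nothing about whether the amount or account was changed; only `check_signature` fails when either field differs from what the user confirmed.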

PKI safeguards data origins and integrity

A PKI infrastructure provides yet again a different level of security which generally isn’t required by a simple e-commerce site. Typically, e-government applications use Public Key Infrastructure (PKI). PKI enables different parties to securely communicate with each other and reliably verify the identity of a user via digital signatures. PKI allows secure document signing with legally binding signatures and provides data integrity and non-repudiation. This allows governments and citizens to legally prove that a person sending a message has indeed sent that message and that the content of that message has not been changed. PKI is also often used in the legal, insurance and HR sectors, where signing legally binding contracts is part of everyday life.

There are different PKI authenticators available today. The most recognized is a smart card reader that enables citizens equipped with a digital ID card to read and use the certificates stored on their electronic ID card. PKI is also offered as a plug-and-play solution in the form of a USB stick. The authenticators will be able to generate one-time passwords and digital signatures and provide disk and mail encryption functionalities and secure storage. Rolling out a PKI infrastructure doesn’t necessarily need to be a complex task. Vendors offer zero-footprint solutions and even SIM-based PKI technology. This option is extremely well-suited for mass deployments. Instead of having to personalize every device prior to customer distribution, end users receive a personalized SIM card, significantly reducing the cost of deployment and renewal.

Conclusion

Security is not an optional feature to be implemented after the horse has bolted. Lack of security may have severe consequences and can result in damaged corporate images, severe revenue losses and liability suits. Strong authentication alleviates a lot of security concerns, can help build customer trust and credibility, and can even become a competitive advantage. With a wide range of authentication solutions to choose from, companies will find a solution that fits their needs without compromising user convenience and cost efficiency. Corporate reputations and customer trust are at stake. Don’t get caught out!

About the Author

Jan Valcke is President & Chief Operating Officer of VASCO and has held this position since 2002. Valcke has been an officer of VASCO since 1996. From 1992 to 1996, he was Vice-President of Sales and Marketing of Digipass NV/SA, a member of Digiline group. He co-founded Digiline in 1988 and was a member of the Board of Directors of Digiline. Valcke received a degree in Science from St. Amands College in Kortrijk, Belgium.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.