SECURITY

Stronger Authentication Measures on Tap to Battle Fraud

Michael Steinhart | Date: 11-17-11 | Comments

Companies must consider the risks associated with different transaction types in order to figure out how much security is necessary. Experts recommend strong authentication measures be put in place to protect businesses and customers alike.

There�s no question that identity theft and financial fraud are on the rise. The Federal Trade Commission received 250,854 complaints about identity theft in 2010�the highest of any category. For the eleventh straight year, consumers were most concerned about it.

The most popular types of identity theft involve criminals stealing victims� identities so that they can drain bank accounts, exploit credit card information and even apply for government benefits.

The rise in smartphones is also setting the stage for mobile-banking fraud, where hackers can steal information via WiFi or via malware on mobile devices. According to one study, instances of malware on Android phones grew 400 percent between the summer of 2010 and the spring of 2011.

To combat these threats, many industries have adopted far-reaching security guidelines. For banks and other finance-related companies, the Federal Financial Institutions Examination Council (FFIEC) is the group that issues guidance on how to protect sensitive transactional data.

In June 2011, the FFIEC updated its guidelines with recommendations for risk assessment, strong authentication, layered security and customer education.

Companies must consider the risks associated with each type of transaction in order to figure out how much security it requires. For example, commercial clients may warrant tighter measures than individual consumers, and systems that conduct a high number of transactions may need greater protection than less-busy systems. As always, companies must also consider the impact of a breach and the potential damage it can cause to reputation, future business and operational budgets.

When rolling out�or more likely updating�an authentication strategy, experts recommend strong measures that are becoming more advanced and more affordable at the same time.

In general, authentication involves something you know (like a password), something you have (an ATM card, for example), or something you are (biometrics like fingerprints). Strong authentication schemes combine two or more of these factors.

The latest authentication technologies include the following:

Real-time transaction verification, where the bank or store calls the customer�or sends a text message�prompting the customer to confirm the transaction.

Soft tokens, which are mobile applications that generate one-time passwords at random.

Device profiling, in which the system records identifying details about the customer�s device and raises concern when a different device is used.

Out-of-band credentials, in which log-in requires a password and a separate verification via text message or email.

IP geolocation, in which users register the locations�such as a particular county or a particular Internet provider�where they conduct shopping or banking, and the system raises the alarm if transactions are coming from other places.

Authentication measures like these can ensure that customers and their data remain safe from prying eyes, and they can keep a business in compliance with government and industry regulations, too. As long as a business picks a solution that doesn�t place an undue burden on end-users, and it takes the time to explain these new measures thoroughly, the business should see widespread adoption plus more satisfied and comfortable customers.