The FBI’s report on identity theft for 2005 makes fascinating reading: during the year, 8.9 million people were affected, at a total cost to business and individuals of $56.6 billion. The cost per victim averaged $6,383, a figure expected to rise in 2006 as fraudsters devise smarter, more focused scams.
Not surprisingly, the FBI signs off its report by concluding that the whole question of online identity is a massive headache – for the state, for business, for the citizen. But unlike many of the other interested parties, the FBI has a duty to do something about it – it is responsible for protecting US citizens from online scams, fraudulent “phishing” emails, and to pursue the perpetrators.
So how many cases of identity theft did the FBI have on its books in 2005, the year phishing broke into the public consciousness? An onerous 49. From those, 11 arrests were made – a satisfying 275% increase on 2004’s number of four.
“In the priorities of the Bureau, it’s not very high,” admits Christopher Sadlowski, special agent with the FBI’s cyber-criminal squad in the high-tech nexus of San Francisco. Internet fraud ranks “last” within the cyber division, itself less important than terrorism and foreign counterintelligence.
Sadlowski says the majority of crimes originate outside of the US: he mentions Nigeria and Eastern Europe in particular. So law enforcement covering just one country has little hope of tracking down – let alone extraditing and convicting – foreign cyber-criminals who have in many cases developed highly organised, professional networks, with their own multi-national structures and division of duties to specialists. “It’s frustrating – it’s the nature of the beast with the Internet that there are no boundaries any more,” he says. “[Law enforcement] has to change and it is changing, but, boy is it slow.”
In that context, businesses with valuable intellectual property or electronically accessible financial assets are left to protect themselves. In most situations, they have succeeded in securing their own networks, but that leaves the more daunting task of protecting a greater point of weakness – their customers. The trouble is, organisations, like the FBI, are struggling to extend traditional, centralised concepts of security to an environment where individuals and their devices are outside of their control.
Just ask information service provider Lexis Nexis. In the aftermath of a major security breach affecting 300,000 customers, the company’s senior director of information security, Leo Cronin, sees the ongoing threats as a tough nut to crack. “The perimeter is still there but now it’s extended to our customers,” he says. “We now have to look at our customers’ networks as an extension of our own.” However, prescribing specific security controls is tricky because “every infrastructure is different”.
Addressing such an issue requires a completely new security architecture. “I really think passwords are dead,” he says, “so we’re looking at two-factor authentication.”
While network and application security and back-end fraud detection (see feature, Fixing the odds) are crucial elements in preventing fraud, the personalised attacks of today’s fraudsters demand a personalised response. Companies are finally starting to deploy to customers stronger kinds of authentication, such as the passcode-generating tokens (manufactured by RSA Security, Secure Computing, Vasco and others), smartcards or newer devices like fingerprint or signature verification pads.
In April, HSBC announced it was deploying two-factor authentication, in the form of Vasco’s one-time password tokens, to its 180,000 business customers for online banking. As well as protection from spyware, phishing and other attacks, HSBC says ease of use drove its not-inconsiderable investment.
The tokens provide a similar level of security to the digital certificates they are replacing, but HSBC hopes the key fob-sized devices will be simpler and so drive uptake of its many dormant online accounts, which are far cheaper for banks to administer than traditional phone or branch interaction.
The highest profile pilot programmes in strong authentication may be underway at the financial services institutions, but the work being done in these high-risk areas points to the steps that many businesses – large and small – will inevitably have to take to secure their porous perimeters.
Financial institutions are usually reluctant to talk about the mechanics of their security, but that is not the case with Alliance & Leicester. The UK bank is eagerly broadcasting news of its new authentication technology, which uses customers’ PCs to identify them (see box below). Security – IT’s equivalent of insurance payments – is becoming a revenue-generator.
“The biggest advantage [of two-factor authentication] is an emotional one,” says Tom Brady, director of strategic accounts at Secure Computing. “The user knows this is a more secure way of doing business. And the marketing department loves that: it proves the bank cares about you.”
But that does not mean information security officers are in for an easier ride. Unlike HSBC, Alliance & Leicester chose not to give out tokens because of concerns that customers might find them difficult to use. These concerns – as well as scalability issues – put consumer authentication worlds apart from the identity systems that employees might already be used to.
“It’s very different to what we use internally,” says Jonathan Wright, head of development in ecommerce at Alliance & Leicester. “We have tokens for a limited number of users; that keeps the cost within a threshold. The system we use to do the actual identity management for Internet banking is physically, and in every other way, different to our internal ID management. I perceive them as two totally different things.”
For companies looking to authenticate partners, not consumers, the task of marketing security as a benefit is not so easy. Tobacco manufacturer and wholesaler Gallaher Group is rolling out smartcards to its employees and one-time password tokens to its hundreds of partners, but the IT department initially found it a struggle to get internal backing and funding for the system.
“I wanted something scalable, flexible and secure that didn’t cause headaches any more – but this problem was only ever visible to a few people,” says Blandine Mareclin, group chief technical architect at Gallaher. “We knew we had a [security] problem but management never complained about it. People take what they have for granted.”
Nevertheless, she was able to get funding for a new SSL VPN system, sourced from ActivIdentity, by pitching the enhanced security as an improvement to their “antiquated” remote working system.
“Employees’ smartcards go well beyond remote access, and are also used for single sign-on which our partners don’t need,” she says. “We have a very strict policy internally of configuration of devices, but we do not control our partners’ endpoint policies. So we give them tokens and ask them to certify that they have anti-virus software installed and a security layer.” Gallaher can now authorise new requests for access in days rather than weeks.
Gallaher faced little resistance when giving tokens to its partners, but not every company is so lucky. Stuart Okin, a partner at IT services company Accenture, describes one manufacturer that wanted to authenticate its 140 partners through the same system it used for employees: “The partners would not replace their own authentication processes. They wanted to prove themselves locally and then pass on the transaction.”
This is the idea behind federated identity, whereby users are authenticated once by a central body and then can roam freely within a trusted group of sites. But such a system has yet to make it to the mainstream.
Security infrastructure provider Verisign recently launched VIP, an attempt to apply the system pioneered by credit card operators Mastercard and Visa to online credentials. Verisign takes on the burden of authentication centrally, so individual companies do not have to issue and manage tokens themselves.
Verisign has already signed up eBay, Yahoo, Motorola and SanDisk, a memory stick manufacturer, to provide and use open-standards authentication credentials. However, other federated identity standards and service providers – backed by companies such as IBM, Microsoft and RSA Security – are competing with VIP, so consumers are still likely to be using several different authentication methods for some time to come. In any case, for trusting entities like banks, any such system involves complex control and liability issues that cannot be resolved solely by a service provider.
These federation schemes sidestep one of the most contentious issues around authentication: form factor of the authenticating device. Opinions diverge based on different prioritisations of cost, convenience, manageability and protection.
While it offers free anti-virus software to its 1.6 million active online banking customers, Barclays is still weighing up its authentication options. “We are absolutely committed to two-factor authentication,” says Ian Morgan, the bank’s head of electronic banking channel development. “We are projecting to deliver it in 2007, and at the moment it is likely to be based on chip and PIN.” Barclays decided token or even text-messaging systems are unsustainable, due to the existence of mobile-phone malware and ‘man in the middle’ attacks that tokens cannot prevent.
“Everyone is running away from the simple password,” says Gartner analyst Ant Allan. “Everyone knows what they don’t want to do, but where they run to is a matter of individual choice.”
Usability is a big factor in consumer rollouts, but in business-to-business authentication, matching security cultures and processes is often more of a priority.
Peter Tippett, CTO of security services provider CyberTrust, says that tokens are “one of the most cost inefficient ways to improve identity security”, estimating each one costs $30 a head to buy and another $20 a year to manage.
“The closer you get to the end user, the harder it is to get tokens to work: users lose them, leave them next to the machine. It brings no value and becomes an administrative nightmare.” He says ‘soft’ tokens provide a similar level of security as hardware ones, at a fraction of the cost.
Andreas Wuchner, head of global IT security at pharmaceutical company Novartis, believes the ideal authentication device would be wirelessly enabled, trusted as a hardware certificate, and know where the user is and what data they are working with.
Accenture’s Stuart Okin, meanwhile, is an advocate of smartcards, for their potential for multiple uses, thus bringing down overall cost and increasing user acceptance.
This is the philosophy behind the move by UK payments association, APACS, to develop a standard card reader that can be used with chip and PIN debit and credit cards during ‘card-not-present’ transactions. Readers will be interoperable between banks, although standards and how any programme will be paid for are still being negotiated. But the advantage is that it would provide continuity of experience across different channels of transaction, improving usability and uptake.
But, as always, every security investment must be balanced against the cost of leaving the vulnerability unpatched.
“E-crime is a major problem in financial services, because that’s where the money is,” says Stephen Bonner, director of technical security at Barclays Capital. “But it’s worth putting the losses in context.” Cheque fraud cost UK banks £40.3 million in 2004, according to APACS, but online fraud cost £23.2 million. While e-fraud increased by 90%, it is still – in pure monetary terms – a smaller problem than offline scams.
However, he adds that security investment is a different beast when it faces outwards. “We want the customers to feel safe online. But there’s always more to be done.”
Alliance & Leicester is the first bank in the UK to roll out two-factor authentication to its entire online banking customer base. The bank saw demand for online banking almost double in 2005 – but so too did fears about its safety.
“We wanted to address the customer perception that banking online isn’t secure,” says Andy Muddimer, head of online banking at Alliance & Leicester. “Banking online is a very safe way to manage an account, but we wanted to address that perception.”
Confidence levels in UK online banking have deteriorated in recent years. A recent YouGov poll found that 54% of bank customers were more worried about online fraud than they were two years ago.
Alliance & Leicester wanted a proven technology that would not be too difficult to use; something that would encourage usage, not put customers off. Rather than the token approach trialled by Lloyds TSB, the UK’s largest previous experiment in authentication, Alliance & Leicester chose to implement a system that identified users by their PCs.
“For us it was important to have something that gave a level of protection over and above the existing industry standard,” says Muddimer. “This was by far the easiest solution out there.”
The technology, sold by Passmark (now a division of RSA Security), had already been rolled out to Bank of America’s 15 million online customers. As it did not require the purchase, delivery and management of a physical device, it was also cheaper than tokens. While usability and security were the drivers of the project, cost was “a bonus”, says Muddimer. “A report by the Financial Services Authority said that consumers expected banks to protect them. And they wouldn’t expect to pay for that protection themselves, so our approach had to be cost effective.”
A five-digit PIN, a selection of ‘cherished data’ questions and a password are all captured prior to setting up online banking. For every new device users register as their own, they have to answer predetermined questions based on these details. When users first arrive at the site, they are shown an image and a familiar phrase that they chose during registration, so that they know the site is genuine and it is safe to enter their PIN.
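The flow just described, as an added illustration rather than Passmark’s own (proprietary) implementation: a constructed Python model in which the personalised image and phrase are only released to a device the customer has already registered by answering a cherished-data question, so an unrecognised device (or a phisher who knows only the username) never sees them. The class, method names and the opaque device token held in a browser cookie are assumptions.

```python
import hashlib
import hmac
import os
import secrets


def _h(value: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored PINs and cherished-data answers are never kept in clear.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


class OnlineBankAuth:
    """Constructed model of PC recognition plus a personalised image/phrase."""

    def __init__(self):
        self.users = {}

    def register(self, user, pin, password, cherished, image, phrase):
        salt = os.urandom(16)
        self.users[user] = {
            "salt": salt,
            "pin": _h(pin, salt),
            "password": _h(password, salt),
            # cherished-data questions; answers stored hashed and case-folded
            "cherished": {q: _h(a.lower(), salt) for q, a in cherished.items()},
            "image": image,
            "phrase": phrase,
            "devices": set(),  # opaque tokens, one per registered PC (browser cookie)
        }

    def register_device(self, user, question, answer):
        # A new PC is only enrolled after a correct cherished-data answer.
        u = self.users[user]
        expected = u["cherished"].get(question)
        if expected is None or not hmac.compare_digest(expected, _h(answer.lower(), u["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        u["devices"].add(token)
        return token

    def site_key(self, user, device_token):
        # Image and phrase are shown only to a recognised device, so they cannot be
        # harvested from the login page to build a convincing fake site.
        u = self.users.get(user)
        if u is None or device_token not in u["devices"]:
            return None
        return u["image"], u["phrase"]

    def verify_pin(self, user, device_token, pin):
        # PIN is accepted only from a recognised device; constant-time comparison.
        u = self.users.get(user)
        if u is None or device_token not in u["devices"]:
            return False
        return hmac.compare_digest(u["pin"], _h(pin, u["salt"]))
```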
To ensure customers were able to use the new system, Alliance & Leicester tested a prototype site. “The main amendment was when we changed over from the old site to the new site. The key was to transition customers effectively so they knew that this was now part of the everyday log-in – and that if they are not on their personalised site they shouldn’t put in their details.”
The system took six months to deploy, and with advice from the Bank of America, went smoothly. But the area of greatest risk was in the transition from the old system – a confused user base could have launched an avalanche of helpdesk calls.
A month before the new launch, the bank wrote a letter to all their active customers to inform them of the changes: “Given what we were seeing in terms of phishing, email was not really the right sort of media to tell them about changing our security!” says Muddimer. A marketing campaign, itself benefiting from the new system, also kept users informed.
Muddimer says that Lloyds TSB had become a target for fake bank sites and other attacks taking advantage of the confusion around its trial of new security measures. To avoid this, he made sure there was as small a window as possible between the announcement and the new launch, minimising fraudsters’ opportunities. “We weren’t phished at all during that [month].”
Alliance & Leicester expected a dip in online banking registration and usage as customers adjusted, but in fact it spiked. While the bank also launched new offers and services that might have prompted the growth, says Muddimer, “some of the explanation for that would have to be put down to the new security.”
Further reading in Information Age
The price of freedom – Editor's letter, June 2006
Fixing the odds – how real-time transaction analysis prevents fraud, June 2006
Log-on lifesaver – Two factor authentication at Addenbroke's Hospital, April 2006
Identity crisis – Identity management roundtable debate, November 2005
Strong authentication can be effective – opinion from Forrester Research, May 2005