Brandishing Technology to Thwart Identity Thieves
The ease with which identity thefts were perpetrated, from stealing credit card or shoulder surfing at ATMs, on up to more elaborate schemes such as phishing and hacking into databases, has pushed the industry into overdrive in coming up with ways to combat the scourge, which sucks billions out of the economy and harms the personal lives of those affected.
The Federal Financial Institutions Examination Council, in guidance issued late last year, places most of the blame on the reliance on "single-factor" authentication, by which customers are asked to provide something they know, such as a user ID and password. The FFIEC recommends the adoption of two-factor authentication, in which customers are asked to provide both something they know and something they have, such as a USB token device or a smart card.
"Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks," according to the FFIEC.
Among the recommended authentication techniques are shared secrets, tokens, and biometrics. Shared secrets, such as a customer's mother's maiden name, can be used as a supplement for passwords. Some institutions are asking customers to select an image, such as an animal, which is displayed at sign-in to prove that the institution's web site is authentic.
Tokens can take the form of devices that plug directly into a computer's USB port, or smart cards that fit into a reader. Another variation is a password-generating token, which displays a new password each time the token is activated, making that password useless for future log on attempts.
Biometrics run a gamut of techniques, including fingerprint, face, voice, keystroke, and handwriting recognition. To deter hacking into biometrics databases, researchers at IBM have developed a system of "cancelable" biometrics, in which biometric data is transformed according to a preset algorithm. If by chance the transformed biometrics are stolen, the institution or other record keeper need only change the transformation algorithm, thereby rendering the stolen biometrics useless.
Another, decidedly lower-tech, authentication technique is a one-time password scratch card, similar to a bingo or lottery card. Each time a customer logs on, he or she is asked to scratch off a portion of the card, revealing a unique password. When all the passwords have been used, the customer is supplied with a new card.
Mutual authentication is a technique in which both the customer and the institution are required to authenticate themselves. The secret image described earlier is one type of mutual authentication; another is the use of digital certificates. In each case, the customer is assured that the institution's web site is genuine, not some spoofed site.
So-called "out of band" authentication techniques also exist, in which the customer is authenticated through a channel other than the one he or she uses to initiate the transaction. This is especially useful for large-dollar transactions such as funds transfer requests, where the institution telephones the customer asking for a predetermined word or phrase before processing the transaction. The phone calls can be generated by an automatic calling device, equipped with voice recognition technology, thereby eliminating the possibility of human error.
Still more exotic techniques are available. Some software companies are offering "IP Intelligence," which traces Internet-based requests back to their source based on the customer's known Internet protocol address, domain name, geographic location, and other properties. If the Internet protocol address of the requestor matches the customer's known address, then the session is validated.
At the end of the day, it's up to the institution to decide which authentication technique fits in best with its risk exposure, which can be determined by either internal analysis or through a third-party security firm. Many, if not most, identity thefts occur through carelessness in not guarding one's identity, such as divulging a Social Security number. While technology can go a long way toward preventing the hijacking of accounts, an identity theft prevention program must also include education for both the institution's employees and its customers. The investment in time and money is small compared to the havoc that a breach of customer identities can bring.