This week I am attending and presenting at a couple of industry events: the Fraud Conference and the FICO-sponsored Fraud Women's Network. Both events focus on the pervasive fraud threats posed online and on the measures being adopted to improve cyber safety and security.
The events, and the challenge of authenticating people online, have brought to mind one of my favorite conundrums: "The more you take, the more you leave behind." The traditional answer (spoiler alert!) is footsteps, but it applies equally to one's online footprint. The larger your presence and engagement online, the greater the potential for data or credential compromise.
Past wisdom held that adequate authentication rests on something you know (such as a password or personal data) and something you have (such as a device, card or token), with a drive toward dynamic, variable challenges rather than reliance on static, time-agnostic data that can be captured once and replayed indefinitely.
But that wisdom is being challenged as personal data online becomes ever richer, especially through social media profiles, and as more of it becomes available through insecure customer processes, compromised devices, and unintended or manipulated disclosure. "Something you know" is only a defense while the knowledge stays private.
Current wisdom calls for out-of-band authentication (a challenge delivered over a different, concurrent channel), geo-location and proximity correlation, and even behavioral biometrics (such as the way a user navigates a screen). And the nirvana is, of course, something you are: biometrics. One caveat worth keeping in mind is that a biometric is an identifier rather than a secret, and it cannot be reissued if the stored template is compromised, so it belongs alongside the other signals rather than in place of them.
Whatever level of authentication is adopted, it should be only one element of a layered defense. To criminals, compromised credentials are interesting only as a means to an end: their intent is to use them to plunder funds. So the best way to defend assets (data, goods, services, finances) is to run checks across every interaction on a holistic basis, not just at the moment of login.
Over the last couple of days, industry leaders have focused on keeping an acceptable balance between risk exposure and customer experience. That means holistic checking must be seamless, intervening only where the level of risk is high or where contact with the customer is genuinely warranted. This is the essence of a sound enterprise fraud management approach.
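To make the "seamless unless the risk is high" idea concrete, here is a small risk-based decision engine in Python. It is an added example written for this post, not code from FICO, the conferences, or any product they discussed. It scores each interaction on device recognition, geo-velocity between sessions (impossible travel), transaction value and a crude behavioral signal (keystroke cadence), then chooses between allowing the interaction silently, stepping up to an out-of-band challenge, or denying it. The thresholds, the `Event` fields and the sample events are all assumptions constructed for illustration; a real deployment would tune them against its own fraud and false-positive rates.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

# Hypothetical thresholds chosen for illustration only.
IMPOSSIBLE_TRAVEL_KMH = 900.0   # faster than a commercial flight between sessions
FAR_TRAVEL_KM = 500.0           # far from the last accepted location, but feasible
HIGH_VALUE = 1000.0             # payment value that adds risk on its own
TYPING_DEVIATION = 0.5          # 50% change in keystroke cadence vs. the user's baseline
STEP_UP_SCORE = 30              # at or above: send an out-of-band challenge
DENY_SCORE = 70                 # at or above: block the interaction


@dataclass
class Event:
    """One customer interaction: who, when, where, on what device, doing what."""
    user: str
    ts: int            # unix seconds
    lat: float
    lon: float
    device_id: str
    amount: float      # value of the payment attempted in this interaction
    typing_ms: float   # mean inter-keystroke interval (behavioural signal)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_event(prev: Optional[Event], cur: Event, known_devices: Set[str],
                typing_baseline_ms: float) -> Tuple[int, List[str]]:
    """Combine device, geo-velocity, value and behavioural signals into one risk score."""
    score, reasons = 0, []
    if cur.device_id not in known_devices:
        score += 30
        reasons.append("unrecognised device")
    if prev is not None:
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = max(cur.ts - prev.ts, 1) / 3600.0   # guard against zero elapsed time
        if dist / hours > IMPOSSIBLE_TRAVEL_KMH:
            score += 50
            reasons.append(f"impossible travel: {dist:.0f} km in {hours:.2f} h")
        elif dist > FAR_TRAVEL_KM:
            score += 15
            reasons.append(f"far from last accepted location ({dist:.0f} km)")
    if cur.amount > HIGH_VALUE:
        score += 20
        reasons.append("high-value transaction")
    if abs(cur.typing_ms - typing_baseline_ms) / typing_baseline_ms > TYPING_DEVIATION:
        score += 15
        reasons.append("typing cadence deviates from baseline")
    return score, reasons


def decide(score: int) -> str:
    """Seamless when risk is low, out-of-band challenge when moderate, block when high."""
    if score >= DENY_SCORE:
        return "deny"
    if score >= STEP_UP_SCORE:
        return "step_up"   # e.g. push a challenge to the customer's registered phone
    return "allow"


def evaluate_session(events: List[Event], known_devices: Set[str],
                     typing_baseline_ms: float) -> List[Tuple[int, str, int, List[str]]]:
    """Score events in order. Only accepted events become the 'last known good'
    reference, so a denied attempt cannot poison the location history."""
    results, prev = [], None
    for ev in events:
        score, reasons = score_event(prev, ev, known_devices, typing_baseline_ms)
        decision = decide(score)
        results.append((ev.ts, decision, score, reasons))
        if decision != "deny":
            prev = ev
    return results


# Constructed sample data (not real customer data): a known laptop in London, a large
# payment apparently from New York one hour later, then a new phone in Manchester.
KNOWN_DEVICES = {"dev-laptop"}
TYPING_BASELINE_MS = 120.0
SAMPLE_EVENTS = [
    Event("alice", 0,         51.5074, -0.1278,  "dev-laptop", 40.0,   125.0),
    Event("alice", 3600,      40.7128, -74.0060, "dev-laptop", 2500.0, 125.0),
    Event("alice", 26 * 3600, 53.4808, -2.2426,  "dev-phone",  300.0,  200.0),
]

if __name__ == "__main__":
    for ts, decision, score, reasons in evaluate_session(SAMPLE_EVENTS, KNOWN_DEVICES,
                                                         TYPING_BASELINE_MS):
        print(f"t={ts:>6}s  {decision:<8} score={score:<3} {'; '.join(reasons)}")
```

Run as a script, the first event is allowed without any friction, the New York payment is denied on impossible travel plus high value, and the Manchester event on an unfamiliar phone gets a step-up challenge rather than a block. Note that because the denied event never becomes the reference location, the Manchester login is compared against London (a feasible trip) instead of against New York, which is the kind of detail that separates a usable engine from one that locks out legitimate customers after every blocked attack.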
Cyber risks may indeed be pervasive, but the more the payments industry adopts a concerted, holistic, layered defense, the more likely it is that compromises will be contained and potential losses mitigated.