"Banks Heap Suits on Target Over Breach" read a recent headline of a Wall Street Journal story. By that time, seven financial institutions had already filed class action suits against the retailing giant, alleging it did not sufficiently protect its customer data. They have a case, as a review of how the breach occurred shows that hackers accessed customer information despite the fact that the credit card security codes and debit PINs were encrypted.
Numerous other retailers have also suffered cyberattacks, but at 40 million accounts the magnitude of the Target bombshell heralds a call-to-arms for all retailers and any other businesses that allow consumers access to their accounts via the Internet. This includes diverse industries such as healthcare; education; hospitality; government; travel; and the very institutions behind the recent lawsuits, banking and financial.
Risk Based Security and the Open Security Foundation reported a record 2,644 breaches in 2012, of which 70% were due to external hacking. A total of 267 million records were exposed and, according to Javelin Research, the dollar amount stolen was $21 billion, a three-year high.
Conducting business as usual will no longer suffice. To reassure and retain now-skittish consumers, any entity that engages in e-commerce must employ greater lock-down methods. ID authentication now requires protection that goes beyond ordinary PINs and passwords.
Some early-adopting businesses and institutions have already pegged biometric-signature authentication as a more secure approach to providing greater accuracy in customer verification. Given the advantages that the latest systems require absolutely no additional hardware; entail no extra expense by users; reside in the cloud outside a company business system; and allow for the monitoring of fraudulent activity, this subset of biometric verification is emerging as a strong new strategy of defense.
"We have utilized signature biometrics for nearly three years with over 10,000 student users, and it has exceeded our expectations," says Dr. Mark Sarver, CEO of eduKan, a consortium of community colleges offering online courses and degrees. He says, "We utilize BioSig-ID which provides an identity-proofing means that is transparent to our students while respecting their privacy, is available anytime, and stays cost-effective for the institution."
Biosignature identification is accomplished by having the user handwrite letters or numbers within a confined space by moving his or her finger, mouse, or stylus. Unique writing attributes such as length, angle, speed, height, and number of strokes are assessed and stored in an encrypted database. Software algorithms compare this data against the patterns collected at subsequent user logins, confirming whether or not they match.
Users log onto the website, handwrite four unique alphanumeric characters or symbols within the defined spaces, and, when confirmed, access their account. Industry-accepted application program interface standards such as SAML 2.0 and SSO-IO communicate with the business systems of the retail, financial, healthcare, or other institution employing this means of ID verification.
"We outsource everything we can except teaching and learning as a means of fulfilling our mission to be accessible and affordable," says Sarver of eduKan. "Since BioSig-ID is hosted by the vendor we can keep our overhead as well as our tuition low."
Many retailers and e-tailers have not implemented higher security measures because they don't want their clients to spend additional time going through extra security. Extra time, they believe, may mean loss of clients and sales. Just the opposite may be true. Consider that in 2010 Consumer Reports said there were 50M people paying $120-$300 yearly for identity theft protection. These are the same people who are concerned about using higher security to preserve their personal assets. It is likely they would pay a little per month for better security and tolerate spending more time if it meant less financial risk to them. Part of winning their willingness to accept newer security, and even pay for it, may be to provide them options that have a positive user experience.
"Banks and financial services companies are increasingly vulnerable to identity fraud especially when users are accessing accounts online," states Tuck Ackerman, former FDIC Senior Examiner and FFIEC Program Manager who now serves as a consultant to financial institutions.
In 2001, the FFIEC issued financial institutions strong warnings on the need for better authentication techniques for online banking, with an emphasis on the need for a third component to better identify the person as the true authorized user. In 2005 they issued guidance requiring this additional authentication by the end of 2006, and in 2011 a third and stronger warning as supplemental guidance was issued.
"Yet the industry has been slow to adapt, primarily because of the expense for additional hardware to better identify the person, and more importantly, the perceived inconvenience and lack of consumer desire," says Ackerman.
The use of biosignatures is a significant leap forward not only in security, but in the ease of use and customer acceptance category. Since users do not require any additional hardware or software, they can continue to access their accounts using basically the same process they have been accustomed to for over a decade, and that should translate into a high rate of user acceptance and satisfaction. "This is an especially exciting breakthrough for the community banks and credit unions," Ackerman adds.
Biosignatures provide a solution that is easy to deploy and far less expensive, and that matches the more complicated security features offered by the larger banks while enhancing their customer service with additional security and no inconveniences.
Going one step further, the latest biometric authorization systems utilize audit trails to uncover suspicious activity by pinpointing the time, date, physical location and even the IP address of an unauthorized user who tries to access an account.
The ability to provide evidence of all the events surrounding the authentication activity not only provides a powerful tool to combat fraud, but also ensures compliance with evolving regulations that are poised to mandate stricter standards of identity authorization.
As reported in a recent Los Angeles Times story, the White House has released voluntary guidelines for companies to fend off cyberattacks. More ominously, Phil Lieberman, CEO of Lieberman Software and a cybersecurity industry veteran, was quoted in the same story as saying, "Generally fines and other penalties are about the only thing that gets companies to fix their security." Businesses, take note.
To conduct a test drive of biosignature technology, visit www.BioSig-ID.com. For more information, contact Biometric Signature ID at 708 Valley Ridge Cr., Suite 8; Lewisville, TX 75057; (877)700-1611 ext 1.