Security Experts Discuss Authentication Challenges in the Financial Services Sector
Robert Capps, left, of Mastercard speaks with ISMG’s Nick Holland at RSA 2020.
Improvements in behavioral biometrics and analytics are changing the way many financial services firms approach authentication. And more companies also are taking a “zero trust” approach to improve identity and access management, according to two security experts interviewed at RSA 2020.
Robert Capps, vice president of market innovation at Mastercard, says it’s essential that financial firms use new tools to verify identity for online consumers.
Capps came to Mastercard in 2017 when the company acquired NuData Security, which provides behavioral biometrics tools to help prevent financial fraud.
The use of new types of security tools to help with authentication, as well as identity and access management, comes at a time when cybercriminals are changing their methods when targeting financial organizations.
In October 2019, the FBI issued a warning that cybercriminals were using social engineering and other techniques to circumvent multifactor authentication. The agency urged enterprises to use more sophisticated techniques, such as biometrics or behavioral authentication, which includes using geolocation data or IP addresses, to help verify users' identities (see: FBI: Cybercriminals Are Bypassing Multifactor Authentication).
Capps says that when completing in-person transactions, individuals can prove their identity by showing ID cards or credit cards or having their face scanned. “We don’t have those tools today within the online realm, at least not in broad distribution to consumer use, to allow us to have that solid identity for a consumer, so we’re forced to work through probabilistic means,” Capps says.
By analyzing behavioral indicators, such as device location, how customers use and interact with the technology, and when and from where they normally transact, organizations are better able to verify a customer's identity, Capps says.
These technologies also help provide friction-free experiences for consumers, so they don't have to pull out their phones, read a text message and then type in a temporary passcode, Capps says.
Knowing user behavior is also key to creating effective and successful zero trust initiatives, says Stan Lowe, the global CISO of Zscaler.
Lowe says in an interview with ISMG that the key tenets of zero trust are allowing access to corporate networks based on what is known about the individual and their identity, the device used to access the network, the location of the device and the sensitivity level of the data being accessed.
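The two ideas above, Capps's behavioral familiarity signals (known device, usual location, usual transaction hours) and Lowe's zero trust tenets (identity, device, device location, sensitivity of the data requested), can be combined into one risk-based access decision. The following is an added illustration written for this page, not code from Mastercard, NuData or Zscaler; the signal names, weights, risk budgets and the "allow / step-up / deny" outcomes are assumptions chosen to show the shape of such a policy.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Constructed example: a risk-based access decision that scores a request by how
# unfamiliar or unverified its identity, device and location signals are, and
# tightens the allowed risk as the requested data becomes more sensitive.


@dataclass
class UserProfile:
    user_id: str
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range          # UTC hours in which this user normally transacts


@dataclass
class AccessRequest:
    user_id: str
    mfa_verified: bool
    device_id: str
    device_managed: bool        # enrolled and posture-checked by the organization
    country: str
    hour_utc: int
    data_sensitivity: int       # 0 = public, 1 = internal, 2 = confidential, 3 = restricted


@dataclass
class Decision:
    action: str                 # "allow", "step_up" or "deny"
    score: int
    reasons: List[str] = field(default_factory=list)


# Assumed weights: how much each unfamiliar or unverified signal adds to risk.
WEIGHTS = {
    "mfa_not_verified": 3,
    "unknown_device": 2,
    "unmanaged_device": 2,
    "unusual_country": 2,
    "unusual_hour": 1,
}

# Assumed risk budget per sensitivity level: a request is allowed outright while
# its score stays within budget, challenged (step-up authentication) a little
# above it, and denied beyond that.
ALLOW_BUDGET = {0: 4, 1: 3, 2: 2, 3: 1}
STEP_UP_MARGIN = 3


def risk_signals(profile: UserProfile, req: AccessRequest) -> List[str]:
    """Return the names of the risk signals that fire for this request."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_not_verified")
    if req.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if not req.device_managed:
        reasons.append("unmanaged_device")
    if req.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if req.hour_utc not in profile.usual_hours:
        reasons.append("unusual_hour")
    return reasons


def decide(profile: UserProfile, req: AccessRequest) -> Decision:
    reasons = risk_signals(profile, req)
    score = sum(WEIGHTS[r] for r in reasons)
    # Hard rule (assumed policy): restricted data is never released to a device
    # the organization cannot vouch for, whatever the rest of the score says.
    if req.data_sensitivity >= 3 and not req.device_managed:
        return Decision("deny", score, reasons + ["restricted_data_requires_managed_device"])
    budget = ALLOW_BUDGET[req.data_sensitivity]
    if score <= budget:
        action = "allow"
    elif score <= budget + STEP_UP_MARGIN:
        action = "step_up"
    else:
        action = "deny"
    return Decision(action, score, reasons)


# Constructed profile and requests used to exercise the policy.
PROFILE = UserProfile("u-1001", {"dev-A"}, {"US"}, range(13, 23))
EXAMPLE_REQUESTS = [
    AccessRequest("u-1001", True, "dev-A", True, "US", 15, 1),   # familiar everything
    AccessRequest("u-1001", True, "dev-B", True, "US", 15, 3),   # new device, restricted data
    AccessRequest("u-1001", False, "dev-B", False, "RO", 3, 2),  # nothing familiar, no MFA
    AccessRequest("u-1001", True, "dev-A", False, "US", 15, 3),  # unmanaged device, restricted data
]


def evaluate_examples() -> List[Decision]:
    return [decide(PROFILE, r) for r in EXAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, d in zip(EXAMPLE_REQUESTS, evaluate_examples()):
        print(f"{req.device_id} from {req.country} (sensitivity {req.data_sensitivity}): "
              f"{d.action} (score {d.score}, {', '.join(d.reasons) or 'no risk signals'})")
```

The point of the budget table is that the same unfamiliar device is acceptable for internal data but triggers a step-up challenge for restricted data, which is the "friction only when it matters" outcome both interviewees describe; the hard rule shows that some tenets (device trust for the most sensitive data) are better expressed as gates than as weights.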
New Attack Methods
Capps says that while many firms have deployed technologies to detect automated threats, those tools only work when the cybercriminals are not trying to hide the volume or speed of their attack traffic.
In recent months, however, Capps says there has been a rise in attackers using low-speed, nuanced attacks. The attackers are not using the same data points repeatedly, instead spreading their traffic out across a large volume of IP addresses, he adds.
“They’re actually executing things like JavaScript, and they’re allowing collection of typematic telemetry and mouse movements and other behavioral elements, so that those transactions look a lot more human,” Capps says.
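The attack pattern Capps describes, failures spread thinly across many source addresses so that no single IP exceeds a rate threshold, is exactly what a per-source rate detector misses. The following added example (written for this page; not NuData's or Mastercard's detection logic, and run over a constructed login log rather than real data) contrasts a conventional per-IP failure counter with a detector that aggregates failed logins by the targeted account across distinct source IPs in a sliding window. The window sizes and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample log (not real data). Fields: ISO timestamp, account,
# source IP, outcome. Three situations are embedded:
#   - "alice": 12 failures, one per source IP, spread over 55 minutes (low and slow)
#   - "bob":   one typo followed by a successful login (benign)
#   - "carol": 5 failures from one IP in 40 seconds (classic burst)
SAMPLE_LINES = (
    [f"2020-02-25T10:{i * 5:02d}:00Z alice 203.0.113.{i + 1} FAIL" for i in range(12)]
    + ["2020-02-25T10:03:00Z bob 198.51.100.7 FAIL",
       "2020-02-25T10:04:00Z bob 198.51.100.7 OK"]
    + [f"2020-02-25T11:00:{i * 10:02d}Z carol 192.0.2.9 FAIL" for i in range(5)]
)


def parse_log(lines: List[str]) -> List[dict]:
    """Parse log lines into events sorted by timestamp."""
    events = []
    for line in lines:
        ts, account, ip, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "ip": ip,
            "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


def per_ip_alerts(events: List[dict], window: timedelta = timedelta(minutes=10),
                  threshold: int = 5) -> Set[str]:
    """Conventional detector: flag a source IP with >= threshold failures in a window."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    alerts: Set[str] = set()
    for ev in events:
        if ev["outcome"] != "FAIL":
            continue
        ip = ev["ip"]
        # Keep only failures from this IP that fall inside the sliding window.
        recent[ip] = [t for t in recent[ip] if ev["ts"] - t <= window] + [ev["ts"]]
        if len(recent[ip]) >= threshold:
            alerts.add(ip)
    return alerts


def distributed_alerts(events: List[dict], window: timedelta = timedelta(hours=1),
                       min_failures: int = 8, min_distinct_ips: int = 6) -> Dict[str, Set[str]]:
    """Target-centric detector: flag an account receiving many failures from many
    distinct source IPs within a window, even when each IP fails only once."""
    recent: Dict[str, List[tuple]] = defaultdict(list)
    alerts: Dict[str, Set[str]] = {}
    for ev in events:
        if ev["outcome"] != "FAIL":
            continue
        acct = ev["account"]
        recent[acct] = [(t, ip) for t, ip in recent[acct] if ev["ts"] - t <= window]
        recent[acct].append((ev["ts"], ev["ip"]))
        ips = {ip for _, ip in recent[acct]}
        if len(recent[acct]) >= min_failures and len(ips) >= min_distinct_ips:
            alerts[acct] = ips
    return alerts


def run_detectors() -> dict:
    events = parse_log(SAMPLE_LINES)
    return {
        "per_ip": per_ip_alerts(events),
        "distributed": distributed_alerts(events),
    }


if __name__ == "__main__":
    result = run_detectors()
    print("per-IP burst alerts:      ", sorted(result["per_ip"]))
    print("distributed-attack alerts:", {a: len(ips) for a, ips in result["distributed"].items()})
```

Running it shows the per-IP detector catching only carol's burst, while alice, who never sees more than one failure from any address, is caught only when failures are keyed on the target rather than the source. In production the same idea is usually extended with a third key, a device or session fingerprint, because attackers who rotate IPs often reuse other data points that can be grouped on instead.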
Focusing on identity assertion is key to protecting consumers and the commerce ecosystem, Capps adds. “Organizations really have to understand who is transacting with whom and make sure that people asserting those identities are the real people or the real organizations.”