Finding strong customer authentication solutions is likely the single biggest security challenge affecting day-to-day online operations.
Weak authentication practices arguably hold the highest potential for direct damage to a company or individual account holder.
Some of the most devastating hacks of financial institutions of recent years have been accomplished via flaws in customer authentication protocols needed to access accounts. This includes the infamous Equifax breach, considered to be the most devastating hack in history in terms of size, scope and the type of information compromised.
So where is the weakest link?
While the direct hacking of banks is not unheard of, the biggest threat of cyber criminals impersonating an authorized user is not the direct attack scenario. The real danger lies in exploiting the weaknesses created by the growing industry of third party providers (TPP’s) that have become increasingly commonplace in the world of online payments.
Where did this weakness originate?
This threat is essentially the result of the decentralization of the action steps required to complete a digital transaction.
How exactly did this come to be?
Once upon a time the whole online payment process, from customer command, to customer authentication, to disbursement was held in the hands of one party–ie the bank. Today, with the explosion of online services that act as middlemen to transfer funds, the points of potential weakness that hackers can target has increased exponentially.
What makes TPP use for account access to concerning is the broad authorization left open by the bank including examining bank databases for information on balances, credit, and other financial obligations. In some cases, such as in the laws that govern TPP use in the European Union, banks are mandated to grant access to this information.
Tying up the loose ends
Banks on their part have obviously been very zealous in which TPP’s they allow access to accounts. Typically these institutions require that apps accessing their systems are equipped with additional layers of security such as two-factor authentication for their users. The issue, however, is not the questioning of the competence of banks or their good intentions of keeping unauthorized parties out. The very fact that the third party-option exists creates a new security vulnerability that simply did not exist previously. By banks relinquishing their authority as sole executors of account actions, they open the door for hackers to attempt to impersonate these service providers. This presents a whole new sphere for authenticator technologies to address.
Several options exist for securing the connection between banks and TPP’s. Some have suggested that Secure Socket Layer (SSL) certificates can be the answer. These certificates are the digital tools that establish an encrypted link between a server and a client, often indicated by the small green “Secure” icon before a URL.
Since these certificates are already used for direct client interaction with a bank, why not use them to secure third-party communication as well?
Here’s the problem though:
Certificates have their vulnerabilities. Cases of hacks accomplished through forged certificates has been growing over the past six years, demonstrating the ease in which SSL meddling can be used to gain unauthorized access. In one highly circulated case from 2015, in-flight service provider Gogo issued fake certificates to its own customers essentially exposing all of the internet traffic of their users.
Introducing a new paradigm
The ideal solution to securing customer authentication is a method that spans the entire chain of parties in a transaction. In such an environment, the use of traditional keys is practically impossible. Keyless authentication, such as we use here at Secret Double Octopus, allows strong authentication with both flexibility and seamless user experience. It even enables the removal of passwords if needed. The fact that a user isn’t required to remember a password, makes the authentication process easy and smooth.
By integrating an authentication scheme that is spread across the entire process, users will be able to take advantage of the convenience that TPP’s provide, while not compromising on their own account security.
The Case for Securing Remote Access Protocols Through 2FA