Protecting user identity

Abrar Siddiqui, Vice President of Engineering at Callsign, helps answer five questions about protecting user identity.

Users have become increasingly frustrated with passwords, they are difficult to remember and we find that we often have to reset them just to transact with organisations. So much so, that 73% of consumers are wondering why they continue to interact with a business when authenticating online is so difficult.

A lot of this frustration stems from traditional authentication methods where a pin code is sent to the user via SMS to complete the sign-in process. SMS channels were not designed for authentication purposes and are easily compromised. Analog methods such as passwords were not designed for the digital world, and simply digitizing an authentication method creates an inherently flawed authenticator. SMS codes also create unnecessary friction and along with a password doesn’t prove that the person is the authorised individual they claim to be. Fraudsters using stolen credentials looks like the genuine user.

Fraudsters are familiar with all these flaws, and without the proper controls in place, they may be just a click away from stealing from an unwitting individual. The UAE has long been attractive for hackers due to the country’s perceived wealth. Around 83% of the UAE companies are seeing an increase in cybercrime attacks through phishing, email spam, malware, etc.

However, companies can take steps to protect their business and their customers from fraudsters. To do so, they need to ask themselves and answer a series of five questions when looking at the authentication process to make sure that they know who they are interacting with beyond doubt.

Is the session secure?
This is the first question security leaders should ask themselves, even before looking into a user’s identity. There are instances where scammers use man-in-the-middle attacks to gather information from unsuspecting users through an unsecured website.

By tracking unusual traffic, businesses can detect compromised sessions and secure a user’s digital identity before it’s too late.

Are you engaging with a real human?
Once a session is secure, companies must ask “am I engaging with a real human?” to ensure the user is not a bot.

When someone hears “bot” it’s rarely associated with something good. In the past, bots have made headlines by altering consumers’ perception of the media and even competing with humans. Currently, bot use accounts for 64% of Internet traffic, 39% of which is made up of malicious bots that read information and perform malicious activities.

These bad bots may be engineered to conduct a reverse brute force attack that utilizes stolen information from a data breach, and forces millions of login and password combinations into the system until a match is found. Instead of relying on a CAPTCHA to confirm whether users are human, companies can use behavioural biometrics to passively determine if someone’s physical interactions with a device align with human characteristics.

Unlike a bot entering information repeatedly during a brute force attack, human behaviour is very hard to replicate.

Is the user genuine?
Apart from detecting bots, companies must also confirm whether the human user who is attempting to enter a website is genuine and not an imposter.
Like finding out if a user is a bot or not, companies can use behavioural biometrics and location information to see if a user’s activity is legitimate by comparing to past interactions with a company’s platform.

These next two questions are where things get more difficult, yet essential to stopping fraudsters using more advanced tactics.

Is the user a victim of a scam?
Once a user accessing an account is determined to be legitimate, their access should be looked at with scepticism as it’s possible they fell victim to a scam. This can sometimes be a fraudster phoning the user claiming to be a bank representative telling them of a cyberattack and pushing a sense of urgency to transfer money to a new account controlled by the scammer.

To detect these types of attacks, companies will need to use advanced intelligence and dynamic interventions. Applying these together can, for example, help when a user is transferring a large amount of money to a suspicious account.

How can we manage risk and user experience?
Companies should reflect on the first four questions and ask how they can best strike the balance between exceptional customer experience and security while considering the benefits that behavioural biometrics can provide in bridging this divide. Authentication platforms that allow companies to do both by combining solutions into one platform are one group of viable options.
What we have learned from traditional fraud and authentication measures is that users won’t tolerate the disruption of their user experience, so organizations need to deploy the most robust security measures. These five questions allow organizations to assess their cybersecurity stance and determine the best way to leverage behavioral biometrics to seamlessly reduce fraud.