Tim Burton, Global Head of Solution Engineering, Callsign, explains how Callsign has carefully rethought the authentication process for the digital world with its IDA approach.
With the pandemic further fueling the pace of digital transformation, can you list the signs of cyber-attacks that organizations should be aware of?
The year 2020 has been coined the year of the pandemic, and we’re not only referring to COVID-19 but also to the disruptive cyber pandemic that accompanied it. Cybercriminals have exploited the global situation by launching an unprecedented assault on companies and individuals alike.
There are numerous kinds of cyberattacks, and with a more distributed workforce, organizations have become more vulnerable to threats that target the multiple endpoints that now exist.
When it comes to fraud, there are two types to consider, first-party fraud and third-party fraud, which occur in organizations protecting access to something, such as data or credit. Organizations include Government, software companies or academia in terms of protecting access to citizens’ data, IP or research.
First-party fraud is usually classed as internal fraud; it involves a bad actor essentially representing themselves AS themselves. For example, a fraudster might apply for a loan they do not intend to pay back.
Third-party fraud is usually when the fraudster misrepresents who they are. Common attacks take the form of phishing emails and social engineering to steal people’s credentials, and then credential stuffing and application fraud to use that information for financial gain. Fraudsters are increasingly adept at obtaining personal information from sources such as data breaches or identity theft. Bad actors often set up their own contact centers, expressly for the purpose of mining data. Research and advisory firm Aite Group found that 61% of all fraud cases can be traced back to a contact center. These attacks are common on banks and financial institutions.
Can you elaborate on AI-based Intelligence-Driven Authentication (IDA) and how it helps in threat detection?
Callsign’s Intelligence-Driven Authentication approach prevents fraud by combining AI and machine learning to positively identify genuine users whilst simultaneously detecting bad actors and threats.
Callsign’s Intelligence Engine collects thousands of data points, including behavioural, device and location data, then combines those identity traits with threat analysis information such as malware or whether bots are present. The data is analyzed using machine learning techniques to deliver a confidence score that the user is who they say they are (identity proofing). The Intelligence Engine learns from the first interaction and gets richer information with every subsequent interaction to build a unique profile for every user.
Our orchestration layer allows organizations to build dynamic policies based on the confidence score from the Intelligence Engine. It provides one central location to manage all policy decisions, journey mapping for users and orchestration. Organizations can make real-time authentication decisions and adjustments to the type of hardware, connectivity or personal preferences of the user. This also means the system can recognize bad actors and block transactions at the point of request, which prevents costly callbacks and further identity checks.
Finally, Callsign’s Authentication Suite allows customers to define acceptable authentication methods and respects the end-user’s consent when using certain authenticators. In other words, it strikes the perfect balance between security, user experience and consent. Callsign’s Authentication Suite uses multiple types of authenticators (both passive and active) to allow users to authenticate themselves to an organization by the method they choose.
The Callsign Authenticators can achieve all three levels of authentication.
Those levels are:
• Knowledge, or something a user knows, such as a PIN, password or SMS one-time password.
• Inherence, or something about a person, like biometric and behavioural evidence. This includes keystroke dynamics, swipe, fingerprint or a privacy-preserving face authentication.
• Possession, or something you have, like a known device or hard token.
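The passages above describe a confidence score built from behavioural, device and location traits and threat signals, an orchestration policy driven by that score, and the three authentication levels. The following is an added illustration of that pattern, not Callsign’s code: the weights, thresholds, field names, the toy keystroke-similarity metric and the sample interactions are all assumptions constructed for the example. It shows how a policy can allow on strong passive evidence, step up with a consented authenticator from a level not yet used in the session, and block at the point of request when a threat signal is present.

```python
"""Risk-based authentication sketch: a confidence score from learned identity
traits plus threat signals, and a policy that allows, steps up or blocks.
Added, hypothetical illustration; weights, thresholds and field names are
assumptions, not Callsign's implementation."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Set

# The three authentication levels named in the interview, keyed by authenticator.
LEVELS: Dict[str, str] = {
    "password": "knowledge", "pin": "knowledge", "sms_otp": "knowledge",
    "keystroke": "inherence", "fingerprint": "inherence", "face": "inherence",
    "known_device": "possession", "hard_token": "possession",
}


@dataclass
class UserProfile:
    """Identity traits learned from prior interactions (assumed structure)."""
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    keystroke_intervals_ms: List[float] = field(default_factory=list)
    consented_authenticators: Set[str] = field(default_factory=set)

    def learn(self, device_id: str, country: str, intervals_ms: List[float]) -> None:
        """Enrich the profile after a successful, trusted interaction."""
        self.known_devices.add(device_id)
        self.known_countries.add(country)
        self.keystroke_intervals_ms.extend(intervals_ms)


@dataclass
class Request:
    """Signals collected for one access attempt (assumed fields)."""
    device_id: str
    country: str
    keystroke_intervals_ms: List[float]
    bot_signature: bool = False
    malware_detected: bool = False
    authenticators_used: Set[str] = field(default_factory=set)


def keystroke_similarity(learned: List[float], observed: List[float]) -> float:
    """1.0 when the observed typing rhythm matches the learned mean interval,
    falling linearly to 0.0 as the relative deviation grows (toy metric)."""
    if not learned or not observed:
        return 0.0  # first interaction: no behavioural evidence yet
    baseline = mean(learned)
    deviation = abs(mean(observed) - baseline) / baseline
    return max(0.0, 1.0 - deviation)


def confidence_score(profile: UserProfile, req: Request) -> float:
    """Combine device, location and behavioural evidence into a 0..1 score.
    Threat signals override identity evidence entirely. Weights are assumed."""
    if req.malware_detected or req.bot_signature:
        return 0.0
    score = 0.3 if req.device_id in profile.known_devices else 0.0
    score += 0.2 if req.country in profile.known_countries else 0.0
    score += 0.5 * keystroke_similarity(profile.keystroke_intervals_ms,
                                        req.keystroke_intervals_ms)
    return round(score, 3)


def decide(profile: UserProfile, req: Request,
           allow_at: float = 0.8, step_up_at: float = 0.5) -> dict:
    """Orchestration policy: allow on strong passive evidence, step up with a
    consented authenticator from a level not yet used, otherwise block."""
    score = confidence_score(profile, req)
    if req.malware_detected or req.bot_signature:
        return {"action": "block", "score": score, "reason": "threat signal present"}
    if score >= allow_at:
        return {"action": "allow", "score": score, "reason": "passive evidence sufficient"}
    if score >= step_up_at:
        used_levels = {LEVELS[a] for a in req.authenticators_used}
        for auth in sorted(profile.consented_authenticators):
            if LEVELS[auth] not in used_levels:
                return {"action": "step_up", "score": score, "challenge": auth,
                        "reason": f"add {LEVELS[auth]} factor"}
        return {"action": "block", "score": score,
                "reason": "no consented authenticator at an unused level"}
    return {"action": "block", "score": score, "reason": "insufficient confidence"}


def demo() -> List[dict]:
    """Constructed sample interactions for one user (not real data)."""
    profile = UserProfile(consented_authenticators={"fingerprint", "sms_otp"})
    profile.learn("dev-A", "AE", [120, 130, 125, 135, 140])  # mean 130 ms
    return [
        # same device, same country, same rhythm -> allow
        decide(profile, Request("dev-A", "AE", [128, 132, 131, 129])),
        # known device, new country, slower typing, password already used
        # -> step up with an inherence factor (fingerprint), not another knowledge one
        decide(profile, Request("dev-A", "GB", [150, 160, 155],
                                authenticators_used={"password"})),
        # bot signature -> blocked at the point of request
        decide(profile, Request("dev-Z", "ZZ", [130, 130], bot_signature=True)),
        # unknown device and country, rhythm far off -> insufficient confidence
        decide(profile, Request("dev-Z", "ZZ", [300, 310])),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The step-up branch deliberately skips any consented authenticator whose level was already exercised in the session (an SMS OTP after a password adds a second knowledge factor, not a second level), which is the practical meaning of the three levels listed above.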
Why are Government organizations predominantly targeted by the cybercriminals?
Firstly, the cybersecurity industry is seeing broad attacks across government, but also on banks and merchants, with cybercriminals trying to find the weakest links to take advantage of. In the GCC region, Government digital channels are well protected, so where attacks take place, they tend to be in the form of SMS-related authentication compromise, social engineering and attacks on merchants who may be less well invested in protecting their channels.
The reason Government agencies are targeted by cybercriminals is because they hold valuable information about citizens and government policies. The volumes of data make it more attractive; bad actors only need to be successful once for potentially large gains. It is also true to say that the banks in the region are more regulated in terms of how they authenticate their users, so cybercriminals may target Governments because they represent an easier path back to banking credentials, especially if the Government site takes payments for citizen services.
Locally, the UAE’s federal entities witnessed an 11% jump in cyber-attack attempts in March last year, highlighting the need for stronger protection against the evolving criminal acts.
How well are these organizations equipped to handle such sophisticated cyberattacks?
Many organizations are over-reliant on mobiles to authenticate users. Authentication is fully reliant on hardware, using TouchID or FaceID, for example. These are relatively easy to compromise, and the false positives vary greatly across devices, models and manufacturers. Using these mechanisms as single sign-on to a Government site could compromise the entire linked ecosystem.
In addition, there is no evidence to bind the device to the user; therefore you are only as good as the weakest link, and using only hardware and some form of password means it’s easy to get in and then get access to everything. Moving to software-based authentication, such as three-factor authentication, is more secure.
If Government organizations use a layered approach to authentication, one that can combine device, location, credentials, and biometric behavioural data to deliver accurate real-time identification, they will have the ultimate protection.
What solutions can Callsign offer to protect the Government entities from such intrusions?
What is important for Government, regulators, and organizations around the world to address is not just bad actors and fraudulent players. Fraud in whatever form is a symptom of a much larger issue, which is that ‘Digital Identity’ is broken. By Digital Identity we mean the traits an individual leaves behind in their online interactions: how they type, what device they use, the times and locations at which they access the digital world. Current identification and authentication methods are inadequate because they have been taken from the physical world and put online.
At Callsign we have re-thought the authentication process for the digital world with our IDA approach.
We believe our unique approach to Digital Identity, using software to identify inherent behavioural biometrics and then layering these over authenticators, should be embraced to prevent bad actors of every type from being successful.