Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/30/2018
10:30 AM
Marco Lafrentz
Marco Lafrentz
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

10 Steps for Creating Strong Customer Authentication

Between usability goals and security/regulatory pressures, setting up customer-facing security is difficult. These steps and best practices can help.

More than 2.5 billion records were compromised via data breaches last year. When measured against the Ponemon Institute's estimated average cost of $148 per breached record, that figure equates to $370 billion in business losses. Each year, the average cost of data breaches is rising, according to Ponemon, and many experts say that threat actors aiming to compromise business and personal data are growing increasingly aggressive.  

Exacerbating this issue is the emergence of stringent data privacy regulations in recent years. The European Union's General Data Protection Regulation (GDPR), which was went into effect earlier this year, is the broadest, but a wide range of countries across the globe, and numerous states in the US are launching similar laws that regulate how data is processed, stored, and protected, elevating data protection beyond IT and information security departments and into the boardroom.

Under GDPR, any organization that sells goods or services to EU citizens, or processes their data, is required to comply, including implementing "appropriate technical and organizational measures to ensure a level of security appropriate to the risk." With today's sophisticated hacking, phishing, and social engineering tactics. Even strong passwords are no longer enough to meet this requirement or prevent a breach. To deal with the varying levels of system interactions and associated risk profiles, businesses must reassess their customer-facing security requirements. This is where multifactor authentication, the use of more than one means to authenticate a user's identity, is playing a critical role.

The Challenge of Customer-Facing Security
Consumers are placing greater emphasis on brand trust in their purchasing decisions and will judge that trust largely on the extent to which the brand secures their data. At the same time, they still expect a seamless experience that allows them to make online transactions from any device, anytime, anywhere.

And while multifactor authentication has been widely adopted by many businesses, rolling it out can be complicated and difficult, particularly in maintaining ease of use and access for customers. If security becomes a barrier, people will either look for a different provider or begin looking for ways to circumvent the security system. When this happens, the authentication system becomes less secure.

The perfectly usable system isn't secure at all, but it seems the perfectly secure system isn't usable at all. How do businesses reconcile the need to implement multiple controls for security and compliance, with the demand from consumers to provide ease of use?

Steps to Strong Customer Authentication
The best approach to designing multifactor authentication is to start with user needs and work inward. The implementation team should ask questions including these:

  • In the customer journey, how are the interactions and transactions connected?
  • How could fake customer accounts crop up?
  • Where are the compliance gaps?

It's also important to examine business process and lock down existing security holes before new methods are implemented, so that customer-facing authentication controls are instituted as part of a broader security architecture. Below are 10 steps to enable a seamless implementation.  

Step 1: Goal setting. Determine what business problem the organization is trying to solve and which regulations apply. Evaluate the sector-specific compliance requirements and best practices equally against the customer impact. Goals should be set based on the adage: "Fast, cheap, or good — pick two out of three."

Step 2: Situation analysis. Outline the entire customer journey and touchpoints to identify burning issues, assess threat levels, and determine where vulnerabilities exist. Consider which elements — such as password resets, purchases, account info changes — need the most security.

Step3: Research. Look for information on best practices from experts in the field, including consultants, analysts, and solution providers. Determine what is relevant to the results of the situation analysis.

Step 4: Provider selection. With clear business needs in hand, evaluate vendors by which ones can meet those specific needs. Don't fall in love with a vendor or a solution and then attempt to reverse-engineer the project.

Step 5: Implementation planning. Determine which stakeholders across the organization need to participate in the planning, and what resources will be needed to deploy the technology. Set milestones and timelines to keep the project on track.

Step 6: Testing. Decide what conditions should be met in the testing phase. Implement test cases and A/B testing on subsets of users on particular use cases, and then analyze the results to refine the program as needed.

Step 7: User education. Existing customers should be notified ahead of time that new security controls are being added, and why. Be sure to provide an avenue for customers so submit concerns and questions. It's also important to offer customers a variety of potential multifactor authentication options and let them choose. As much as possible, let them set up their preferred method before it takes effect.

Step 8: Deployment. Once testing is complete, adjustments have been made and users have been given the opportunity to express concerns, full deployment can move forward. Have a back-up plan in case of unforeseen problems.

Step 9: Monitoring. Enable monitoring for measurable outcomes that map back to goals, and allow stakeholders to follow and check-in on how the program is progressing/running. It is critical to monitor key indicators including error rates and customer satisfaction scores.

Step 10: Maintain. Security is not a one-and-done endeavor. It is a continually iterative process that must stay apace with new threats and risks. Maintain a security program that is adaptable to changes in the consumer, regulatory and cybersecurity landscapes. 

Striking the right balance between security and usability is the only way businesses can ensure ongoing consumer trust in their brand, meet the obligations they face under new regulations, and keep customers happy. The steps above are key to successfully executing a new multifactor authentication program, but organizations must also work toward establishing proactive attitudes toward trust and privacy. A strong internal culture of security along with a holistic approach will go a long way toward avoiding breaches and harsh penalties from regulators.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

As VP of ICMS and the CPaaS Business Line at tyntec, Dr. Marco Lafrentz is responsible for tyntec's person-to-person and cloud services business. As an expert in platform technology and enterprise solutions, Lafrentz leads tyntec's CPaaS development. He is also frequently ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...