|
The Internet has created significant opportunities for organizations to move processes online, benefiting both from the delivery of new services as well as the reduction of costs versus traditional transactions. However, with this opportunity also comes inherent risk — especially in the absence of appropriate security to protect the identities of users online.
Even today, organizations are still experiencing a rapid increase in the incidence of online identity attacks. Typical attacks to perpetrate these crimes include phishing, man-in-the-middle and malware, and result in the rapid increase of online user identities being stolen at an alarming rate. As reported in February 2007, financial institutions were the targets of 92.6 percent1 of all online phishing attacks.
These attacks are a risk to organizations not only because of the financial losses but, more importantly, they undermine user confidence in online services — preventing organizations from fully realizing the savings from online transactions compared to the traditional phone-based or brick-and-mortar channels.
Taking steps to increase protection of user identities is becoming an imperative for any organization that wants to continue leveraging the Internet to extend services to customers. This whitepaper will explore these issues and offer innovative new tools for combating the threat of online identity fraud.
The Threat to Online Identity
Organizations are relying on the Internet more heavily today than ever before to reach their customers and partners. For the Internet-savvy customer, it provides a more convenient way of accessing services and performing transactions. For the organization, it can translate into a competitive advantage as well as delivering significant cost savings versus traditional phone-based and brick-and-mortar transaction methods. Further, in a multi-channel environment, online services can help increase customer retention by being an effective way of delivering new products and services.
At the core of performing online transactions is the need for mutually recognized identities. Users need to feel confident that they are transacting with the intended organization. Likewise, the organization needs to have confidence in the identity of the user. Without this mutual trust, online transactions cannot be completed without significant risk of misrepresentation and fraud.
In the past, username and password authentication has been deemed sufficient to meet the needs of many online transactions. However, the rapid increase in online identity-related fraud shows that passwords alone can no longer counter the ever-increasing sophistication of online identity attacks.
Rapid Increase in Identity Attacks
Identity-related online attacks such as account hijacking are amongst the world’s fastest-growing crimes. In one example, Gartner reported that in the 12 months leading up to August 2006, almost 15 million Americans were victimized by some type of identity-theft-related fraud. In addition, fraud losses increased to $49.3 billion in 2006.3
Compromise of a user’s online identity can allow an attacker to gain access to a victim’s online accounts, including their bank account. Once access to the victim’s bank account has been gained, criminals will typically transfer funds from the account, as well as acquire more personal information to perpetrate further crimes. This type of identity fraud is alarming since the perpetrator need not reside in the same region as the victim, nor have access to any physical documentation. From virtually anywhere in the world, thieves need only trick a user into surrendering their password and the rest becomes a simple process of executing online fraud.
Even though stronger authentication policies are becoming commonplace, reliance on simple passwords in the majority of online transactions allows identity fraud to continue to thrive. Two major forms of online identity attacks clearly demonstrate the frailty of password-only authentication schemes. Phishing and man-in-the-middle attacks rely on the use of “spoofed” e-mail messages and other techniques to direct users to fraudulent Web sites where their online credentials (i.e., passwords) are stolen. By fooling victims into divulging their usernames and passwords, attackers can gain access to the victims’ accounts. Malware attacks use different, more invasive techniques to steal the user’s identity, but the end results are the same.
Phishing attacks are accomplished by counterfeiting the trusted brands of well-known banks, online retailers and credit card companies in e-mails to potential victims. These e-mail messages prompt users to go to fraudulent Web sites where the user itricked into submitting a valid username and password into what appears to be a legitimate log-in page.
|
