Which Identity Proof Works Best?

Editor at Large

The existential question "Who am I?" has no clear answers in spite of a rush of technologies designed to prove identity.

In a debate over the right choices for multifactor authentication (biometrics, SMS code, knowledge-based authentication, etc.) at CyberSec 2016, Gary McAlum, chief security officer at USAA, said none of them are a silver bullet.

"We're never going to use just one thing to authenticate," he said. "There are going to be a lot of things, some of them passive, some that are active in the context of a particular transaction or interaction."

McAlum favors the use of biometrics such as fingerprints for authentication. USAA combines biometrics with device identity, randomly generated tokens and other elements he did not disclose. Technologies like tokenization, geographic location and behavior patterns are likely to become part of the answer, too.

Not everyone believes in biometrics. "I've never been big on biometrics except for personal physical security," said Frank Abagnale, who has advised the FBI on cybercrime for more than 40 years and is the subject of the book and movie "Catch Me If You Can."

"When you think about it, you leave your fingerprints everywhere, on glasses, bottles, pens, all the things you use," he said. "Anyone can pick up your fingerprint. Replicating your fingerprint with today's technology is a simple thing to do. You can take a print with a gummy bear, put it on an iPhone and open the iPhone. We love fingerprints for identifying a criminal who's committed a crime by cracking a safe. For access to biometric security, it's not that great a tool. And I don't know that I would trust a credit card company with my DNA, so that will always be an issue as well."

A popular refrain among biometrics naysayers is this: You can reset your password, but you can't reset your fingerprint, eyeball or face. This point was made a lot around the time of the data breach at the Office of Personnel Management, in which photo images of 5.6 million fingerprints were stolen (along with the Social Security numbers and addresses of more than 21 million former and current government employees) .

"The actual raw biometric was stolen -- that's a far worse problem," said Sunil Madhu, chief executive of Socure, an authentication startup that uses social media networks as part of its scheme. The moral is, "Never trust any one single authenticator, no matter what it is," he said.

Ori Eisen, founder of security startup Trusona (and before that, 41st Parameter), pointed out that anti-replay technology can tell if a biometric was just created or if it is a rehash of something captured a week or more ago. "Any biometric system that doesn't have anti-replay baked in it, you shouldn't even touch it," he said. "Anything else is just fooling ourselves and giving us a false sense of security."

Another authentication method, knowledge-based authentication (aka challenge questions), got mixed reviews from the group.

"Call the call center and they ask you annoying questions: What zip code did you live at 14 years ago? Who serviced your mortgage? What was the name of your first car?" Madhu said. It "has proven to be completely useless because those questions can be answered by buying data over the Internet for $4. Or trolling through Facebook profiles to figure out the answers to those questions."

Yet there's a case to be made for knowledge-based authentication. Fallible as it is, it is also lightweight and convenient.

"By itself, KBA is a very low bar and not too useful," McAlum said. "But in conjunction with other things, I think it can still be useful today."

McAlum recommended the use of questions generated on the fly by a service such as LexisNexis. Madhu endorsed using data that only consumers and their bank could know, such as how much they have in their savings account and where they made their last purchase.

Another viable option is passive biometrics. "There's a bunch of new vendors out there that do things like figure out which hand you usually hold your mobile device on, how fast you type or how hard you press your iPhone app when you press buttons," Madhu said.

The use of SMS messaging for authentication has gotten a bad rap lately because hackers or malware can redirect them or use them in social engineering attacks. "I would not do SMS messaging for the simple reason that I can call your [telephone company] and convince them to route all your SMS messages to me," Eisen said. "Ask the guy who runs the Black Lives Matter campaign; he had SMS takeovers of all his accounts including Twitter."

Tricking a telephone company is a simple matter of providing a mother's maiden name, which can be obtained easily over the internet, he said.

McAlum agreed cellphone-number fraud is a real concern. "I also know that telcos, like the one I use, are rapidly moving to a stronger authentication environment. So this is all about the weakest link in the chain." For certain applications, one-time codes sent over SMS text make sense, he said. "In some cases, it's either that or have a really strong password, and I don't like passwords."

Eisen supports the use of push notifications. "They don't cost anything to the consumer or to you and you're not dealing with a telco," he said. "You'd have to go break the iCloud account if you want to take over my push notifications and if your security architecture is right, you can always send a message to your customer to say another device was added to your account. Whereas if I take over your SMS messages, you don't even know it."

All agreed the call center is an authentication weak spot. Call center service representatives are trained to give good service but not to be cybersleuths.

"All of these authentication methods have the same vulnerability, which is, how good are you at handling exceptions? What's the recovery process?" McAlum said. "Therein lies a lot of the softness of all these options.

"Call centers in financial institutions have been hit really hard with social engineering," he said. "If cybercriminals can call the call center and say, 'I don't have my phone with me, I forgot my password,' and eventually we give them enough questions that they call back again and again until they've collected that information, or they go into the treasure trove of the underground economy, they succeed. Unless you shut down call centers, you'll always have to deal with this social engineering challenge."

Training is part of the answer, he said. "You can't train a call center rep enough," he said. "You want to make it easy for them to identify a potentially suspicious caller." Number lookups are another defense mechanism. "There's technology says that call's not coming from New York City, it looks like it's coming from Nigeria," he said. "That becomes a risk variable that should be factored into your model."

Another technique is having call center reps send out-of-band push notifications to the customer's mobile device (in other words, through another channel besides the call the rep and customer are on – through an email, for example), pointed out Madhu, whose software does this.

The best type of authentication starts with meeting the customer in person, Eisen said. "You can't do it remotely and have [National Institute of Standards and Technology]-level security," he said. His company also binds the identity (typically documented with a driver's license) to a mobile device and a hardware token. "Not every use case demands that level of security," he acknowledged. "For most use cases, you have to consider the balance of convenience and security."

McAlum agreed the enrollment process matters. "That's the front door, and you've got to put a lot of effort into that one," he said. Because of its military clientele, USAA has extra resources it can draw on at enrollment, such as looking up potential members' military records.

In the end practicality as well as security is key to authentication, McAlum said. "There's the art of the possible, and then there's the science of the practical, everyday," he said. "There are things that are coming, things that we should do -- there's no bulletproof solution out there. There are highly sophisticated criminal adversaries that are going to focus on you as a person. At some point they'll figure it out."

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.

For reprint and licensing requests for this article, click here.
Bank technology Data security
MORE FROM AMERICAN BANKER