Saturday 5 June 2010

Risk-based Authentication – A Strategy for Real-Time Fraud Detection

Identity fraud is the major security concern for most organizations doing business on the Internet today. It raises the cost of doing business, increases customer anxiety and thereby invites government regulation. The best way to prevent identity fraud is to adopt a layered approach to security. Fraud detection is a critical security layer, and it includes risk-based authentication as one mechanism for detecting fraud.


Risk-based authentication is a technique that uses both contextual and historical user information, along with the data supplied during an Internet transaction, to assess the probability that a user interaction is authentic. Let us see what contextual and historical user information mean. The contextual information typically includes the traditional username and password together with who the user is, where they are logging in from (IP address, location information such as the city the user is actually in at the time of the communication) and what kind of device they are using. Historical user data includes specific attributes recorded from previous sessions as well as the user's behaviour and transaction patterns. This information represents an additional authentication factor that supplements the username and password, making this an enticing multifactor authentication technique.

The risk-based authentication model is built on a rule engine that takes into account multiple combinations of parameters such as IP address, location and so on, as described above. This data can be used to build a pattern against which future authorization attempts are compared. The rule engine checks each transaction to see whether it matches any pre-determined pattern of fraudulent transactions. Since online fraud patterns evolve rapidly, the rule engine must deploy automatic pattern recognition and self-learning capabilities in order to find new patterns quickly and prevent fraud. A machine-learning anomaly-detection system can also be used to address the shortcomings of rule-based systems.

In risk-based authentication, much of the contextual data is susceptible to fraud. Although it is difficult to replicate the contextual data, a fraudster could try to spoof it with the intention of fooling the authentication system; in that case the fraudster would have to know all the specific attributes that the authentication algorithms check and then painstakingly replicate them. Fortunately, the difficulty of exploiting this, along with the availability of historical data that cannot be spoofed, makes risk-based authentication more effective.

Risk-based authentication enables Internet businesses to assess security risk and use an out-of-band challenge-response mechanism as a second authentication factor only when necessary. Risk-based authentication works behind the scenes and has a minimal impact on users. It can occur at initial login and may also be performed at subsequent interactions during secure sessions as well as during high-risk transactions.

Risk-based authentication allows the right level of security to be selected for each activity, instead of applying comprehensive security to the entire user base. This type of authentication gives businesses the flexibility to provide additional authentication as and when necessary. Its main benefit is that no additional hardware or software is required, which makes it non-intrusive and seamless for the end user. In addition, risk-based authentication is far less expensive to deploy and administer. It is also one of the few solutions that successfully identify man-in-the-middle attacks.
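To make the rule engine, the step-up challenge and the per-activity risk tolerance described above concrete, here is a small added illustration in Python. It is not code from the original post: the rules, weights, thresholds, the per-activity policy table and the sample user profile are all assumptions chosen for the example, and the IP addresses come from the reserved documentation ranges. A contextual login attempt is scored against the user's historical profile, and the score is mapped to allow, challenge (out-of-band second factor) or deny, with a stricter policy for a money transfer than for viewing a balance.

```python
"""Toy risk-based authentication rule engine (added illustration, not the
post's own code). Every rule, weight, threshold and profile value below is
an assumption chosen for the example; a real deployment would derive them
from its own historical data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class LoginAttempt:
    """Contextual data supplied with one login or transaction."""
    username: str
    ip: str
    country: str      # geolocation of the IP, resolved upstream (assumed)
    device_id: str    # device fingerprint or persistent cookie (assumed)
    hour: int         # local hour of day, 0-23
    activity: str     # "view_balance" or "transfer"


@dataclass
class UserProfile:
    """Historical data the engine compares against (constructed sample)."""
    known_networks: list   # CIDR networks the user has logged in from before
    known_countries: set
    known_devices: set
    usual_hours: range
    failed_logins_last_hour: int = 0


# Per-activity risk tolerance: the score at which the business steps up to
# an out-of-band challenge, and the score at which it refuses (assumed).
POLICY = {
    "view_balance": {"challenge": 40, "deny": 80},
    "transfer":     {"challenge": 20, "deny": 60},
}


def score_attempt(attempt, profile):
    """Return (score, reasons). Each rule adds its weight when it fires."""
    score, reasons = 0, []
    addr = ip_address(attempt.ip)
    if not any(addr in ip_network(net) for net in profile.known_networks):
        score += 25; reasons.append("new_network")
    if attempt.country not in profile.known_countries:
        score += 30; reasons.append("new_country")
    if attempt.device_id not in profile.known_devices:
        score += 20; reasons.append("new_device")
    if attempt.hour not in profile.usual_hours:
        score += 10; reasons.append("unusual_hour")
    if profile.failed_logins_last_hour >= 3:
        score += 25; reasons.append("recent_failures")
    return min(score, 100), reasons


def decide(attempt, profile):
    """Map the score to allow / challenge (second factor) / deny for the
    activity's own thresholds. Returns (action, score, reasons)."""
    score, reasons = score_attempt(attempt, profile)
    thresholds = POLICY[attempt.activity]
    if score >= thresholds["deny"]:
        action = "deny"
    elif score >= thresholds["challenge"]:
        action = "challenge"
    else:
        action = "allow"
    return action, score, reasons


# Constructed historical profile for one user.
ALICE = UserProfile(
    known_networks=["203.0.113.0/24"],   # TEST-NET-3 documentation range
    known_countries={"DE"},
    known_devices={"dev-a1"},
    usual_hours=range(7, 22),
)

if __name__ == "__main__":
    # Constructed sample attempts: the usual context, a new network only,
    # and a context where almost everything differs from the history.
    usual = LoginAttempt("alice", "203.0.113.10", "DE", "dev-a1", 9, "transfer")
    new_net = LoginAttempt("alice", "198.51.100.7", "DE", "dev-a1", 9, "transfer")
    odd = LoginAttempt("alice", "198.51.100.7", "BR", "dev-zz", 3, "transfer")
    for attempt in (usual, new_net, odd):
        print(attempt.activity, decide(attempt, ALICE))
```

Note that the same new-network attempt is merely allowed for `view_balance` (25 is below that activity's challenge threshold of 40) but triggers a challenge for `transfer`, which is exactly the per-activity tolerance the post describes; the session-level history (known devices and networks) is what the attacker cannot easily reproduce from the contextual data alone.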

Risk-based authentication, like any other authentication solution, is not foolproof. There are a few challenges, such as false positives and the accuracy of risk prediction, that risk-based authentication must address in order to be more effective. False positives are the major one: every technology produces some, but they can be minimized by applying best practices and fine-tuning the authentication process.
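One concrete form of the fine-tuning mentioned above is choosing the challenge threshold from labelled history: past sessions scored by the engine and later marked as fraudulent or legitimate (for example from chargebacks or customer reports). The following added example, which is not from the original post, uses a constructed list of (score, was_fraud) pairs and picks the lowest threshold whose false positive rate stays within a business-chosen budget, so that the detection rate is as high as the budget allows.

```python
"""Choosing the step-up threshold from labelled history (added example,
not from the post). The score/label pairs are constructed sample data."""

# (risk_score, was_fraud) for past sessions, labelled after the fact
# (constructed sample; real data would come from the fraud case system).
HISTORY = [
    (5, False), (10, False), (12, False), (25, False), (30, False),
    (35, False), (45, False), (55, True), (60, True), (70, False),
    (75, True), (85, True), (90, True), (95, True),
]


def rates_at(threshold, history):
    """False positive rate (legitimate sessions that would be challenged)
    and detection rate (fraudulent sessions that would be challenged)
    if every session scoring >= threshold were stepped up."""
    legit = [s for s, fraud in history if not fraud]
    fraud = [s for s, fraud in history if fraud]
    fpr = sum(s >= threshold for s in legit) / len(legit)
    tpr = sum(s >= threshold for s in fraud) / len(fraud)
    return fpr, tpr


def pick_threshold(history, max_fpr, candidates=range(0, 101, 5)):
    """Return (threshold, fpr, tpr) with the highest detection rate whose
    false positive rate is within max_fpr, or None if no candidate fits.
    Candidates are scanned in ascending order, so ties keep the lowest
    threshold that still meets the budget."""
    best = None
    for t in candidates:
        fpr, tpr = rates_at(t, history)
        if fpr <= max_fpr and (best is None or tpr > best[2]):
            best = (t, fpr, tpr)
    return best


if __name__ == "__main__":
    # Trading off user friction against missed fraud at two budgets.
    for budget in (0.25, 0.0):
        print(f"max false positive rate {budget:.2f}:",
              pick_threshold(HISTORY, budget))
```

With the constructed data, allowing one in four legitimate users to be challenged catches every fraudulent session at a threshold of 40, while a zero false positive budget pushes the threshold to 75 and misses a third of the fraud; that trade-off is the decision the post says the business has to make for each online activity.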

The bottom line is that risk-based authentication works behind the scenes to spot high-risk transactions and apply the right level of security for the specific level of risk. It allows organizations to manage online risk better. It helps them decide what risk the business is willing to take, and what risk it is not, for every online activity. Since most users are never challenged, it provides a good balance between security and usability: maximum usability for the majority of users, and a little more effort for a small number of users.
