Blog posts by John Tolbert
Just when you thought we had enough variations of IAM, along comes FIAM. Fake digital identities are not new, but they are getting a lot of attention in the press these days. Some fake accounts are very sophisticated and are difficult for automated methods to recognize. Some are built using real photos and stolen identifiers, such as Social Security Numbers or driver’s license numbers. Many of these accounts look like they belong to real people, making it difficult for social media security analysts to flag them for investigation and remove them. With millions of user credentials, passwords, and other PII available on the dark web as a result of the hundreds of publicly acknowledged data breaches, it’s easy for bad actors to create new email addresses, digital identities, and social media profiles.
As we might guess, fake identities are commonly used for fraud and other types of cybercrime. There are many different types of fraudulent use cases, ranging from building impostor identities and attaching to legitimate user assets, to impersonating users to spread disinformation, and for defamation, extortion, catfishing, stalking, trolling, etc. Fake social media accounts were used by the St. Petersburg-based Internet Research Agency to disseminate election-influencing propaganda. Individuals associated with these events have been indicted by the US, but won’t face extradition.
Are there legitimate uses for fake accounts? In many cases, social network sites and digital identity providers have policies and terms of service that prohibit the creation of fake accounts. In the US, violating websites’ terms of service also violates the 1984 Computer Fraud and Abuse Act. Technically then, in certain jurisdictions, creating and using fake accounts is illegal. It is hard to enforce, and sometimes gets in the way of legitimate activities, such as academic research.
However, it is well-known that law enforcement authorities routinely and extensively use fake digital identities to look for criminals. Police have great success with these methods, but also scoop up data on innocent online bystanders as well. National security and intelligence operatives also employ fake accounts to monitor the activities of individuals and groups they suspect might do something illegal and/or harmful. It’s unlikely that cops and spies have to worry much about being prosecuted for using fake accounts.
A common approach that was documented in the 1971 novel “The Day of the Jackal” by Frederick Forsyth is to use the names and details of dead children. This creates a persona that is very difficult to identify as being a fraud. It is still reported as being in use and when discovered causes immense distress to the relatives.
In the private sector, employees of asset repossession companies also use fake accounts to get close to their targets to make it easier for them to repo their cars and other possessions. Wells Fargo has had an ongoing fake account creation scandal, where up to 3.5 million fake accounts were created so that the bank could charge customers more fees. The former case is sneaky and technically illegal, while the latter case is clearly illegal. What are the consequences, for Wells Fargo? They may have suffered a temporary stock price setback and credit downgrade, but their CEO got a raise.
FIAM may sound like a joke, but it is a real thing, complete with technical solutions (using above-board IDaaS and social networks), as well as laws and regulations sort of prohibiting the use of fake accounts. FIAM is at once a regular means of doing business, a means for spying, and an essential technique for executing fraud and other illegal activities. It is a growing concern for those who suffer loss, particularly in the financial sector. It is also now a serious threat to social networks, whose analysts must remove fake accounts as quickly as they pop up, lest they be used to promote disinformation.
At KuppingerCole, cybersecurity and identity management product/service analysis are two of our specialties. As one might assume, one of the main functional areas in vendor products we examine in the course of our research is administrative security. There are many components that make up admin security, but here I want to address weak authentication for management utilities.
Most on-premises and IaaS/PaaS/SaaS security and identity tools allow username and password for administrative authentication. Forget an admin password? Recover it with KBA (Knowledge-based authentication).
Many programs accept other stronger forms of authentication, and this should be the default. Here are some better alternatives:
- Web console protected by existing Web Access Management solution utilizing strong authentication methods
- SAML for SaaS
- Mobile apps (if keys are secured in Secure Enclave, Secure Element, and app runs as Trusted App in Trusted Execution Environment [TEE])
- FIDO UAF Mobile apps
- USB Tokens
- FIDO U2F devices
- Smart Cards
Even OATH TOTP and Mobile Push apps, while having some security issues, are still better than username/passwords.
Why? Let’s do some threat modeling.
Scenario #1: Suppose you’re an admin for Acme Corporation, and Acme just uses a SaaS CIAM solution to host consumer data. Your CIAM solution is collecting names, email addresses, physical addresses for shipping, purchase history, search history, etc. Your CIAM service is adding value by turning this consumer data into targeted marketing, yielding higher revenues. Until one day a competitor comes along, guesses your admin password, and steals all that business intelligence. Corporate espionage is real - the “Outsider Threat” still exists.
Scenario #2: Same CIAM SaaS background as #1, but let’s say you have many EU customers. You’ve implemented a top-of-the-line CIAM solution to collect informed consent to comply with GDPR. If a hacker steals customer information and publishes it without user consent, will Acme be subject to GDPR fines? Can deploying username/password authentication be considered doing due diligence?
Scenario #3: Acme uses a cloud-based management console for endpoint security. This SaaS platform doesn’t support 2FA, only username/password authentication. A malicious actor uses KBA to reset your admin password. Now he or she is able to turn off software updates, edit application whitelists, remove entries from URL blacklists, or uninstall/de-provision endpoint agents from your company’s machines. To cover their tracks, they edit the logs. This would make targeted attacks so much easier.
Upgrading to MFA or risk-adaptive authentication would decrease the likelihood of these attacks succeeding, though better authentication is not a panacea. There is more to cybersecurity than authentication. However, the problem lies in the fact that many security vendors allow password-based authentication to their management consoles. In some cases, it is not only the default but also the only method available. Products or services purporting to enhance security or manage identities should require strong authentication.
The EU’s General Data Protection Regulation (GDPR) will force many changes in technology and processes when it comes into effect in May 2018. We have heard extensively about how companies and other organizations will have to provide capabilities to:
- Collect explicit consent for the use of PII per purpose
- Allow users to revoke previously given consent
- Allow users to export their data
- Comply with users’ requests to delete the data you are storing about them
- Provide an audit trail of consent actions
Software vendors are preparing, particularly those providing solutions for IAM, CIAM, ERP, CRM, PoS, etc., by building in these features if not currently available. These are necessary precursors for GDPR compliance. However, end user organizations have other steps to take, and they should begin now.
GDPR mandates that, within 72 hours of discovering a data breach, the responsible custodian (in many cases the organization’s Data Protection Officer, or DPO) must notify the Supervisory Authority (SA). If EU persons’ data is found to have been exfiltrated, those users should also be notified. Organizations must begin preparing now for how to execute notifications: define responsible personnel, draft the notifications, and plan for remediation.
Consider some recent estimated notification intervals for major data breaches in the US:
- Equifax: 6 weeks to up to 4-5 months
- Deloitte: perhaps 6 months
- SEC: up to 1 year
- Yahoo: the latest revelations after the Verizon acquisition indicate up to 4 years for complete disclosure
The reasons data custodians need to be quick about breach notifications are very clear and very simple:
- The sooner victims are notified, the sooner they can begin to remediate risks. For example, Deloitte’s customers could have begun to assess which of their intellectual property assets were at risk and how to respond earlier.
- Other affected entities can begin to react. In the SEC case, the malefactors had plenty of time to misuse the information and manipulate stock prices and markets.
- Cleanup costs will be lower for the data custodian. Selling stocks after breaches are discovered but prior to notification may be illegal in many jurisdictions.
- It will be better for the data custodian’s reputation in the long run if they quickly disclose and fix the problems. The erosion of Yahoo’s share price prior to purchase is clear evidence here.
Understandably, executives can be reticent in these matters. But delays give the impression of apathy, incompetence, and even malicious intent on the part of executives by attempting to hide or cover up such events. Though GDPR is an EU regulation, it directly applies to other companies and organizations who host data on EU member nations’ citizens. Even for those organizations not subject to GDPR, fast notification of data breaches is highly recommended.
This past weekend we learned that Gigya will be acquired by SAP Hybris. California-based Gigya has been a top vendor in our CIAM Platforms Leadership Compass reports. Gigya offers a pure SaaS CIAM solution, and has one of the largest customer bases in the market. SAP’s Identity solution was previously positioned more as an IDaaS for SAP customers for SAP use cases.
What is most interesting is the pairing of Gigya with SAP Hybris. Hybris is SAP’s marketing tools, analytics, and automation suite. It already has a considerable customer base and big feature set. Gigya is also very strong in this area, with specialties for leveraging consumer data for personalization and more accurate targeted marketing.
This Gigya – SAP transaction is the latest in an active year of CIAM startups, funding rounds, buyouts, and even an IPO. CIAM is the fastest growing section of the Identity market, and all aforementioned activity is evidence that this trend is being recognized and rewarded by investors.
CIAM is an essential component in contemporary business architectures. Consider the following:
- EU GDPR – CIAM solutions collect and retain user consent for compliance
- EU PSD2 – CIAM solutions are significant competitive advantages for banks and financial services providers that implement them; CIAM can also offer strong customer authentication options
- Retail – consumers will shop elsewhere if the user experience is cumbersome
- Digital transformation – IoT and SmartHome gadgets are best managed via consumer identities with strong consumer security and privacy protections
Traditional IAM is also capturing a larger portion of most organizations’ budgets, as the C-Suite begins to understand the importance of cybersecurity and the pivotal function of digital identity within cybersecurity strategies. The lines between IDaaS and CIAM have begun to blur. Traditional IAM vendors have been modifying and rebranding their solutions to meet the changing needs of consumer identity. Some CIAM vendors are offering their services as IDaaS. If SAP chooses to leverage the full CIAM feature set that Gigya has, rather than just integrating the marketing analytics and automation capabilities with Hybris, it will broaden SAP’s reach in the CIAM and IDaaS space.
KuppingerCole will continue to monitor and research the dynamic CIAM market. If CIAM is a trending topic for you, join us at our Consumer Identity World events, in Paris (November 28-29) and Singapore (December 13-14).
Last week we completed the opening dates on the Consumer Identity World Tour in Seattle. To kick off the event, the Kantara Initiative held a one-day workshop to showcase the work that they do. Kantara is an international standards organization which develops technical specifications promoting User Managed Access, Consent Receipt, Identities of Things, and Identity Relationship Management. Kantara is also a Trust Framework Provider, approved by the US Federal Government’s Identity and Access Management (ICAM) program, which accredits Assessors and approves CSPs at Levels 1, 2 and non-PKI Level 3. Kantara will be joining us on our subsequent CIW tour dates.
The CIW conference is all about consumer and customer identities. It is the only conference to focus specifically on the use cases, requirements, and technical solutions in the Consumer Identity and Access Management (CIAM) space. Keynotes were delivered by distinguished guests and our sponsors, including:
- Christian Goy – Behavioral Science Lab
- Ryan Fox – Capital One
- Tim Maiorino – Osborne Clark
- Jason Keenaghan – IBM
- Katryna Dow – Meeco
- Colin Wallis – Kantara
- Phil Lam – Lam Advisory
- Jason Rose – Gigya
- Steve Tout – VeriClouds
- Heather Flanagan – DIACC
- Allan Foster – ForgeRock
With a looming May 2018 implementation date, the EU General Data Protection Regulation (GDPR) was a subject that bubbled up in many sessions. Though it will be a regulation in the EU, it applies to any company or organization that does business with or processes data of EU citizens, including enterprises here in the US. Thus, privacy and consent for use of PII were important conversations: Denise Tayloe of Privo and Lisa Hayes from the Center for Democracy and Technology discussed family management and building-in privacy in their sessions. John Anderson of Facebook, the world’s largest social identity provider, presented on consumer authentication trends.
Many organizations deploy CIAM solutions to gain insights into consumer behavior to create more effective marketing campaigns and increase revenue. Lars Helgeson of Greenrope went into detail on the intersection of CRM, CIAM, and Marketing Automation. The MarTech panel continued the conversation on marketing in CIAM.
On both days, we had many expert panels covering a range of topics within CIAM. One of the things that distinguishes KuppingerCole conferences from others is our use of panel discussions. This format allows conference attendees to hear multiple viewpoints on a subject within a short time, and engages the audience more directly. Delegates and panelists interacted on topics such as:
- Next Generation Authentication for Health Care
- Moving Beyond Passwords
- CIAM Strategies
- The Business Value of Consumer Identity
- Informed Consent
- Security and Privacy
- Mobile Biometrics
- User Experience
- CIAM Case Studies
- Economics of GDPR
- The Risks of Compromised Credentials
- Marketing Technology
Christian Goy, Co-founder & Managing Director of Behavioral Science Lab said about CIW Seattle, "Consumer Identity World Tour is one of those rare events that truly inspires forward thinking in the consumer identity management, privacy and security space. Stirred by thought leaders in the industry, this must-attend event provides invaluable discussions and learning experiences for everyone present."
Katryna Dow, CEO & Founder of Meeco added, “The European regulatory changes are driving major shifts in CIAM, privacy, and consent. These changes represent challenges for global enterprises, including those headquartered in the USA. Enterprises are faced with the choice to either focus on compliance or harness these changes to drive digital transformation and trust-based personalization. KuppingerCole is uniquely positioned to bring deep knowledge of the European market to provide strategic insight in North America. Great to see the Consumer Identity World tour kicked off here in Seattle; I hope it will be the first of many USA events.”
Finally, we’d like to thank our platinum sponsors ForgeRock, Gigya, IBM, and VeriClouds; association sponsors Global Platform, Kantara, and Open Identity Exchange; and component sponsors PlainID, Ping Identity, Saviynt, Axiomatics, CloudEntity, Deloitte, and Login Radius.
Authorization is one of the key concepts and processes involved in security, both in the real world as well as the digital world. Many formulations of the definition for authorization exist, and some are context dependent. For IT security purposes, we’ll say authorization is the act of evaluating whether a person, process, or device is allowed to operate on or possess a specific resource, such as data, a program, a computing device, or a cyberphysical object (e.g., a door, a gate, etc.).
The concept of authorization has evolved considerably over the last two decades. No longer must users be directly assigned entitlements to particular resources. Security administrators can provision groups of users or select attributes of users (e.g. employee, contractor of XYZ Corp, etc.) as determinants for access.
For some of the most advanced authorization and access control needs, the OASIS eXtensible Access Control Markup Language (XACML) standard can be utilized. Created in the mid-2000s, XACML is an example of an Attribute-Based Access Control (ABAC) methodology. XACML is an XML policy language, reference architecture, and request/response protocol. ABAC systems allow administrators to combine specific subject, resource, environmental, and action attributes for access control evaluation. XACML solutions facilitate run-time processing of dynamic and complex authorization scenarios. XACML can be somewhat difficult to deploy, given the complexity of some architectural components and the policy language. Within the last few years, JSON and REST profiles of XACML have been created to make it easier to integrate into modern line-of-business applications.
Just prior to the development of XACML, OASIS debuted Security Assertion Markup Language (SAML). Numerous profiles of SAML exist, but the most common usage is for identity federation. SAML assertions serve as proof of authentication at the domain of origin, which can be trusted by other domains. SAML can also facilitate authorization, in that, other attributes about the subject can be added to the signed assertion. SAML is widely used for federated authentication and limited authorization purposes.
OAuth 2.0 is a lighter-weight IETF standard. It takes the access token approach, passing tokens on behalf of authenticated and authorized users, processes, and now even devices. OAuth 2.0 now serves as a framework upon which additional standards are defined, such as OpenID Connect (OIDC) and User Managed Access (UMA). OAuth has become a widely used standard across the web. For example, “social logins”, i.e. using a social network provider for authentication, generally pass OAuth tokens between authorization servers and relying party sites to authorize the subject user. OAuth is a simpler alternative to XACML and SAML, but is also usually considered less secure.
From an identity management perspective, authentication has received the lion’s share of attention over the last several years. The reasons for this are two-fold:
- the weakness of username/password authentication, which has led to many costly data breaches
- proliferation of new authenticators, including 2-factor (2FA), multi-factor (MFA), risk-adaptive techniques, and mobile biometrics
However, in 2017 we have noticed an uptick in industry interest in dynamic authorization technologies that can help meet complicated business and regulatory requirements. As authentication technologies improve and become more commonplace, we predict that more organizations with fine-grained access control needs will begin to look at dedicated authorization solutions. For an in-depth look at dynamic authorization, including guidelines and best practices for the different approaches, see the Advisory Note: Unifying RBAC and ABAC in a Dynamic Authorization Framework.
Organizations that operate in strictly regulated environments find that both MFA / risk-adaptive authentication and dynamic authorization are necessary to achieve compliance. Regulations often mandate 2FA / MFA, e.g. US HSPD-12, NIST 800-63-3, EU PSD2, etc. Regulations occasionally stipulate that certain access-subject or business conditions, expressed as attributes, be met as a precursor to granting permission. For example, in export regulations these attributes are commonly access-subject nationality or licensed company.
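The export-control case just mentioned, worked through as an ABAC decision whose request and response take the shape of the XACML JSON profile described earlier. This is an added example, not code from the XACML specification or any vendor product; the policy rules, the urn:example:* attribute identifiers, the placeholder country codes and all attribute values are constructed assumptions.

```python
"""Minimal attribute-based access control (ABAC) policy decision point (PDP)
whose request and response follow the shape of the XACML JSON profile:
categories AccessSubject / Resource / Action / Environment, each holding a
list of {"AttributeId", "Value"} objects, and a Response carrying one
Decision of Permit, Deny or NotApplicable. The export-control policy, the
urn:example:* attribute ids and every attribute value are constructed."""
from typing import Callable, Dict, List, Tuple

# Standard XACML 1.0 attribute identifiers.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Deployment-specific identifiers (constructed for this example).
NATIONALITY = "urn:example:subject:nationality"
COMPANY = "urn:example:subject:company"
EXPORT_CLASS = "urn:example:resource:export-classification"
LICENSED_COMPANIES = "urn:example:resource:licensed-companies"

# Placeholder country codes, not real export-control lists.
EMBARGOED = {"XX"}
DOMESTIC = {"US"}

Attrs = Dict[str, List[str]]
Rule = Tuple[str, Callable[[Attrs, Attrs, Attrs, Attrs], bool]]

def _attrs(request: dict, category: str) -> Attrs:
    """Flatten one request category into {AttributeId: [values]}."""
    out: Attrs = {}
    for attr in request.get("Request", {}).get(category, {}).get("Attribute", []):
        value = attr["Value"]
        out.setdefault(attr["AttributeId"], []).extend(
            value if isinstance(value, list) else [value])
    return out

def _one(attrs: Attrs, attr_id: str) -> str:
    """Single-valued lookup; empty string when the attribute is missing."""
    values = attrs.get(attr_id, [])
    return values[0] if values else ""

def _deny_embargoed(s: Attrs, r: Attrs, a: Attrs, e: Attrs) -> bool:
    """Controlled data is never released to a national of an embargoed
    country, whatever the action or the employer."""
    return _one(r, EXPORT_CLASS) != "uncontrolled" and _one(s, NATIONALITY) in EMBARGOED

def _permit_controlled_read(s: Attrs, r: Attrs, a: Attrs, e: Attrs) -> bool:
    """Controlled data: read only, and only for domestic nationals or for
    staff of a company whose licence names this specific resource."""
    if _one(r, EXPORT_CLASS) == "uncontrolled" or _one(a, ACTION_ID) != "read":
        return False
    return _one(s, NATIONALITY) in DOMESTIC or _one(s, COMPANY) in r.get(LICENSED_COMPANIES, [])

def _permit_uncontrolled_read(s: Attrs, r: Attrs, a: Attrs, e: Attrs) -> bool:
    return _one(r, EXPORT_CLASS) == "uncontrolled" and _one(a, ACTION_ID) == "read"

POLICY: List[Rule] = [
    ("Deny", _deny_embargoed),
    ("Permit", _permit_controlled_read),
    ("Permit", _permit_uncontrolled_read),
]

def evaluate(policy: List[Rule], request: dict) -> dict:
    """Deny-overrides combining: a matching Deny wins over any Permit; if no
    rule matches, the decision is NotApplicable, which the enforcement point
    should treat as deny-by-default."""
    cats = tuple(_attrs(request, c)
                 for c in ("AccessSubject", "Resource", "Action", "Environment"))
    effects = {effect for effect, applies in policy if applies(*cats)}
    decision = ("Deny" if "Deny" in effects
                else "Permit" if "Permit" in effects else "NotApplicable")
    return {"Response": [{"Decision": decision}]}

def make_request(subject_id: str, nationality: str, company: str, resource_id: str,
                 classification: str, licensed: List[str], action: str) -> dict:
    """Build a request in the JSON profile's shape from constructed values."""
    return {"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": SUBJECT_ID, "Value": subject_id},
            {"AttributeId": NATIONALITY, "Value": nationality},
            {"AttributeId": COMPANY, "Value": company}]},
        "Resource": {"Attribute": [
            {"AttributeId": RESOURCE_ID, "Value": resource_id},
            {"AttributeId": EXPORT_CLASS, "Value": classification},
            {"AttributeId": LICENSED_COMPANIES, "Value": licensed}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
        "Environment": {"Attribute": []}}}

def decide(**kw) -> str:
    """Convenience wrapper returning just the Decision string."""
    return evaluate(POLICY, make_request(**kw))["Response"][0]["Decision"]

if __name__ == "__main__":
    # Contractor at a licensed company reading a controlled drawing: Permit.
    print(decide(subject_id="alice", nationality="DE", company="XYZ Corp",
                 resource_id="drawing-17", classification="controlled",
                 licensed=["XYZ Corp"], action="read"))
```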
Authorization becomes extremely important at the API level. Consider PSD2: it will require banks and other financial institutions to expose APIs for 3rd party financial processors to utilize. These APIs will have tiered and firewalled access into core banking functions. Banks will of course require authentication from trusted 3rd party financial processors. Moreover, banks will no doubt enforce granular authorization on the use of each API call, per API consumer, and per account. The stakes are high with PSD2, as banks will need to compete more efficiently and protect themselves from a much greater risk of fraud.
For more information on authentication and authorization technologies, as well as guidance on preparing for PSD2, please visit the Focus Areas section of our website.
The General Data Protection Regulation (GDPR) and Revised Payment Service Directive (PSD2) are two of the most important and most talked about technical legislative actions to arise in recent years. Both emanate from the European Commission, and both are aimed at consumer protection.
GDPR will bolster personal privacy for EU residents in a number of ways. The GDPR definition of personally identifiable information (PII) includes attributes that were not previously construed as PII, such as account names and email addresses. GDPR will require that data processors obtain clear, unambiguous consent from each user for each use of user data. In the case of PSD2, this means banks and Third-Party Providers (TPPs). TPPs comprise Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). For more information, please see https://www.kuppingercole.com/report/lb72612.
Screen scraping has been in practice for many years, though it is widely known that this method is inherently insecure. In this context, screen scraping is used by TPPs to get access to customer data. Some FinTechs harvest usernames, email addresses, passwords, and account numbers to act on behalf of the users when interacting with banks and other FinTechs. This technique exposes users to additional risks, in that their credentials are more likely to be misused and/or stored in more locations.
PSD2 will mandate the implementation of APIs by banks, for a more regular and safer way for TPPs to get account information and initiate payments. This is a significant step forward in scalability and security. However, the PSD2 Regulatory Technical Standards (RTS) published earlier this year left a screen scraping loophole for financial organizations who have not yet modernized their computing infrastructure to allow more secure access via APIs. The European Banking Authority (EBA) now rejects the presence of this insecure loophole: https://www.finextra.com/newsarticle/30772/eba-rejects-commission-amendments-on-screen-scraping-under-psd2.
KuppingerCole believes that the persistence of the screen scraping exception is bad for security, and therefore ultimately bad for business. The proliferation of TPPs expected after PSD2 along with the attention drawn to this glaring weakness almost ensures that it will be exploited, and perhaps frequently.
Furthermore, screen scraping implies that customer PII is being collected and used by TPPs. This insecure practice, then, by definition goes against the spirit of consumer protection embodied in GDPR and PSD2. Furthermore, GDPR calls for the principle of Security by Design, and a screen scraping exemption would contravene that. TPPs can obtain consent for the use of consumer PII, or have it covered contractually, but such a workaround is unnecessary if TPPs utilize PSD2 open banking APIs. An exemption in a directive should not lead to potential violations of a regulation.
Digital Transformation is driving a diverse set of business initiatives today, including advanced marketing techniques, creating new consumer services, acquiring better customer information, and even deploying new identity management solutions. As organizations discover new and efficient methods for engaging customers, they often realize new and more profitable revenue streams.
At the intersection of identity and marketing, we find Consumer Identity and Access Management (CIAM) systems. CIAM is a relatively new but fast-growing area within the overall IAM market. As the name implies, Consumer IAM focuses on the consumer. This means that CIAM solutions feature:
- Self-registration, with options to use social network credentials
- Progressive profiling: collecting information from customers over a period of time through various interactions, rather than asking for a lot of information up front
- White-labeling for seamless branding
- Flexible authentication: username, mobile devices, social logins, and often 2FA or MFA methods
- Consent management: easy-to-use and understand opt-ins for data collection
- Identity and marketing analytics: data about consumers and their activities that can be transformed into business intelligence.
Many CIAM solutions were designed from the ground up to make the customer experience more pleasant. Other CIAM solutions have evolved from the traditional IAM systems we’ve used in businesses and governments for decades. Most CIAM solutions can be run from the cloud, either as a turn-key SaaS or as a solution your teams can administer inside IaaS.
The data generated from CIAM systems is inherently useful for marketing. There are two very different approaches for harvesting and using CIAM data: native tools or exporting to third-party programs.
The most feature-rich CIAM solutions build identity and analytics capabilities into their platforms. Examples of reports that are possible in these types of solutions include:
- demographics such as gender, age, location, nationality;
- segmentation analysis such as generation, age range, income bracket;
- events including logins, registrations, social providers used;
- “likes” such as favorite TV shows, sports teams, books, music;
- social engagement including top commenters and time spent on site.
Most CIAM vendors permit programmatic access via REST APIs to integrate with a wide range of 3rd party market analysis tools as well, e.g. Google Analytics and Tableau. For enterprise or organizational customers, the data is there, but the choice of how to obtain it and analyze it depends on your organizational capabilities and preferences.
Much of this information produced by CIAM systems can be beneficial; however, with the EU General Data Protection Regulation (GDPR) on the horizon, the ability to collect informed consent from consumers about the use of their data becomes paramount. Among the many provisions of GDPR, the regulation will require organizations that collect information about users to obtain clear and unambiguous assent for per-purpose processing. Fortunately, many CIAM vendors have proactively designed their user interfaces to facilitate GDPR compliance to some degree. In addition to collecting consent and allowing users to change their preferences, data processors will also need to be able to log consent, export or delete user data upon request, and notify users when terms change or when data breaches happen.
In conclusion, well-constructed and configured CIAM solutions can help customers acquire valuable information on their consumers, that, in concert with advanced techniques such as marketing automation, can lead to higher revenues and better consumer satisfaction. Information gleaned at the intersection of identity and marketing is subject to privacy and other regulations, and as such, needs to be protected appropriately.
Ransomware attacks have increased in popularity, and many outlets predict that it will be a $1 billion business this year. Ransomware is a form of malware that either locks users’ screens or encrypts users’ data, demanding that ransom be paid for the return of control or for decryption keys. Needless to say, paying the ransom only emboldens the perpetrators and perpetuates the ransomware problem.
Ransomware is not just a home user problem, in fact many businesses and government agencies have been hit. Healthcare facilities have been victims. Even police departments have been attacked and lost valuable data. As one might expect, protecting against ransomware has become a top priority for CIOs and CISOs in both the public and private sectors.
Much of the cybersecurity industry has, in recent years, shifted focus to detection and response rather than prevention. However, in the case of ransomware, detection is pretty easy because the malware announces its presence as soon as it has compromised a device. That leaves the user to deal with the aftermath. Once infected, the choices are to:
- pay the ransom and hope that malefactors return control or send decryption keys (not recommended, and it doesn’t always work that way)
- wipe the machine and restore data from backup
Restoration is sometimes problematic if users or organizations haven’t been keeping up with backups. Even if backups are readily available, time will be lost in cleaning up the compromised computer and restoring the data. Thus, preventing ransomware infections is preferred. However, no anti-malware product is 100% effective at prevention. It is still necessary to have good, tested backup/restore processes for cases where anti-malware fails.
Most ransomware attacks arrive as weaponized Office docs via phishing campaigns. Disabling macros can help, but this is not universally effective since many users need to use legitimate macros. Less commonly, ransomware can also come from drive-by downloads and malvertising.
Most endpoint security products have anti-malware capabilities, and many of these can detect and block ransomware payloads before they execute. All end-user computers should have anti-malware endpoint security clients installed, preferably with up-to-date subscriptions. Servers and virtual desktops should be protected as well. Windows platforms are still the most vulnerable, though there are increasing amounts of ransomware for Android. It is important to remember that Apple’s iOS and Mac devices are not immune from ransomware, or malware in general.
If you or your organization do not have anti-malware packages installed, there are some no-cost anti-ransomware specialty products available. They do not appear to be limited-time trial versions, but are instead fully functional. Always check with your organization’s IT management staff and procedures before downloading and installing software. All the products below are designed for Windows desktops:
The links, in alphabetical order by company name, are provided as resources for consideration for the readers rather than recommendations.
Ransomware hygiene encompasses the following short-list of best practices:
- Perform data backups
- Disable Office macros by default if feasible
- Deliver user training to avoid phishing schemes
- Use anti-malware
- Develop breach response procedures
- Don’t pay ransom
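Two of the items above, performing backups and, from the earlier paragraph on restoration, keeping a tested backup/restore process, only pay off if the restore is actually exercised before it is needed. The following is an added example (my own code, not from the post or from any product it mentions) that archives a directory into a tar.gz with a SHA-256 manifest, then restores it into a scratch directory and checks that every recorded file comes back intact. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, dest_dir: Path) -> tuple:
    """Archive every file under `source` into dest_dir/backup.tar.gz and record each SHA-256."""
    hashes = {str(p.relative_to(source)): sha256_of(p)
              for p in sorted(source.rglob("*")) if p.is_file()}
    archive, manifest = dest_dir / "backup.tar.gz", dest_dir / "backup.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in hashes:
            tar.add(source / rel, arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2))   # keep the manifest beside the backup
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> list:
    """Restore into a scratch directory and return the relative paths that are missing or differ."""
    expected = json.loads(manifest.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter where this Python offers it (3.12+ and backports).
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(root, **opts)
        return [rel for rel, digest in expected.items()
                if not (root / rel).is_file() or sha256_of(root / rel) != digest]


def demo() -> dict:
    """Constructed sample tree: back it up, prove it restores, then show the check can fail."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "docs"
        (source / "sub").mkdir(parents=True)
        (source / "notes.txt").write_text("quarterly figures\n")
        (source / "sub" / "plan.md").write_text("# recovery plan\n")
        archive, manifest = create_backup(source, Path(work))
        clean = verify_restore(archive, manifest)
        # Corrupt one recorded hash: a restore test must report the file rather than pass silently.
        recorded = json.loads(manifest.read_text())
        recorded["notes.txt"] = "0" * 64
        manifest.write_text(json.dumps(recorded))
        tampered = verify_restore(archive, manifest)
    return {"clean_problems": clean, "tampered_problems": tampered}


if __name__ == "__main__":
    print(demo())   # expect {'clean_problems': [], 'tampered_problems': ['notes.txt']}
```

The restore is done into a throwaway directory on purpose: a restore test that overwrites the live data is not a test. In practice the manifest should be stored with the offline copy of the backup, since ransomware that reaches the backup location can rewrite both the archive and a manifest kept next to it.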
The European Banking Authority released the final draft of the Regulatory Technical Specifications for PSD2 this week. It contains several improvements and clarifications, but there are still a few areas that fall short of industry expectations.
After the release of the initial drafts, EBA received a multitude of comments and discussion from many organizations and software vendors. One of the top concerns was on the mandate for Strong Customer Authentication (SCA), which was defined traditionally as something you have, something you know, or something you are. Originally it was conceived to apply to any transaction over €10. The limit has been raised to €30, which is better, but still less than the recommended €50.
The revision also takes into account the innovations and benefits of risk-adaptive authentication. Risk-adaptive authentication encompasses several functions, including user behavioral analytics (UBA), two- or multi-factor authentication (2FA or MFA), and policy evaluation. Risk-adaptive authentication platforms evaluate a configurable set of real-time risk factors against pre-defined policies to determine a variety of outcomes. The policy evaluation yields one of several outcomes: permit, deny, or “step-up authentication” required.
PSD2 RTS stipulates that banks (Account Servicing Payment Service Providers, or ASPSPs) must consider the following transactional fraud risk detection elements on a per-transaction basis:
1. lists of compromised or stolen authentication elements;
2. the amount of each payment transaction;
3. known fraud scenarios in the provision of payment services;
4. signs of malware infection in any sessions of the authentication procedure.
Items 1-3 are commonly examined in many banking transactions today. The prescription to look for signs of malware infection is somewhat vague and difficult to achieve technically. Is the bank responsible for knowing the endpoint security posture of all of its clients? If so, is it responsible also for helping remediate malware on clients?
Furthermore, in promoting “continuous authentication” via risk-adaptive authentication, EBA states:
- the previous spending patterns of the individual payment service user;
- the payment transaction history of each of the payment service provider’s payment service user;
- the location of the payer and of the payee at the time of the payment transaction providing the access device or the software is provided by the payment service provider;
- the abnormal behavioural payment patterns of the payment service user in relation to the payment transaction history;
- in case the access device or the software is provided by the payment service provider, a log of the use of the access device or the software provided to the payment service user and the abnormal use of the access device or the software.
The requirements described above, from the PSD2 RTS document, are very much a “light” version of risk-adaptive authentication and UBA. These attributes are useful in predicting the authenticity of the current user of the services. However, there are additional attributes that many risk-adaptive authentication vendors commonly evaluate that would add value to the notion and practice of fraud risk reduction. For example:
- IP address
- Time of day/week
- Device ID
- Device fingerprint
- Known compromised IP/network check
- User attributes
- User on new device check
- Jailbroken mobile device check
Now that limited risk analytics are included in the PSD2 paradigm, the requirement for SCA is reduced to at least once per 90 days. This, too, is in line with the way most modern risk-adaptive authentication systems work.
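As an added example (my own code, not from the RTS, the EBA, or any vendor), here is the kind of per-transaction policy evaluation the preceding paragraphs describe: it treats the RTS elements (compromised authentication elements, amount against spending pattern, a known fraud scenario, malware signs in the session, payer/payee location, device use) and the extra attributes vendors commonly add (IP reputation, time of day, new device, jailbroken device) as weighted signals, maps the score to permit, step-up, or deny, and then enforces the €30 exemption limit and the once-per-90-days SCA cadence on top. The point weights, thresholds, field names and sample transactions are my own assumptions; the compromised-credential list and bad-network prefix are constructed placeholders, not real indicators.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from typing import Optional

# The EUR 30 limit and the 90-day SCA cadence are the RTS figures quoted in the text;
# the point values, thresholds and reference data below are assumed or constructed.
COMPROMISED_CREDENTIALS = {"cred-hash-0001"}   # constructed placeholder, not a real indicator
KNOWN_BAD_NETWORKS = ("198.51.100.",)          # RFC 5737 documentation prefix as a stand-in
SCA_EXEMPTION_LIMIT_EUR = 30.0
SCA_MAX_AGE = timedelta(days=90)
STEP_UP_THRESHOLD, DENY_THRESHOLD = 25, 60
NOW = datetime(2017, 3, 1, 14, 0, tzinfo=timezone.utc)   # constructed evaluation time

@dataclass
class UserProfile:
    past_amounts: list            # payment transaction history, EUR
    known_devices: set            # device IDs seen before for this user
    usual_countries: set          # countries the user normally pays from and to
    usual_hours: range            # hours of day in which the user normally transacts
    last_sca: Optional[datetime]  # when strong customer authentication last happened

@dataclass
class Transaction:
    amount: float
    payer_country: str
    payee_country: str
    device_id: str
    device_jailbroken: bool
    source_ip: str
    credential_id: str
    session_malware_signs: bool   # e.g. raised by the bank's own session-integrity checks
    when: datetime

@dataclass
class Decision:
    outcome: str                  # "permit", "step_up" or "deny"
    score: int
    reasons: list

def evaluate(tx: Transaction, profile: UserProfile) -> Decision:
    """Score one transaction against the user's history and map the score to an outcome."""
    # RTS elements 1 and 4 (compromised elements, malware in the session) are hard stops.
    if tx.credential_id in COMPROMISED_CREDENTIALS:
        return Decision("deny", 100, ["compromised authentication element"])
    if tx.session_malware_signs:
        return Decision("deny", 100, ["signs of malware in the authentication session"])
    # Element 2: the amount as a z-score against the user's previous spending pattern.
    z = 0.0
    if profile.past_amounts:
        z = (tx.amount - mean(profile.past_amounts)) / (pstdev(profile.past_amounts) or 1.0)
    new_device = tx.device_id not in profile.known_devices
    # Each signal: (fired?, points, reason). Location and behaviour items follow the RTS list;
    # IP reputation, time of day, new device and jailbreak are the vendor extras.
    signals = [
        (z > 3, 40, f"amount {z:.1f} sd above usual spend"),
        (2 < z <= 3, 20, f"amount {z:.1f} sd above usual spend"),
        (tx.payer_country not in profile.usual_countries, 20, "payer location unusual"),
        (tx.payee_country not in profile.usual_countries, 10, "payee location unusual"),
        (new_device, 15, "user on new device"),
        (tx.device_jailbroken, 15, "jailbroken mobile device"),
        (tx.source_ip.startswith(KNOWN_BAD_NETWORKS), 30, "source IP on compromised network list"),
        (tx.when.hour not in profile.usual_hours, 10, "unusual time of day"),
        # Element 3: a known fraud scenario, here a simple account-takeover pattern.
        (new_device and tx.amount > max(profile.past_amounts, default=0.0)
         and tx.payee_country not in profile.usual_countries, 25, "known fraud scenario: takeover"),
    ]
    score = sum(points for hit, points, _ in signals if hit)
    reasons = [reason for hit, _, reason in signals if hit]
    outcome = "deny" if score >= DENY_THRESHOLD else "step_up" if score >= STEP_UP_THRESHOLD else "permit"
    # Above the exemption limit, even a low-risk payment needs SCA at least once per 90 days.
    if outcome == "permit" and tx.amount > SCA_EXEMPTION_LIMIT_EUR:
        if profile.last_sca is None or tx.when - profile.last_sca > SCA_MAX_AGE:
            outcome, reasons = "step_up", reasons + ["SCA older than 90 days"]
    return Decision(outcome, score, reasons)

def demo() -> dict:
    """Constructed profile and transactions; returns the Decision for each named case."""
    profile = UserProfile([20.0, 35.0, 50.0, 42.0, 28.0, 60.0, 45.0, 30.0],
                          {"device-A"}, {"DE"}, range(7, 23), NOW - timedelta(days=10))
    base = dict(amount=40.0, payer_country="DE", payee_country="DE", device_id="device-A",
                device_jailbroken=False, source_ip="192.0.2.10", credential_id="cred-hash-9999",
                session_malware_signs=False, when=NOW)
    cases = {
        "routine": (Transaction(**base), profile),
        "stale_sca": (Transaction(**base), replace(profile, last_sca=NOW - timedelta(days=120))),
        "new_device_abroad": (Transaction(**{**base, "amount": 55.0, "payee_country": "FR",
                                             "device_id": "device-Z"}), profile),
        "takeover": (Transaction(**{**base, "amount": 900.0, "payee_country": "NL",
                                    "device_id": "device-Z", "when": NOW.replace(hour=3)}), profile),
        "compromised": (Transaction(**{**base, "credential_id": "cred-hash-0001"}), profile),
    }
    return {name: evaluate(tx, prof) for name, (tx, prof) in cases.items()}

if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:18} {d.outcome:8} score={d.score:3}  {'; '.join(d.reasons)}")
```

The `stale_sca` case is the one the 90-day rule is about: the transaction itself scores zero risk, yet because it is over €30 and the last SCA is older than 90 days the outcome is still step-up. Keeping the signals as a data table rather than nested ifs is what makes the "configurable set of risk factors" configurable: a bank can add the attributes it actually has, such as a device-usage log, without touching the decision logic.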
The PSD2 RTS leaves in place “screen-scraping” for an additional 18 months, a known bad practice that current Third Party Providers (TPPs) use to extract usernames and passwords from HTML forms. This practice is not only subject to Man-in-the-Middle (MITM) attacks, but also perpetuates the use of low assurance username/password authentication. Given that cyber criminals now know that they only have a limited amount of time to exploit this weak mechanism, look for an increase in attacks on TPPs and banks using screen-scraping methods.
In summary, the final draft of PSD2 RTS does make some security improvements, but omits recommending practices that would more significantly and positively affect security in the payments industry, while leaving in place the screen-scraping vulnerability for a while longer.
AI for the Future of your Business: Effective, Safe, Secure & Ethical
Everything we admire, love, need to survive, and that brings us further in creating a better future with a human face is and will be a result of intelligence. Synthesizing and amplifying our human intelligence therefore has the potential of leading us into a new era of prosperity like we have not seen before, if we succeed in keeping AI Safe, Secure and Ethical. Since the very beginning of industrialization, and even before, we have been striving to structure our work in a way that it becomes accessible for [...]