Abrar Siddiqui, Vice President of Engineering at Callsign discusses user identity protection
Users have become increasingly frustrated with passwords, they are difficult to remember and we find that we often have to reset them just to transact with organisations. So much so, that 73% of consumers are wondering why they continue to interact with a business when authenticating online is so difficult.
A lot of this frustration stems from traditional authentication methods where a pin code is sent to the user via SMS to complete the sign-in process. SMS channels were not designed for authentication purposes and are easily compromised. Analog methods such as passwords were not designed for the digital world, and simply digitising an authentication method creates an inherently flawed authenticator. SMS codes also create unnecessary friction and along with a password doesn’t prove that the person is the authorised individual they claim to be. Fraudsters using stolen credentials looks like the genuine user.
Fraudsters are familiar with all these flaws, and without the proper controls in place, they may be just a click away from stealing from an unwitting individual. The UAE has long been attractive for hackers due to the country’s perceived wealth. Around 83% of the UAE companies are seeing an increase in cybercrime attacks through phishing, email spam, malware, etc.
However, companies can take steps to protect their business and their customers from fraudsters. To do so, they need to ask themselves and answer a series of questions when looking at the authentication process to make sure that they know who they are interacting with beyond doubt.
Is the session secure?
This is the first question security leaders should ask themselves, even before looking into a user’s identity. There are instances where scammers use man-in-the-middle attacks to gather information from unsuspecting users through an unsecured website.
By tracking unusual traffic, businesses can detect compromised sessions and secure a user’s digital identity before it’s too late.
Are you engaging with a real human?
Once a session is secure, companies must ask “am I engaging with a real human?” to ensure the user is not a bot.
When someone hears “bot” it’s rarely associated with something good. In the past, bots have made headlines by altering consumers’ perception of the media and even competing with humans. Currently, bot use accounts for 64% of Internet traffic, 39% of which is made up of malicious bots that read information and perform malicious activities.
These bad bots may be engineered to conduct a reverse brute force attack that utilizes stolen information from a data breach, and forces millions of login and password combinations into the system until a match is found. Instead of relying on a CAPTCHA to confirm whether users are human, companies can use behavioural biometrics to passively determine if someone’s physical interactions with a device align with human characteristics.
To read more exclusive features and latest news please see our March issue here.
Media contact
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922
Email: editor@securitybuyer.com