The Password is …

Merchants need new authentication tactics to protect themselves from an epidemic of data breaches

April 2014 By Andreas Baumhof

Recent data breaches, including those at Target, Neiman Marcus, Adobe, LivingSocial and Snapchat, show that checking a password is not, by itself, an effective way to protect the systems that guard online customer account information. These are the high-profile cases, but nearly every online merchant is facing a steady stream of attacks from criminals trying to break in and steal card data and other sensitive information, and even small retailers are being targeted. Unless these businesses adopt new authentication tactics and put better controls in place, it is only a matter of time until they too become a statistic.

Studies have repeatedly shown that the most damaging and expensive cyber attacks have one thing in common: the attacker defeats the victim's authentication. Today's cybercriminals use many techniques to crack, discover or steal passwords and other login credentials. Countless victims fall to spear phishing and pharming, and thieves are adept at quietly installing malware that captures IDs and passwords.

The exact share of malware that captures login credentials is uncertain, but credential theft is a design goal of much of it, and with industry estimates putting 30 to 50 percent of PCs as infected, every online business needs to take heed. Mobile devices are not immune either: Juniper Networks' Third Annual Mobile Threats Report found that mobile malware grew by more than 600 percent over the previous 12 months.

Phishing and malware are not the only ways credentials are obtained. Employees frequently share passwords with people who should not have them, and weak passwords that are easily cracked or guessed remain common; despite all the emphasis on strong passwords, an estimated 30 percent or more of passwords are very weak. Even strong passwords are no safe harbor. Reports released over the past year have shown that skilled attackers can crack most of them. Research from Deloitte found that, with the right tools and access (typically, offline cracking of password hashes exposed in a breach), 90 percent of user-generated passwords can be recovered in a matter of seconds, including those once considered strong: at least eight characters, mixed upper and lower case, at least one symbol and at least one number.

The problem is magnified by password reuse. Multiple studies show that upwards of 50 percent of people use the same password for all or most of their accounts, including work, online merchant accounts, banking applications and social networking sites. This is dangerous for several reasons. Crime rings, for example, go after social networks and other sites with relatively weak security first. Sites without velocity checks to detect automated scripts or botnets are hammered until valid credentials are found, and once passwords are confirmed on those weaker sites, the same credentials are replayed against numerous other sites.

Armed with cracked, guessed or stolen login credentials, cybercriminals walk in through the front door. Using the normal login procedure, they directly access user and even privileged system accounts to register fake accounts, make fraudulent purchases, steal credit or debit card data, download intellectual property and disrupt information systems.

Context-Based Authentication
The vast majority of authentication systems fail for one reason: they focus entirely on evaluating login credentials, usually passwords, and make no attempt to detect an imposter who presents stolen but valid credentials.

It's clear that a new approach is needed: one that adds authentication layers to increase trust when necessary, but doesn't impact the experience of legitimate users. Most importantly, the solution needs to look at the entire picture, not just the login credentials.

With context-based authentication, the entire set of circumstances surrounding a login attempt can be evaluated. Numerous indicators and techniques are now available that detect, with a high degree of accuracy, when an imposter is attempting to gain access even with valid credentials. Imposters are challenged or denied, while legitimate users connect without friction.

Merchants can protect themselves by implementing context-based authentication, which provides a number of capabilities and benefits, including the following:

  • Device profiling that identifies the specific PC, laptop, tablet or phone, and detects the presence of malware or other threats. IP address, geolocation, language or other configuration mismatches, cookies and numerous additional risk factors are evaluated.
  • Shared global trust intelligence networks that examine a user's identity and activity, recognizing both legitimate users and threats on the basis of anonymized shared intelligence. Multiple contextual elements work together to separate trusted from untrusted login attempts: device health, history and associations with fraud, user persona and behavior, and trust associations.
  • A trust-based approach that "tags" identifying elements, such as the combination of a specific user and device, with levels of trust or distrust. This gives you advanced security and a frictionless experience for legitimate users.
  • Step-up authentication that elevates trust when necessary by invoking two-factor or out-of-band authentication.
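
The following Python is an added illustration, not code from this article or from ThreatMetrix, of how the signals listed above and the velocity check mentioned in the discussion of password reuse combine into a single decision for an attempt whose password has already checked out. Every weight, threshold, field name and sample attempt is an assumption chosen for the example; the geolocation lookup, device fingerprint and shared-intelligence feed are represented by plain inputs rather than real services.

```python
"""Context-based login evaluation (added illustration; assumptions throughout)."""
from collections import defaultdict, deque
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class LoginContext:
    user: str
    device_id: str        # hash of a client-side device fingerprint (assumed)
    ip: str
    country: str          # geolocated from ip by an upstream lookup (assumed)
    language: str         # primary Accept-Language tag sent by the browser
    cookie_present: bool  # long-lived device cookie returned by the client
    malware_signal: bool  # client-side check flagged page tampering/injection
    ts: float             # epoch seconds of the attempt


class VelocityTracker:
    """Sliding-window attempt counters keyed by any string (ip, user, ...)."""

    def __init__(self, window_s=60):
        self.window_s = window_s
        self._events = defaultdict(deque)

    def record(self, key, ts):
        q = self._events[key]
        q.append(ts)
        while ts - q[0] > self.window_s:   # drop attempts older than the window
            q.popleft()
        return len(q)                      # attempts for key inside the window


class ContextAuthenticator:
    """Scores an attempt from its whole context, not only from the password."""

    IP_RATE_LIMIT, USER_RATE_LIMIT = 20, 5  # attempts per window (assumed)
    DENY_AT, STEP_UP_AT = 60, 30            # score thresholds (assumed)

    def __init__(self):
        self.profiles = {}          # user -> country/language seen at enrolment
        self.trusted = set()        # (user, device_id) pairs tagged as trusted
        self.fraud_devices = set()  # device ids tagged by shared intelligence
        self.velocity = VelocityTracker()

    def enrol(self, user, country, language, device_id):
        self.profiles[user] = {"country": country, "language": language}
        self.trusted.add((user, device_id))

    def evaluate(self, ctx):
        """Decision for an attempt whose password already checked out."""
        hits = []  # (points, reason) pairs; positive points mean more risk
        # velocity first: automated scripts and botnets show up here
        if self.velocity.record("ip:" + ctx.ip, ctx.ts) > self.IP_RATE_LIMIT:
            hits.append((50, "ip_velocity"))
        if self.velocity.record("user:" + ctx.user, ctx.ts) > self.USER_RATE_LIMIT:
            hits.append((30, "user_velocity"))
        # device reputation and health
        if ctx.device_id in self.fraud_devices:
            hits.append((60, "device_linked_to_fraud"))
        if ctx.malware_signal:
            hits.append((50, "malware_signal"))
        # consistency with what is known about the account holder
        profile = self.profiles.get(ctx.user)
        if profile and ctx.country != profile["country"]:
            hits.append((20, "country_mismatch"))
        if profile and ctx.language != profile["language"]:
            hits.append((15, "language_mismatch"))
        # trust association between this user and this device
        if (ctx.user, ctx.device_id) in self.trusted and ctx.cookie_present:
            hits.append((-30, "trusted_device"))
        elif not ctx.cookie_present:
            hits.append((15, "unknown_device"))
        score = sum(points for points, _ in hits)
        decision = DENY if score >= self.DENY_AT else STEP_UP if score >= self.STEP_UP_AT else ALLOW
        return decision, score, [reason for _, reason in hits]

    def step_up_succeeded(self, ctx):
        """A passed 2FA/out-of-band challenge tags the (user, device) pair trusted."""
        self.trusted.add((ctx.user, ctx.device_id))


def demo():
    """Constructed attempts (not real traffic) run through the evaluator."""
    auth = ContextAuthenticator()
    auth.enrol("alice", "US", "en", "dev-alice-laptop")
    auth.fraud_devices.add("dev-burner-7")  # tagged by the (assumed) intel feed
    t0 = 1_700_000_000.0
    usual = LoginContext("alice", "dev-alice-laptop", "198.51.100.4", "US", "en", True, False, t0)
    odd = LoginContext("alice", "dev-unknown", "203.0.113.77", "RO", "ro", False, False, t0 + 5)
    again = LoginContext("alice", "dev-unknown", "203.0.113.77", "RO", "ro", True, False, t0 + 40)
    stuffing = [LoginContext(f"user{i}", f"dev-bot-{i}", "203.0.113.9", "US", "en",
                             False, False, t0 + 10 + i) for i in range(25)]
    burner = LoginContext("alice", "dev-burner-7", "198.51.100.4", "US", "en", False, False, t0 + 60)
    results = {"usual": auth.evaluate(usual), "odd": auth.evaluate(odd)}
    auth.step_up_succeeded(odd)               # alice passed the challenge
    results["again"] = auth.evaluate(again)
    results["stuffing"] = [auth.evaluate(c)[0] for c in stuffing]
    results["burner"] = auth.evaluate(burner)
    return results
```

Running demo() lets alice's usual laptop straight in, sends her new device in an unexpected country to a step-up challenge and then trusts that device once the challenge passes, denies the device the intelligence feed has tied to fraud, and denies the credential-stuffing run once one IP exceeds its per-minute budget. Two caveats matter in practice: IP, geolocation and language are cheap for a determined attacker to spoof, so they should lower trust only in combination with device and behavioral signals; and a per-IP velocity check is blind to a botnet that spreads attempts across thousands of addresses, which is exactly where device tagging and shared intelligence earn their keep. Tune the weights against real traffic, and note that a false positive here costs a legitimate user a second factor, not a lockout.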

In light of the countless recent high-profile data breaches — and more certain to come — businesses must be more cautious than ever and implement effective authentication procedures that do more than just evaluate login credentials. The entire context surrounding each login attempt must be analyzed to detect and stop imposters, even if they have valid credentials.

Andreas Baumhof is the chief technology officer at ThreatMetrix, a provider of integrated cybercrime prevention solutions. Andreas can be reached at abaumhof@threatmetrix.com