Filed Under: Identification and Authentication

Let’s take on takeover


I have a client who is looking to improve their authentication processes. I imagine they are like a lot of organisations. They have a mixed customer base – some comfortable with technology, others not. They have customers with whom they have regular contact, but many whom they only see occasionally. Often those customers forget or cannot find their passwords, PINs and other tokens. Consequently many customers end up going through a cumbersome authentication reset process every time they get in touch. Is there a better way?

Well yes, of course there is. We all have strong authentication tokens we use every day – payments cards and mobile phones. Why can’t they be used to log onto other services?

The UK government’s identity assurance programme has set out to solve this very problem. Can I be issued with a digital identity that can be federated across many services – both public and private? To date the programme has focused on public sector services but their attention is now also starting to shift towards the private sector. Actually this is really important for government – they want to be able to share the cost of digital identity with the private sector.

To this end, a series of consultation meetings is being held with relevant private sector groups:

https://identityassurance.blog.gov.uk/2015/09/30/private-sector-needs-for-identity-assurance-workshop-dates/

Getting authentication to work for consumers is a big deal. We all grapple with the frustrations of the fragmented approach to authentication every day. But it’s worse than that.

“…112% year-over-year increases in account takeover (ATO) attacks”

[From Information Age: What happens to my data once it’s stolen]

Here’s a real life example of an account takeover a friend of mine suffered recently:

From:  <Redacted>
Date: Wed, Aug 5, 2015 at 7:19 AM
Subject: Re: Follow Up
To: <Redacted>

Legit
-----Original Message-----
From: Steve Pannifer <Redacted>
To: <Redacted>
Sent: Tue, Aug 4, 2015 9:59 pm
Subject: Re: Follow Up
Hi <Redacted>,
Pretty sure this is a phishing email. You might want to double check your email hasn’t been hacked.

Cheers,
Steve

On 4 Aug 2015, at 12:23, <Redacted> wrote:
Hi
I tried several times to send the attachment using PDF but it won’t work so I am sending you the attachment using Google doc, CLICK HERE and sign in to view the attachment.
Hope it works.
Thanks!
<Redacted>

Not only was my friend’s account used to send out spam, but I also got a reply from the attacker when I challenged it. Also, my friend’s financial adviser received a well-crafted message instructing the transfer of a significant amount of funds from one of his accounts.

There are actually two issues here:

Firstly, the reason the phishing works is that when you follow the link it’s difficult to tell that the site you are visiting is fake. This is not a problem that the identity assurance programme is currently trying to solve.

Secondly, the reason phishing is done is that the passwords that are collected can then be used to log into other sites that employ weak authentication. And this is where identity assurance comes in.

I hope to see some of you at the consultation events. There is a long way to go and many unanswered questions but this is a problem we need to keep working on.
