Tackling identity fraud on your customer’s behalf
by: Peter Tippett
Many corporate IT security professionals throw up their hands suggesting that there is little that can be done by corporations to reduce the risk of phishing and identity fraud perpetrated directly against their consumers. But actually the visibility that identity fraud, phishing and direct end-user attacks brings allows for forward-thinking organisations to both significantly assist their consumers / users, and to get market value and positive customer recognition for taking steps to “take care” of their customer.
|The various risks related to Identity Management, Identity fraud, identity theft, phishing, etc. are the most rapidly growing and most recently visible to consumers and businesses alike. I spoke with a representative of over 6,000 small & medium banks and credit unions who told me the number one information security issue on the minds of senior executives at those organisations is identity theft and specifically phishing. He thought it the number one top of mind issue even though only a few dozen of the organisations or their customers had actually been targeted in a phishing attack for example. Many of the successful attack vectors focus on attacks against the consumer – through viruses, worms, Trojan horse software, back-door programs, keystroke loggers, and bots. Bots alone have “infected” millions of home computers using them both to steal account and personal identifying information, and to obscure the attacks against others by relaying the various stages of the attacks across and through millions of innocent, but compromised home user’s computers.
Many corporate IT security professionals throw up their hands suggesting that there is little that can be done by corporations to reduce the risk of phishing and identity fraud perpetrated directly against their consumers. But actually the visibility that identity fraud, phishing and direct end-user attacks brings allows for forward-thinking organisations to both significantly assist their consumers / users, and to get market value and positive customer recognition for taking steps to “take care” of their customer. Taking these steps brings both higher customer perception of value, and reduced risk to both the corporation and to its clients. Where it is feasible and cost effective, it even makes sense for an organisation like a bank to extend its “trust” message by implementing and potentially providing it’s on-line customers with mechanisms and countermeasures that reduce risk not only when doing business with your organisation, but also when those customers are using their computer for other purposes.
As with any computer security problem a suite of a dozen or more complementary (Cybertrust calls them “synergistic”) approaches are usually both less expensive and more powerful than looking for one or a few very powerful countermeasures. This is even more true when working to protect customer-directed attacks because of the indirect nature of the countermeasures that can be deployed.
And as you deploy countermeasures to benefit you and your customer from identity fraud and related attacks, you should, as always, focus on those countermeasures that provide some measurable risk-reduction value, and which are very inexpensive to deploy and maintain and which also improve the user experience, or at the very least, have no adverse impact on the user experience. Measures that provide small, incremental risk reduction, and which are easy, inexpensive, low maintenance and non-intrusive provide win-win value to everyone. Those which actually improve the user experience with your company also can improve the relationship between your company and your customer. Telling your customer what you are doing for them through your organisations marketing, billing and other customer touch points, can both improve the relationship and provide a valuable means to educate your customer on good security practices.
Some ideas for complementary countermeasures might include: notes in billing statements providing do’s and don’ts of safe computing. Notices of pending programs that you are deploying on your customer’s behalf. Establishing a monitoring service to watch for attacks perpetrated anywhere by anyone using any of your corporate brands.
Establishing a rapid response service that will quickly shut down any attack near its beginning, along with the infrastructure that supports the attack. Providing stickers, messages on your credit cards, magnets, or other trinkets that promote trust in your organization and tips for your users. Providing your consumers with client-side certificates to compliment your user login or PIN system. Client-side (browser) certificates have the advantage of allowing your organisation to more fundamentally identify your electronic visitors, AND can reduce the work and complexity of the consumer experience with your commerce or transaction servers. Such certificated can be invoked simply and without the usual registration and revocation fanfare associated with certificates, and can be very inexpensive, but can provide your organization increased value as well as your customers. Once deployed, you might even offer login without passwords for users who are using their usual computer to visit your site. Updating your web server certificates to kinds that are offered by Cybertrust and teaching users how to double click on the lock to double check site authenticity. Cybertrust can suggest dozens of countermeasures, programs, marketing-tie-ins, tools you or your customers may want to use, and much more.