By Steven Hope, CEO and co-founder of Authlogics
Picture this: your customer receives a phone call from a person claiming to be from your bank with an urgent account issue. The person on the phone alleges that your customer is locked out of their account or has made a suspicious bank transfer and must answer some security questions to remediate the issue. But how can your customer know whether this is a legitimate phone call or another social engineering scam? Most of the time it is almost impossible to tell the difference before it is too late. Under pressure and feeling panicked, many would give up their information without question and, if the caller does turn out to be a scammer, it could result in financial loss for both your customer and your company, along with reputational damage and a loss of trust. There is, however, a way to ensure that a customer can trust the caller with complete confidence, known as a two-way identification process. This gives both the caller and the recipient certainty of each other's valid identity.
Sometimes it is the simplest attack that causes the most damage. We have all seen attackers launch massive ransomware attacks using a simple phishing link. While an attacker may use a novel, ingenious technical method to compromise a network, the reality is that the most effective cybercrime campaigns are often the ones which exploit a vulnerability we have all left unpatched: human psychology. Using phone calls and social media, these attackers trick people into handing over access to sensitive information, often specifically targeting banks and their customers because of the potential financial gain. While identity theft and fraud have been around for a long time, the frequency and success of these attacks have steadily increased, as has the media interest associated with them.
It has become critical to protect user data housed within IT systems. Legislation such as GDPR means that the penalties could be severe should any type of customer data be compromised, not to mention the repercussions individuals and companies could face. To conform with data protection legislation and to protect business interests, corporations must take steps to ensure that a client's identity is verified during all phone calls and online communication. There is, of course, also the matter of the legitimate reasons for which your bank may contact you. For example, it may have detected fraudulent or suspicious activity on one of your accounts. These legitimate calls will ask you for the same information that a social engineer would attempt to draw out, and the employee working for the institution could still be acting as a social engineer independently. So how can we appropriately verify the legitimacy of an inbound call, when the murky world of social engineering has eroded the trust relationship between account holder and institution?
To solve this problem, we need a mechanism that allows both parties to verify that they are who they say they are. This must be done in a way that does not allow a bad actor to simply replay the exchanged information at a later date. A solution should also be easy to implement and provide easy access for the customer. Since customers are more concerned with the level of service and call time than with security, any solution must also be straightforward to use.
One such mechanism is a system of two-way pattern-based authentication. These systems allow users to generate one-time codes from a pattern applied to a grid of numbers. Psychologically, humans are far better at remembering shapes and patterns than arbitrary text, such as a password. The pattern itself remains known only to the user, and the numbers on the grid change every minute, meaning that the ability of social engineers to defeat these patterns is significantly reduced.
Another benefit is that these patterns do not necessarily require an application or other technology. For instance, a grid could be printed on a bank statement or utility bill. A customer does not need an app installed on a mobile phone or a plastic token to hand in order to provide their one-time code. Therefore, those who do not have access to such technology, the elderly or vulnerable for instance, are able to reap the benefits too, which is of particular importance as these are the demographics most likely to be targeted in a social engineering attack.
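The following is an added illustration of the mechanism described in the three paragraphs above (a time-varying grid of digits, a memorised pattern that selects cells from it, and a two-way exchange that resists replay). It is example code written for this page, not Authlogics' product or any published scheme; the grid derivation (HMAC-SHA256 over a shared secret and a one-minute time step, with rejection sampling to keep the digits unbiased), the 6x6 grid size, the cell patterns, the ±1-step acceptance window and the names used are all assumptions chosen here.

```python
import hashlib
import hmac
import time

GRID_SIZE = 6          # assumed: a 6x6 grid of digits
STEP_SECONDS = 60      # the grid changes every minute


def derive_grid(secret: bytes, step: int, size: int = GRID_SIZE) -> list:
    """Derive the grid of digits for one time step from a shared secret.

    Both sides (institution and customer) derive the same grid for the same
    minute, so a grid printed on a statement is simply the grids for a range
    of future steps. Digits are drawn by rejection sampling so that each of
    0-9 is equally likely (byte values 250-255 are discarded).
    """
    digits = []
    counter = 0
    while len(digits) < size * size:
        msg = step.to_bytes(8, "big") + counter.to_bytes(4, "big")
        for b in hmac.new(secret, msg, hashlib.sha256).digest():
            if b < 250:
                digits.append(b % 10)
        counter += 1
    digits = digits[: size * size]
    return [digits[r * size:(r + 1) * size] for r in range(size)]


def read_code(grid: list, pattern: list) -> str:
    """Read a one-time code by walking the pattern's (row, col) cells in order."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def current_step(now: float = None) -> int:
    return int((time.time() if now is None else now) // STEP_SECONDS)


class Party:
    """One side of the call: holds the shared secret and the known patterns.

    `patterns` maps a role ("bank" or "customer") to that role's secret
    pattern. The bank proves itself with its pattern first, then the
    customer answers with theirs, so each side verifies the other.
    """

    def __init__(self, secret: bytes, patterns: dict, window: int = 1):
        self.secret = secret
        self.patterns = patterns
        self.window = window          # accept codes from step-1 .. step+1
        self.used = set()             # (role, step) pairs already accepted

    def code_for(self, role: str, step: int) -> str:
        return read_code(derive_grid(self.secret, step), self.patterns[role])

    def verify(self, role: str, code: str, step: int) -> bool:
        """Accept a code only if it matches the current window and is unused."""
        for s in range(step - self.window, step + self.window + 1):
            if hmac.compare_digest(self.code_for(role, s), code):
                if (role, s) in self.used:
                    return False      # replay of a code already spent
                self.used.add((role, s))
                return True
        return False


def two_way_call(bank: Party, customer: Party, step: int) -> bool:
    """Mutual verification: bank speaks first, customer answers second."""
    if not customer.verify("bank", bank.code_for("bank", step), step):
        return False                  # caller could not prove it is the bank
    return bank.verify("customer", customer.code_for("customer", step), step)


# Constructed sample values for a stand-alone run (not real credentials).
SECRET = b"example-shared-secret-for-this-customer"
PATTERNS = {
    "bank": [(0, 0), (0, 1), (0, 2), (0, 3)],          # top row
    "customer": [(0, 0), (1, 1), (2, 2), (3, 3), (4, 4), (5, 5)],  # diagonal
}

if __name__ == "__main__":
    step = current_step()
    ok = two_way_call(Party(SECRET, PATTERNS), Party(SECRET, PATTERNS), step)
    print("mutual verification succeeded:", ok)
```

Two properties of the page's argument show up directly: a caller who has only overheard last minute's code fails `verify` because the grid has moved on and the (role, step) pair is already spent, and a caller who holds the printed grid but not the memorised pattern cannot produce the code for a new minute at all.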
Social engineering often bypasses even the best security systems by exploiting human nature. An effective strategy must rely on information known only to the relevant parties, and that information must not be divulged as part of establishing mutual trust. While this does not make for a completely risk-free authentication process, it does disarm the human psychology factor, which has become the social engineer's greatest tactic.