The Keys to Continuous Authentication

Fraud Analyst Describes a Stronger Security Approach

Avivah Litan

Banking institutions and other businesses must continually collect information about their online customers to ensure stronger authentication, says Avivah Litan, a fraud expert and analyst for the consultancy Gartner.

"You have to assume the criminals can get through one layer [of authentication]; they can get through two, they can even get through three," she says during this interview with Information Security Media Group [transcript below]. "But if you have multiple layers, up to five, and you're continuously authenticating that user and continuously looking at their activities against their profile, you should be in pretty good shape."

Continuous authentication relies on a number of factors, such as how often the user typically accesses an account from a mobile device or PC, how quickly he types in his username and password, and the geographic location from which he most often accesses the account, Litan says. By continuously monitoring these behaviors, organizations can substantially improve their ability to detect when an unauthorized user is trying to access, for example, a bank account, as well as determine whether an account has already been compromised, she adds.

"You're continuously trying to verify if all this looks like the person you think it should be," Litan says.

During this first part of a two-part interview, Litan discusses:

The failures of knowledge-based authentication;
Why socially engineered schemes are moving beyond phishing; and
Technologies and educational campaigns all institutions need to implement to reduce fraud losses.

In part two of this interview, Litan discusses steps organizations are taking to fight call-center fraud.

Litan recently spoke about stronger authentication techniques during a presentation at ISMG's Fraud Summit. A video of her presentation is available on ISMG's Fraud Summit page.

Litan is a recognized authority on financial fraud. She has more than 30 years of experience in the IT industry and is a Gartner Research vice president. Her areas of expertise include financial fraud; authentication; access management; identity proofing; identity theft; fraud detection and prevention applications; and other areas of information security and risk. She also covers security issues related to payment systems and PCI compliance.

Why KBA Fails

TRACY KITTEN: Avivah, based on recent research that you've conducted, you've identified significant weaknesses in standard authentication practices used for online account access. So-called knowledge-based authentication is insufficient, you say. Can you explain why KBA fails?

AVIVAH LITAN: First, let me just say that this issue of KBA failures and problems has been coming up for a few years. KBA is knowledge-based authentication based on external data, and it's a very convenient method for banks and other companies to use to prove an identity when they are conducting a high-risk transaction. So, for example, if you are cashing out an annuity as a consumer and you call the call center, the call center is going to start asking you to answer these secret questions. So it's very convenient. But for a few years now, we've been hearing complaints from our customers that the failure rate on KBA is on average 10 percent to 15 percent, and sometimes it can go as high as 30 percent.

For example, some of our healthcare insurance clients insure populations without a lot of credit history - new immigrants or students. We see the same thing in universities. We've been hearing about these high failure rates for a few years ... and when we looked into it, what we found out is that most of the failures are good people who can't answer the questions. So either there is not enough data on them because they are a new immigrant, for example, without a lot of data, or it could be that there is a typo in the credit record, or it just could be that the people who do have questions don't know what the answers are. It has happened to all of us because, for example, if you're asked where your mortgage is held, your mortgage may have been sold to three companies that you don't even know about, and you're still paying the old company when you write the check, but there is really a third company behind the scenes.