By Tom Potterf | Posted on October 16, 2013
Protecting against online crime and fraud in an interconnected, cross-device world is more challenging than ever for companies that transact valuable assets with other companies over the internet, sell products or information through a web application, or operate under regulatory compliance mandates.
Online criminals are using increasingly sophisticated techniques to gain access to valuable assets, and securing against these threats doesn’t end at protecting the front door. It requires layered defenses and shared security intelligence that look well beyond IP address and geolocation, and that do not rely on the antivirus software running on customers’ machines.
With Janrain, organizations can let users register and sign in using the identities they have already established with Facebook, Google, and Yahoo!, and so benefit from those identity providers’ existing security measures.
For organizations that require deeper levels of security, there are additional strategies that can be deployed to protect the business and customers from online crime and fraud, including two-factor authentication, threat detection, and fraud detection.
One-factor authentication involves something a user knows, typically a password. Passwords can be a secure method provided customers create strong ones and change them frequently, but that approach creates its own set of problems. And even the strongest password can be intercepted and captured through a variety of methods. One-time passwords limit the damage of a captured password, since each one is valid only once and only for a short time, and so strengthen the one-factor method.
Two-factor authentication adds something the user has to something the user knows, which significantly improves authentication security. Customers are already familiar with this method: whenever you visit an ATM you are using two-factor authentication, inserting your bank card (the thing you have) and entering your PIN (the thing you know).
Online, two-factor authentication can involve a digital certificate (for example when connecting to a VPN), a physical token, or a tokenless approach in which customers authenticate by scanning a QR code on the website with an app on their verified mobile device.
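The following is an added example (not Janrain code) of what the two factors look like when a server checks them: a salted password hash for the thing the user knows, and a time-based one-time password (HOTP per RFC 4226, TOTP per RFC 6238, HMAC-SHA1, 30-second step, 6 digits) for the thing the user has, namely the phone that generates the code. The `login` function, the sample account and the password are constructed for the illustration; the TOTP secret is the RFC 4226/6238 test key, and a real enrolment would generate a random 20-byte secret and hand it to the phone app as base32. The verifier tolerates one step of clock drift on either side but refuses any code for a step at or before the last accepted one, so a code captured from a user cannot simply be replayed.

```python
"""Two-factor login check: password (something known) + TOTP (something had).

Added example, not Janrain code. HOTP follows RFC 4226 and TOTP follows
RFC 6238 (HMAC-SHA1, 30-second step, 6 digits).
"""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30
DIGITS = 6
PBKDF2_ROUNDS = 200_000


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, digits=DIGITS, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, last_counter=-1, skew=1):
    """Accept a code for the current step or +/- `skew` neighbouring steps
    (clock drift), but never for a step at or before the last accepted one,
    so an intercepted code cannot be replayed. Returns the accepted step
    counter, or None."""
    current = unix_time // STEP_SECONDS
    for counter in range(current - skew, current + skew + 1):
        if counter <= last_counter:
            continue
        # constant-time comparison: do not leak how many digits matched
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def login(user, password, code, unix_time):
    """Both factors must pass. Returns (status, user) where status is one of
    "ok", "bad_password", "bad_code"; on success the returned user record
    carries the advanced last_counter, which the caller must persist."""
    if not verify_password(password, user["salt"], user["pw_digest"]):
        return "bad_password", user
    counter = verify_totp(user["totp_secret"], code, unix_time, user["last_counter"])
    if counter is None:
        return "bad_code", user  # wrong, outside the drift window, or replayed
    return "ok", dict(user, last_counter=counter)


# Constructed sample account (hypothetical). Fixed salt only so the example
# is reproducible; hash_password() picks a random salt when none is given.
_salt, _digest = hash_password("correct horse battery staple", salt=b"\x00" * 16)
SAMPLE_USER = {
    "name": "alice",
    "salt": _salt,
    "pw_digest": _digest,
    "totp_secret": b"12345678901234567890",  # RFC 4226/6238 test key
    "last_counter": -1,
}

if __name__ == "__main__":
    now = 59  # RFC 6238 test time: step counter 1
    code = totp(SAMPLE_USER["totp_secret"], now)
    status, updated = login(SAMPLE_USER, "correct horse battery staple", code, now)
    print(code, status, updated["last_counter"])
    # the same code presented again is refused as a replay
    print(login(updated, "correct horse battery staple", code, now)[0])
```

The replay check is the part most home-grown TOTP verifiers leave out: without `last_counter`, an attacker who phishes a password and a single code has up to 90 seconds (with a one-step skew) to use them, which is ample for an automated relay.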
Depending on the needs of the organization, security threats can be detected and risks mitigated through a variety of methods.
Device identification helps organizations validate returning customers for online access and transaction requests by detecting device attributes and anomalies. If a device appears to have been compromised, or its attributes do not match those of the returning customer’s known devices, risk mitigation actions can be taken based on the requirements of the organization and the type of transaction.
Threat detection also involves the ability to detect, assess, and act on desktop, laptop, and mobile devices that have been compromised. Examples include devices enrolled in botnets that hide behind IP-masking proxies and VPNs; malware or OS-level rootkits surreptitiously installed on poorly protected customer devices; and man-in-the-middle attacks that intercept sessions and inject new messages posing as authentic business transactions in order to hijack authentication keys and obtain other personal data.
This data can also be aggregated with other transactional data to build more accurate risk assessments for all kinds of application requests.
Sophisticated fraud detection methods build behavioral profiles from past user behavior and compare each new visitor against them to determine whether visitors are who they say they are.
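The device-identification, threat-detection and behavioral-profiling ideas above come together in a risk score. The following added example (not Janrain code; the login history, the proxy exit list, the attribute weights and the thresholds are all constructed for the illustration and would be tuned from real fraud data) builds a profile of a returning customer from past logins and scores a new request on unseen device, unseen country, unusual hour, a known proxy/VPN exit address, and impossible travel relative to the previous login. The score then drives a tiered mitigation: allow, step up to a second factor, or block.

```python
"""Device- and behaviour-based risk assessment of a login request.

Added illustration, not Janrain code. The profile is derived from a user's
past logins; the weights, thresholds and proxy list are invented for the
example (they are not from any product) and would be tuned from fraud data.
"""
from collections import Counter
from datetime import datetime

# Constructed login history for one customer (ISO-8601 timestamps, UTC).
HISTORY = [
    {"ts": "2013-10-01T09:12:00", "device": "d-1a2b", "country": "US", "ip": "203.0.113.10"},
    {"ts": "2013-10-04T08:47:00", "device": "d-1a2b", "country": "US", "ip": "203.0.113.10"},
    {"ts": "2013-10-09T19:05:00", "device": "m-77c0", "country": "US", "ip": "198.51.100.8"},
    {"ts": "2013-10-15T09:00:00", "device": "d-1a2b", "country": "US", "ip": "203.0.113.10"},
]

# Constructed list of exit addresses of anonymising proxies / VPNs (hypothetical).
KNOWN_PROXY_IPS = frozenset({"192.0.2.77"})

ALLOW_BELOW = 30                  # score thresholds (illustrative)
BLOCK_FROM = 70
IMPOSSIBLE_TRAVEL_SECONDS = 2 * 3600


def build_profile(events):
    """What we know about a returning customer: devices seen, the countries
    and hours of day they usually log in from, and their most recent login."""
    events = sorted(events, key=lambda e: e["ts"])
    return {
        "devices": {e["device"] for e in events},
        "countries": Counter(e["country"] for e in events),
        "hours": Counter(datetime.fromisoformat(e["ts"]).hour for e in events),
        "last": events[-1] if events else None,
    }


def score_login(profile, event, proxy_ips=KNOWN_PROXY_IPS):
    """Return (score, reasons). Each anomaly adds an illustrative weight."""
    score, reasons = 0, []
    when = datetime.fromisoformat(event["ts"])
    if event["device"] not in profile["devices"]:
        score += 40
        reasons.append("unseen device")
    if event["country"] not in profile["countries"]:
        score += 30
        reasons.append("unseen country")
    if profile["hours"][when.hour] == 0:
        score += 10
        reasons.append("unusual hour of day")
    if event["ip"] in proxy_ips:
        score += 25
        reasons.append("known proxy/VPN exit address")
    last = profile["last"]
    if last is not None and last["country"] != event["country"]:
        elapsed = (when - datetime.fromisoformat(last["ts"])).total_seconds()
        if 0 <= elapsed < IMPOSSIBLE_TRAVEL_SECONDS:
            score += 50
            reasons.append("impossible travel since last login")
    return score, reasons


def decide(score):
    """Tiered mitigation: low risk passes, medium risk must present a second
    factor, high risk is refused and handed to review."""
    if score < ALLOW_BELOW:
        return "allow"
    if score < BLOCK_FROM:
        return "step_up"
    return "block"


def assess(history, event, proxy_ips=KNOWN_PROXY_IPS):
    score, reasons = score_login(build_profile(history), event, proxy_ips)
    return decide(score), score, reasons


if __name__ == "__main__":
    # Constructed requests: a routine login, and one that looks like a
    # stolen session replayed through a VPN from another country.
    routine = {"ts": "2013-10-15T09:30:00", "device": "d-1a2b", "country": "US", "ip": "203.0.113.10"}
    suspect = {"ts": "2013-10-15T09:45:00", "device": "x-9f9f", "country": "RO", "ip": "192.0.2.77"}
    print(assess(HISTORY, routine))
    print(assess(HISTORY, suspect))
```

The reasons list matters as much as the score: it is what an analyst sees when the customer disputes a block, and it is what lets the organization tune one weight without re-deriving the whole model.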
People’s social behaviors across social networks create a unique and hard-to-replicate signature, which is a powerful way to assert an authentic online identity. When a new user registers through social registration or a form, your site queries a third-party provider that computes an authenticity score; based on that score the registration is verified, sequestered for review, or rejected.
Through social login, organizations can rely on the top identity providers’ identity verification methods, systems, and full-time security teams. Enabling account creation through a major player like Facebook, Google, or Yahoo! therefore brings substantial privacy and security advantages.