Responsibility for spotting identity fraud should rest with business, says Bruce Schneier.
With so much money and goods changing hands on the internet, how do you know that a person is who they claim to be?
The perceived and long-held business wisdom is that data security is primarily about identity authentication. I would argue that organisations need to take responsibility, before they are forced to do so.
Online retailers demand a wide range of different ways to check up on you, from chip and pin cards to cryptic user names, passwords and CVV numbers. These are standard phrases when it comes to fraud prevention.
Yet "ID authentication" isn't even close to the current battleground in the business war on cyber crime. Chip and pin or digital signatures are just a small part of a far more complex story.
In terms of responsibility, we've seen a clear shift in recent times from customer to company. But this has not been well publicised. There's still a clear need for the customer to prove who they are. But as we increasingly use personal data online for anything from retailing, banking and paying bills to gambling, there's also a much greater need for the businesses involved to help combat fraud.
How can they do this? Intelligent ID management isn't about authentication. It's about identifying customer behaviour patterns and detecting variations to those patterns, and doing it quickly and effectively. Customers should expect to be called very quickly if a large and unusual transaction is made from their account, even if it is genuine and has passed the normal tests. Otherwise, the business is not fulfilling its responsibility.
Of course, this raises questions about privacy - and an interesting dynamic emerges. We all know how irritating it can be to receive cold calls, junk mail or spam. But if we replaced these methods of unwanted communication with those about a security situation, we would naturally welcome contact, it is faster and more direct.
Why has this come about? Interestingly, it relates back to some of our most basic instincts. We authenticate things visually. When we walk into a bank, we know it's a bank, because it has the marble pillars, smartly dressed bankers behind glass screens, and the corporate logo. So logically, when we go to a banking website, we assume it's a banking website - it has the logo, the expected menus and the correct URL. And, of course, it asks us to verify who we are.
We have not yet adjusted our basic human behaviour patterns to account for the reality that, in the virtual world, things aren't always what they seem. We're not trained to spot websites whose true origins are completely invisible. Even an expert can find it almost impossible to visually detect a fake site from the real thing.
This "man-in-the-middle" attack works with a criminal creating a fake bank website and encouraging users to visit it. A user types in their password, and the attacker in turn uses it to access the bank's real website. If done correctly, the user will never know that they aren't on the bank's website.
Then the attackers can do one of two things. They can disconnect the user and make their fraudulent transactions, or they can pass along the user's banking transactions, while making their own at the same time.
To expect the customer to detect fraudulent transactions is unfair and nonviable. Therefore, the security terrain has to shift. Identity authentication will always have its place, but businesses - for the sake of their reputation and the security of their customers - need to be talking far more about profiles of customer behaviour. The technology has progressed significantly; but it is increased action that is required.
Companies have talked about customer profiling for a while, but always in the context of how to sell more products. Unsurprisingly, the public's reaction has generally been one of disdain. How customers respond to being told businesses need to profile their behaviour for their own security will be an interesting development to watch.
- Bruce Schneier is chief technology officer of BT Counterpane.