Crime and security are here to stay. The ‘Have-Nots’ look with longing eyes at the assets of the ‘Haves’. Technology has made the world smaller and the transgressors can be continents away. By default this means that security is an ever increasingly important requirement. Much as they despise each other, security and crime are shackled at the ankles.
Security wouldn’t exist without crime and crime exists by getting around security. And like it or not, they have a lot in common. Security and its nemesis are built on the same value/effort model. Anyone committing to more security is faced with the question: does the value outweigh the effort (the time and money involved)? Anyone committing a crime is faced with the same question, only the criminal also needs to add risk to the ‘effort’ side of the equation. In the end, the equation works the same way for both: The more valuable a crime, the more effort is spent committing it. The more valuable an asset, the more effort is spent protecting it.
Security and crime’s interconnected existence has another interesting aspect to it. In today’s world, security is the child of technology. And the more technology – and therefore security – advances, the more crime evolves. In part, crime’s evolution is pure necessity: as technology breeds better security, crime must evolve to keep ahead. But there’s an added irony: technology’s advancement also provides increasingly more opportunities for criminal activity. Thanks to technology, certain types of crime that previously involved high effort for low value now offer high value for low effort. A perfect example is the theft of money from bank accounts. Ever since the arrival of online banking, this crime has been far easier to commit than physically storming the bank branch with automatic weapons.
In the past, stealing money from someone’s bank account using technology was a difficult, expensive and risky endeavour. It was possible, but not really worth the effort when weighed against a number of obstacles:
- not being able to easily obtain access to a customer’s account; and
- not knowing the crime’s value, i.e. the amount in the victim’s bank account.
But today, technology gives criminals a way around these obstacles: online banking. Crime’s answer is a genre of fraud called “social engineering”, whose main tactic is known as “phishing”. By masquerading as a valid online website, a criminal can steal the “keys” to a person’s bank account by copying the username and password. Even if the ruse only works on a small percentage of customers (current research says it works with around 2.5% of all attempts), the criminal can get away with millions; and when 10,000 people give you their pins and passwords, it negates the need to know what’s in each bank account. On the ‘effort’ side of the equation, phishing involves relatively little risk (your identity and location can be hidden), and costs relatively little time and money.
It’s therefore unsurprising that phishing has grown dramatically in the last 18 months, fast emerging as a popular low-effort high-value crime – especially in the banking sector. And considering crime and security’s interrelated nature, it’s also no surprise that online security is mounting a counterattack. Interestingly, the weakest link isn’t technological. It’s human. Phishing preys on human characteristics, like trust. We trust that the email which says it’s from our bank is from our bank and that the website we log onto belongs to the bank – and happily ‘reveal’ our pins and passwords. Even with multitudes of warnings about fake websites, people are still getting caught every day – hook, line and sinker.
For banks, the risks are too high to let this trend continue. They’ve finally had to admit that ‘First Factor Authentication’ – pins and passwords – isn’t enough. Criminals are getting the better of the system and it simply has to be improved. Which means strengthening the weakest link: us.
Enter ‘Second Factor Authentication’ – an extra layer of security wrapped around the first that negates the human factor by introducing a physical device. While First Factor Authentication is still in place, secure access can only be initiated by first using the physical device to authenticate your identity. The device can take a number of forms, such as:
- a mobile phone (to which a use-once pin is sent);
- a plug-in USB device (with a specific key); or
- a software package (with a specific key).
Second Factor Authentication eliminates the risk posed by the human factor: even if we unwittingly reveal our pin and password to a criminal in a phishing attack, the information is rendered useless. Since the device has to be present when the pin and password are entered, the power has been wrested away from the phisher and handed back to the bank and its customer. Criminals now find themselves back at Square One: to rob a person’s bank account, the physical device needs to be stolen or replicated, weighing heavily on the ‘effort’ side of the effort/value equation.
So now, banks are increasing their security and therefore the effort needed to steal from them via the Internet: online security is a step ahead of crime. The question is, how big is that step? Security improvements are technologically born, and time has shown that for every evolution in technology, there’s an evolution in crime. While Second Factor Authentication may well slow online theft in the short-term, hindsight says it’s just a matter of time before crime evolves a way of getting around it. And what then? Third Factor Authentication?
Wrapping new layers of security around the old ones is a Russian doll solution that becomes more and more inconvenient for the customer with every layer added. If online banking is to break free from the shackles of crime and remain a viable tool in the future, we need to take more than another step – a quantum leap is required. A completely new way of solving online authentication that makes it difficult for crime to catch up – or at the very least heavily increases the effort for criminals and radically reduces the value of the crime.