- Stop saying “we’re too small to worry about account security.”
According to the Ponemon Institute, 55% of small business across the U.S. had some form of data breach and 53% had multiple data breaches. 50%+ is a scary number. Criminals have devised increasingly clever ways of using private data — even data that doesn’t seem particularly sensitive — and know that small companies often take shortcuts with system security. Smaller companies are targeted by data thieves, often as a result of employee or contractor mistakes; lost or stolen laptops, smart phones and storage media; and procedural mistakes. But, increasingly, bad guys are exploiting the front door of small websites — the login experience – to take over existing accounts and benefit from the added layer of trust. Detecting account takeovers requires building online models that look for anomalous behavior on a user-by-user basis.
- Don’t rely solely on usernames and passwords.
The username/password approach to security on the Web is woefully insecure and in need of updating. Passwords are breached, email addresses are stolen, phishing attacks hook the unwary, and identities are stolen. With the rise of remote hacking attempts, the interconnectedness of all our services, and the prevalence of password reuse, it’s not even your site policies that matter, but a breach on any site where one of your users might have recycled the same password. Sites need to look for behavioral risk signals that go above and beyond knowledge of the password, and need to step up to additional authentication channels like SMS or voice when risk warrants it.
- Capture and verify your user’s phone number at registration.
If you collect the user’s phone number up front, it enables all kinds of other downstream benefits like simplified password resets and emergency communications. For many enterprises that manage online accounts, help desk calls related to password resets can comprise as much as 35% of all inbound calls. If you have already captured a valid phone number upfront, businesses can simplify and automate the password-reset process by sending a verification code to the user’s phone number. Plus, if you have captured a valid mobile phone number, you can easily send out secure messages if there was ever was a data breach (notifying users to change their passwords pronto). That’s why leading web properties are now capturing and verifying phone numbers with new users as a means of establishing their mobile identity. In fact, Facebook now lets users use their phone number as their username – it’s far easier to remember and even easier to enter digits on the numeric keypad.
- Dynamically assess the risk level of users at signup and login (allow, block, or challenge with two-factor authentication).
Authentication is about more than just whether the user has the correct credentials. For years, high-security sites have performed sophisticated, real-time risk assessments to determine the appropriate authentication and permissions necessary. With the rise in account hijacking, now all sites must perform a similar assessment. The best systems analyze login and signup information in real time, looking at device, network, location, and behavioral signals to determine the riskiness of the session. Cloud-based solutions take this even further, comparing signals on your site with those of similar sites around the world. After all, legitimate users behave in predictable patterns, while malefactors stand out by their behavior.
- Automate, simplify and secure the password recovery process.
For many online web properties that manage online accounts, help desk calls related to password resets can make up as much as 35% of all inbound calls. In an effort to save costs, many sites provide automated reset capabilities, but overlook the security vulnerabilities introduced by recovery questions, form-based processes, and even email-based resets. Ensure these recovery flows are protected with the same behavioral analytics as your main login page. Moreover, rather than sending a password through insecure email notification or requiring users to call into a help desk, consider a one-time code via SMS (text) or voice message to the user.
- Restrict privileges with granular permission levels based on a user’s risk score.
After you have scored your user at signup and login, it’s important to dole out the right level of permissions based on that score. A user logging in from home may get complete access, while a questionable login from a cyber café in the Philippines may warrant a more restricted, “quarantined” experience. Make plans now for limiting access to the riskiest and most sensitive features of your site.
- Monitor suspicious behavior with real-time intelligence and alerts.
Authentication is only part of the puzzle; even if users successfully make it through the front door, sites must proactively monitor for anomalous behavior to ensure against account hijacking. Ensure systems are in place to track and analyze user behavior throughout the site, guarding against compromise, session takeover, and site vulnerabilities. In addition, ensure someone or some system is monitoring for password cracking and other suspicious attempts.
- Train customer support staff about social engineering.
Although many online companies invest in technology to thwart online fraud, many have ignored protecting their own call center. Fraudsters will often call several times to the same call center, talk to different agents, receive disparate pieces of information, and then piece them together to complete the account hijack. When they gain enough information to masquerade believably as if they were the true account holder, they call back to change the password or the shipping address. If they reach a more experienced agent who refuses to make the account changes, they simply call again to connect with a different agent, requesting the account changes again. These same social engineering tactics have been used against online retailers in an attempt to convince customer service representatives to share or change account details.
- Keep administration and maintenance time close to zero.
While some solutions require you to maintain a fraud analysis team that can devote hours and days to writing complicated rules, the complexity, cost, and latency often leave sites exposed to attack. Instead, look for systems with intelligent, learning algorithms and easy-to-code APIs to keep administration and maintenance time close to zero.
- Salt, double-salt, and add a dash of pepper to your passwords.
The first rule of handling passwords is that you should never store them in the clear. There is no good excuse for it whatsoever. Instead, what we do is “hash” the passwords using a non-invertible function. When the user supplies a password at login time, it, too, is hashed; that value is compared with the stored one. But, before you hash the passwords, you should “salt” them by adding a few bytes of random data. Just to annoy hackers and spoil their perfectly good day, you should add a variable salt, which varies for all users. Double salting passwords and storing the second salt somewhere other than the original database makes them nearly impossible to crack. By adding ‘salt’ to password hashes, sites reduce the ability of attackers to rely on previously computed lists of common passwords.
It’s time to take a more holistic approach with new tools that are now available to give your website or mobile app an upper hand in combatting fraud. It starts with shutting the front door and preventing bogus accounts from being created.