Industry talking to customers What's this? How Multifactor Authentication Can Help Combat Cybercrime Published: October 19th, 2016 By: IT World Canada Staff The digital era is in full swing and there’s no denying that it has made our daily lives infinitely easier. As businesses and individual consumers conduct more and more transactions online, criminals have been quick to exploit this trend. The abundance of publicly available information available online has made it much easier for cybercriminals to gain access to the online accounts of both businesses and consumers. For example, it is not uncommon to find the answers to commonly used “personal” security questions (e.g. “What is the name of your first employer?” or “What is the name of your high school?”) on social media channels such as Facebook or LinkedIn.Password Technology is Making Cybercrime EasierAlthough 8 out of 10 mobile users do their banking using their smartphones, a large percentage of online transactions are still completed on laptops. In fact, 72.5 percent of online transactions were completed using laptops in 2015 – smartphones only accounted for 16 percent of online transactions, and tablets accounted for 11.5 percent. The overwhelming majority of online service providers rely on ‘user name and password’ combinations to recognize an account owner who they have established relationship with. When a correct combination of a user name and password is entered, the account owner is authenticated, and given access to whatever they are entitled access to. With its inherent weaknesses, the ‘user name and password’ authentication method has become the target of two out of every three cyberattacks. . Simply put, any account that relies on ‘username and password’ for account access faces a high degree of risk of being compromised. This makes switching to a higher level of secured access for both online service providers, and consumers, extremely critical. The increase in cybercrime has given rise to a norm of forcing periodic password changes and demanding increasingly complex passwords. These changes could include things like increasing password length, using a combination of upper / lower case letters, special characters and numbers, making it more and more difficult for legitimate users to remember their passwords and get access to their information. Increased password complexity has resulted in many users using the same password for multiple accounts online. While this may make things easier to manage for users, it also makes it much easier for cybercriminals to gain access to several accounts, once they have hacked their way into one. An alarming 63 percent of account breaches occur due to lost, weak or stolen credentials. Victimized consumers have to spend a lot of time and effort to get their finances and accounts reinstated, a process that might take several months in cases of major identity theft. In many cases, the emotional turmoil and monetary loss simply become the victim’s burden to bear. On average, a business spends $1 million recovering from a successful cyberattack. In most cases, it is businesses that bear the risk and liability of fraudulent transactions. The mounting losses of companies that have succumbed to account takeovers runs into the billions, underscoring the importance of a new, more secure way of approaching online authentication. Multi-factor Authentication is the Way to GoFinancial Institutions have taken great steps to combat in-person fraud. The implementation of ’Chip and PIN’ technology on debit and credit cards has proven to be a fantastic way of decreasing banking fraud and identity theft. Prior to the implementation of ‘Chip and PIN’, it was the norm that possession of a bank card alone was enough in order to be able to use it. Banks quickly recognized the weaknesses of a single factor of authentication (i.e. “something you have” in this case) and decided to work together to roll out more secure methods across Canada. The simple implementation of the concept of ‘multifactor’ authentication involves something you have (i.e. your bank card) and something you know (i.e. your PIN) has reduced in-person transaction fraud by nearly 90 percent. However, it has also resulted in a shift to online transaction fraud where multifactor authentication is not yet available in any significant scale. Additionally, the focus has mainly been on safeguarding transactions of a tangible financial value and not towards safeguarding personal information, which in many cases may be invaluable.Multifactor authentication is becoming more popular to get access to online websites and is clearly a step in the right direction. There are many implementations of the additional factor of authentication including scanning a fingerprint, entering a one-time passcode (typically sent via SMS), answering a security question, or using a USB hardware token. However, even the most popular of these, the one-time passcode, which is used extensively by a number of major web properties, has already proved to be vulnerable to cybercrime. It is for this reason that the U.S. National Institute of Standards and Technology (NIST) is now poised to ban the use of SMS-based two-factor authentication codes for services that plug into government IT systems.While adding even one more factor improves security dramatically, it often comes with an equally dramatic negative impact on user convenience. The more authentication factors a user needs to meet to access information and prove who they are, the more inconvenient it becomes for them.TELUS Bridges the Gap between Security and Convenience TELUS understands the importance of utilizing multifactor authentication to improve security. Equally important, is the need to make authentication more convenient for business and consumer users. TELUS will be the first carrier in Canada to pilot Mobile Connect, a simple, smartphone-based authentication solution that is designed to be deployed by a variety of online service providers that value security and customer convenience, such as financial institutions, governments, healthcare service providers, utilities, insurance companies, etc. Mobile Connect, combines the increased security of multifactor authentication with a focus on ease of use and customer convenience. The simple authentication experience is similar to a two-factor system, but utilizes mobile network intelligence as a third authentication factor. Our goal is to enable every Canadian to use their smartphone to access their favorite online services safely, securely and conveniently.Intrigued? Keep watching this space! Next week will be inviting TELUS subscribers to participate in a pilot test of Mobile Connect, a new way of accessing popular online services, starting with TELUS My Account. Don’t let cybercrime ruin your online experience, and your identity. Take control of your digital life.This article is one in a series sponsored by TELUS to provide advice and expertise on digital identity management for organizations. For more information, please email DigitalIdentity@telus.com.