Non-repudiation: the buzzword that should be on every company's mind

Biometrics must be used at log-in, and also to authenticate transactions identified by the company as material, says Nick Perkins, division director: Identity Management at Bytes.

Nick Perkins divisional director identity management solutions Bytes Systems Integration

Most fraud is committed by a company's own employees; the old cliché, "It must have been an inside job," is right on the mark. Non-repudiation is the buzzword for security systems that discourage such practices and that, if a fraud is committed, enable companies to pinpoint without any doubt the employee who committed it.

PwC's most recent biennial global economic crime survey[1] shows that South Africa has the second-highest rate of reported fraud, just behind Kenya. The survey also shows that asset misappropriation (72%), accounting fraud (24%) and bribery and corruption (24%) remain the most common types of fraud. The first two, it should be noted, are largely the preserve of insiders.

"The key defence against fraud perpetrated by insiders is first of all to establish that the employee's identity is real - is Sipho Khumalo actually Sipho Khumalo or somebody assuming that identity? - and then to be able to link each material transaction to a specific employee in such a way that his or her responsibility cannot be repudiated," explains Nick Perkins, division director: Identity Management at Bytes.

"Having such a system in place won't prevent fraud, but it will certainly discourage it. It will also give companies the confidence to pursue the fraudster through the courts or, at the very least, to be able to discharge them summarily. In industry jargon, this is 'non-repudiation' - creating a link between an individual and a transaction that cannot be queried."

Perkins says non-repudiation falls into two parts. First of all, an individual's identity must be authenticated, usually against the Home Affairs fingerprint database and typically during the hiring process. Once that is done, it's possible to use other databases to check whether that individual has any history that the company should be aware of, such as a criminal record.

"Most companies are fairly conscientious about this aspect, but the security starts to fall down when it comes to the audit trail of each employee's transactions on company systems," he says.

The real trouble here is that most companies rely on two authentication approaches that are relatively easy to circumvent. These are based on "what you have", for example a card, or on "what you have and what you know", for example a card plus a PIN. While the latter is more secure than the former, experience shows that both are open to abuse. The only secure way to link a specific transaction to a specific person is via an object, a PIN and a biometric identifier.

In practice, it is virtually impossible to prove beyond doubt that a transaction authenticated by an object, or by an object plus a PIN, was performed by a specific person. It is always possible to argue that somebody else stole the card and/or found out the PIN.

The answer, Perkins says, is to use biometrics not only at log-in, but also to authenticate transactions identified by the company as material. In such cases, the individual responsible for the suspect transaction can be accurately identified beyond doubt - true non-repudiation.
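As an added illustration (not Bytes' product and not code from the article), the following assumed design enforces the tiered requirement described above: routine transactions need card plus PIN, while transactions above a materiality threshold also need a verified biometric, and every decision is written as a keyed-MAC audit record so the trail itself cannot be altered after the fact. The threshold, signing key and employee IDs are constructed values.

```python
"""Tiered transaction authorisation with a tamper-evident audit trail.
Assumed design (not Bytes' product): a session records which factors were
verified; material transactions require possession + knowledge + biometric."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed values: materiality threshold and the audit-log MAC key.
MATERIAL_THRESHOLD = 10_000.00
AUDIT_KEY = b"constructed-audit-log-key-keep-in-an-HSM"


@dataclass
class Session:
    employee_id: str
    # subset of {"possession", "knowledge", "biometric"} verified this session
    factors: set = field(default_factory=set)


def required_factors(amount: float) -> set:
    """Card + PIN for routine amounts; all three factors for material ones."""
    base = {"possession", "knowledge"}
    return base | {"biometric"} if amount >= MATERIAL_THRESHOLD else base


def authorise(session: Session, txn_id: str, amount: float, when: str = "") -> dict:
    """Decide the transaction and return a MAC-protected audit record."""
    needed = required_factors(amount)
    missing = sorted(needed - session.factors)
    record = {
        "txn_id": txn_id,
        "employee_id": session.employee_id,
        "amount": amount,
        "material": amount >= MATERIAL_THRESHOLD,
        "factors_verified": sorted(session.factors & needed),
        "approved": not missing,
        "missing_factors": missing,
        # Only a biometric-backed approval binds the act to a person, not a card.
        "non_repudiable": not missing and "biometric" in session.factors,
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
    }
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    record["mac"] = hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()
    return record


def verify_record(record: dict) -> bool:
    """Recompute the MAC; a trail entry edited after the fact fails this check."""
    body = {k: v for k, v in record.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["mac"])
```

A real deployment would keep the MAC key out of the application host and would also record the authenticator's own evidence (template match score, device identifier) rather than a bare factor name.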

"As incidences of internal fraud continue to rise, expect to hear 'non-repudiation' in corporate corridors more and more frequently," Perkins notes. "While it's particularly focused on internal fraud, financial institutions, for example, are beginning to use it in certain cases to establish contracts with customers that cannot be repudiated. A person's identity has always been important on a number of fronts - now it's becoming a business issue of key importance."

[1] Cybercrime: protecting against the growing threat. Global Economic Crime Survey (November 2011), available at

Bytes Systems Integration ("Bytes SI")

Bytes SI, A Division of Bytes Technology Group SA (Pty) Ltd, is a company that designs, implements and operationally manages customised ICT infrastructural services and solutions, through the integration of hardware and software systems from global technology leaders.

These services include end-to-end I.T. outsourcing, high-tech multimedia and social media contact centres, Internet Protocol (IP) voice, radio, unified and mobile communications, structured cabling, LAN-WAN data solutions (BytesNet), Biometric and Identity Management solutions. Increasingly, BytesNet has become a leader in innovative cloud-based solutions to both national and international customers.

Bytes SI's workforce management division offers time and attendance solutions, access control, overtime costs, leave and absenteeism management, biometric authentication, turnstiles and booms. Its indirect labour management solutions include CCTV and intelligent building management. Kronos, the global leader in delivering workforce management solutions in the cloud, is distributed by this business unit.

Global technology leaders represented by Bytes SI include Alcatel-Lucent, Bluecoat, Checkpoint, Cisco, DataVoice, Dell, Exinda, F5, FrontRange, Genesys, HP, IBM, Juniper, Kronos, Microsoft, NetApp, Riverbed, Schneider, Symantec and VMWare.

Editorial contacts
Communikay, Karen Heydenrych, (083) 302
Bytes Systems Integration, Lise West, (011) 205