Non-repudiation: the buzzword that should be on every company's mind
Biometrics must be used at log-in, and also to authenticate transactions identified by the company as material, says Nick Perkins, division director: Identity Management at Bytes.
Most fraud is committed by a company's own employees - the old cliché "it must have been an inside job" is right on the mark. Non-repudiation is the buzzword for security systems that discourage such practices and, if a fraud is committed, enable the company to pinpoint without any doubt the employee who committed it.
PWC's most recent biennial global economic crime survey shows that South Africa has the second-highest rate of reported fraud, just behind Kenya. The survey also shows that asset misappropriation (72%), accounting fraud (24%) and bribery and corruption (24%) remain the most common types of fraud. The first two, it should be noted, are largely the preserve of insiders.
"The key defence against fraud perpetrated by insiders is first of all to establish that the employee's identity is real - is Sipho Khumalo actually Sipho Khumalo or somebody assuming that identity? - and then to be able to link each material transaction to a specific employee in such a way that his or her responsibility cannot be repudiated," explains Nick Perkins, division director: Identity Management at Bytes.
"Having such a system in place won't prevent fraud, but it will certainly discourage it. It will also give companies the confidence to pursue the fraudster through the courts or, at the very least, to be able to discharge them summarily. In industry jargon, this is 'non-repudiation' - creating a link between an individual and a transaction that cannot be queried."
Perkins says non-repudiation falls into two parts. First of all, an individual's identity must be authenticated, usually against the Home Affairs fingerprint database and typically during the hiring process. Once that is done, it's possible to use other databases to check whether that individual has any history that the company should be aware of, such as a criminal record.
"Most companies are fairly conscientious about this aspect, but the security starts to fall down when it comes to the audit trail of each employee's transactions on company systems," he says.
The real trouble here is that most companies rely on two security approaches that are basically easy to circumvent. These two approaches are based on "what you have", for example, a card, or a card plus a PIN ("what you have and what you know"). While the latter is more secure than the former, experience shows that both are open to abuse. The only secure way to link a specific transaction to a specific person is via an object, a PIN and a biometric identifier.
In the end, it's virtually impossible to prove that a transaction authenticated by an object or an object plus a PIN was beyond doubt performed by a specific person. It's always possible to argue that somebody else stole the card and/or found out the PIN.
The answer, Perkins says, is to use biometrics not only at log-in, but also to authenticate transactions identified by the company as material. In such cases, the individual responsible for the suspect transaction can be accurately identified beyond doubt - true non-repudiation.
"As incidences of internal fraud continue to rise, expect to hear 'non-repudiation' in corporate corridors more and more frequently," Perkins notes. "While it's particularly focused on internal fraud, financial institutions, for example, are beginning to use it in certain cases to establish contracts with customers that cannot be repudiated. A person's identity has always been important on a number of fronts - now it's becoming a business issue of key importance."
PwC, Cybercrime: protecting against the growing threat, Global Economic Crime Survey (November 2011), available at http://www.pwc.com/en_GX/gx/economic-crime-survey/assets/GECS_GLOBAL_REPORT.pdf