Fuelling cyber crime
The failure of identity control means cyber crime will continue to flourish.
If there is one positive lesson that can be learnt from the January cyber theft at Postbank, it is this: cyber crime can be prevented. There just need to be more effective controls over who can do what within companies' IT systems.
Mark Eardley is channel manager at SuperVision Biometric Systems.
Media reports about Postbank's R42 million loss suggest the straightforward exploitation of employees' usernames and passwords allowed the cyber villains to transfer money to multiple mule accounts opened late in 2011.
Some might argue that protecting the bank's money with nothing more than a password or PIN is an open invitation to get ripped off.
Others might say the bank's procedures for confirming the identities of account-openers were probably a bit behind the times.
Either way, there is a common theme here: failure of identity control.
This really should come as no surprise. Such elementary failures are a common denominator across the full spectrum of cyber crimes. From the theft of SecurID secrets from RSA (EMC) last year and the recent Postbank incident, through to mundane phishing mails that target online banking credentials, the simple abuse of identity lies at the very heart of most cyber crime.
And the reason for this is pretty obvious: absolutely anyone can use another person's PIN, card or password.
The longstanding reliance on these traditional credentials means there's no way to tell the difference between one person and another, no way to distinguish between legitimate system users and the villains.
Result? Cyber crime will continue to flourish, so expect to hear of ever more woeful failures of IT security.
Learning from physical security
About six or so years ago, there was a sea-change in the way identity is controlled within the South African workplace.
Local organisations have been replacing cards, PINs and passwords with fingerprint identification to strengthen physical security and to monitor people's attendance, location and activities more accurately.
Competent fingerprint technology has proven its effectiveness in environments ranging from mines, factories and warehouses to schools, residential estates and offices.
And these are not quirky, once-off solutions. Marius Coetzee of Ideco Biometric Security Solutions says the company has supplied over 70 000 fingerprint readers in SA to securely manage the identities for more than 2.5 million people.
According to Coetzee: “This large-scale use of biometrics in physical security makes SA one of the world's biggest markets for fingerprint-based identification. It is also overwhelming proof that the technology is a practical, cost-effective means of cutting losses by more securely protecting assets through rigorous identity control.”
Is stronger identity control a silver bullet against cyber crime? Sadly, it isn't. Nothing is. But it is a route that can be followed right now, and it can close the biggest loophole of them all in corporate IT security.
If companies can more accurately identify authorised users, they remove the cyber villains' ability to mask their activities under a cloak of legitimacy.
Within corporate IT systems, modern fingerprint technology can provide far more accurate identification - offering an immediate level of security way beyond that of conventional credentials.
In comparison to the glaring vulnerabilities created by passwords, PINs and cards, fingerprint-based identification presents a formidable barrier to illicit access and activity - right now.
Coetzee says: “Multifactor authentication can raise that barrier even higher - for example, by combining biometric authentication with a smart card or by using two forms of biometric technology, such as simultaneous fingerprint and finger vein recognition, we can create additional layers of security in one identity process.”
Of course, if users believe in silver bullets and that cyber villains are actually vampires, then lock and load. But in the real world, it's clear that biometrics can massively reinforce security and provide a potent antidote to the cyber crime plague by tracking who did what within an IT system.
And there's an example from Postbank to prove it. Amid all the news about that cyber theft and the call for SA to introduce statutory policies to combat the cyber monster, I was amazed to discover that in August last year, Postbank appears to have erroneously transferred another R42 million into the account of a young South African woman.
I wonder whose password authorised that?
** Coetzee and Eardley will speak at ITWeb's Governance Risk and Compliance Conference 2012, on 21 February.
Mark Eardley has worked in the South African biometrics industry since 2006. He has directed the marketing for a local biometric brand and is currently responsible for business development at SuperVision Biometric Systems, South Africa's oldest biometric specialist.