Accurate identity authentication simply has to be the foundation for accurate identity management. If we can’t positively identify people, then what hope do we have for managing their access and activities?
It may be an inconvenient truth, but the exploitation of traditional access credentials such as cards, PINs and passwords (CPPs) lies at the heart of the routine acts of fraud that happen on a daily basis within the workplace. The reason for this is alarmingly simple: anyone can use your card, your PIN and your password – and you can use theirs. As a barrier to unauthorised access and illicit activity, these conventional credentials are hopelessly inadequate. This is so because they cannot authenticate the identity of their user. In short, they are a flaw at the core of corporate security.
From the persistent losses caused by buddy clocking through to fraudulent EFT payments, the risk of identity-based fraud extends into all the areas in an organisation where there is a requirement for people to use CPPs.
During the past forty or so years, CPPs have come to be accepted in the same way that we accept, say, the strange quirkiness of the Qwerty keyboard. Perhaps an ingrained familiarity with CPPs is partly to blame for a lack of rational assessment of their shortcomings as a modern security measure. That’s not to say that there have not been developments in how CPPs work. Passwords have become more complex and are often automatically changed on a regular basis. They have been linked to personal identity numbers (PINs), and more recently, to one-time PINs and smartcards.
But the flaw at the core endures. Irrespective of their complexity, CPPs are either accepted or rejected based exclusively on their validity, not on the identity of the user. They can never authenticate the identity of their users because their use cannot be restricted to a specific person.
Learning lessons from physical security
Today, thousands of South African organisations are running biometric-based systems that safely, securely and accurately control access to the workplace for well over two million local people. Some of those organisations have gone a step further and integrated biometric access control with their time and attendance and payroll systems.
The straightforward business case for replacing CPPs with biometric-based authentication within such systems is well proven: the technology cuts the repetitive losses caused by unauthorised access and buddy clocking. The migration from CPPs to biometrics has been so extensive that South Africa is now one of the world’s largest and most diverse markets for a form of authentication that recognises people for what they are – people – not a plastic card or a bit of inanimate code.
And yet we have still not seen a large-scale adoption of these authentication methods within digital systems, where the risks created by identity-based fraud are of a magnitude far greater than, say, the risks associated with buddy clocking. This would suggest that organisations need to review how identity is authenticated across every aspect of their operations, not just at the front gate and in their payroll management.
Failure to authenticate
The range and scale of the vulnerabilities caused by CPPs is increasing as organisations become more and more reliant on IT systems in their business processes. The increased convenience and efficiency generated by digital systems quite clearly comes hand-in-hand with increased risk arising from inadequate identity controls.
If we can’t authenticate identities within all of our workplace systems, and we certainly can’t with CPPs, how can we securely control what happens within increasingly digitally-based processes? We can’t. It’s as simple as that. Which means that the problem is out of control and getting worse. Failure to Authenticate (FTA) is now a widespread, entrenched problem. Acquiring someone else’s identity credentials is an obvious way for internal and external fraudsters to masquerade as legitimate, authorised users in order to perform activities that appear to be entirely genuine.
A prime example of the consequences of FTA is the repetitive losses incurred as a result of buddy clocking. This particular type of workplace fraud illustrates how the use of other people’s credentials makes it so easy to abuse systems whose security depends on identifying users.
Other examples of FTA appear in the media on a regular basis. In January 2012, Postbank was robbed of R42m by insiders who apparently used the access credentials of fellow employees to transfer the funds. A few weeks later, a court found that an employee of FNB had used a keylogger to capture her colleagues’ passwords in order to transfer R27.3 million from a corporate client’s account.
The Bellville Commercial Specialised Court in Cape Town regularly convicts insider fraudsters for making illicit EFT payments. In April this year, a bookkeeper was convicted of transferring over R2 million to her own account over a period of two years. In May, another bookkeeper was convicted of stealing R4.5 million over three years. That money was supposed to be paid to SARS but was transferred to the villain’s account. A credit control manager was convicted in July of making over R1.5 million in fraudulent payments to himself.
And, to keep things right up to date, yet another bookkeeper was convicted in September of transferring over R1.4 million to herself in a 12-month crime spree. It just goes on and on and on.
Dumb users or dumb systems?
There’s an old saying that people are the weakest link in security and that so-called ‘dumb users’ are always the fly in the magic ointment designed to protect corporate systems. But users are not universally stupid and they do not respond well to the imposition of security measures that create obstacles to doing their jobs and strike them as doing almost nothing to protect their IT-based work and the IT-dependent organisations for which they do it.
Ask most users and they will tell you that managing their passwords and PINs comes high on their IT drag list. Press a little harder and they will probably admit to sharing them, writing them down or storing them on their phone. I know of a senior executive at a merchant bank who had 17 different work-related passwords. The discovery that he was storing the latest version of each one in a spreadsheet almost cost him his job. Dumb user? I think not.
Corporate governance? What governance?
Governance, risk management and regulatory compliance (GRC) has in the past few years become an important topic on the agendas of many corporate boards. In South Africa, the most influential guidance concerning GRC is The King Code of Governance, the latest version of which is often referred to as King III. As of June 2010, all companies listed on the Johannesburg Stock Exchange must comply with the code.
Amongst many other things, King III requires board members to take overall responsibility for IT governance. Directors must ensure that prudent and reasonable steps have been taken to protect intellectual property, company and client information. Surely the question here is this: can CPPs be regarded as prudent and reasonable steps to safeguard these assets?
Back in 1988, George Tenet, the Director of the CIA, issued this chilling warning about the security of digital systems: “We have built our future upon a capability that we have not learned how to protect. We have ignored the need to build trust into our systems. Simply hoping that someday we can add the needed security before it is too late is not a strategy.”
A quarter of a century later, not much has changed and organisations cannot secure what they cannot control. In terms of identity management, the use of cards, PINs and passwords undermines every initiative to reinforce security within digital systems and the multitude of business processes that are dependent on them.
In terms of developing a strategy for managing identity in the workplace, it is absolutely essential to base it on accurate authentication and then build from there. Simply hoping that nobody will ever again abuse someone else’s card, PIN or password is not a strategy at all.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.