Barbadians are being put on notice to expect an increase in the use of stringent, multi-level authentication measures as financial and other institutions ramp up account security.
Director of Enterprise Security, Fraud and Supplier Risk Management at CIBC FirstCaribbean, Patricia Rowe-Seale, said on Wednesday that some firms have already implemented this risk-based authentication, and she believes many more will go in that direction since it has been proven to be more secure than what currently obtains.
Risk-based authentication, also known as adaptive authentication, is a type of multi-factor authentication that is configured based on a user’s risk profile and behaviour patterns. Some popular online services and social media sites already utilise this security measure.
“There is a lot of research going on and some of it is already rolling out in some locations, where we are moving to a sort of passwordless scenario for authentication – that is really looking at the behaviour of analytics, the behavioural activities of individuals, to determine whether or not a transaction or particular attempt is likely to be that particular individual,” said Rowe-Seale as she took part in a panel discussion on Managing Cybersecurity Risk in the Financial Sector during the virtual Domestic Financial Institution Conference.
“I think in time we will see most of the institutions around us moving to adaptive authentication. So, people would be authenticated based on behaviours they would have exhibited in the past.
“It is moving to that and that tends to be a little bit more secure than passwords. It would also eliminate the need for persons to remember these very complex and long passwords. This is the other revolution, really, in authentication,” she added.
Providing an example of how this type of authentication would work, Rowe-Seale said a message or code would be sent to an individual’s predetermined phone number or email address asking them to confirm if they were making an attempt to log into their account.
Vice President of the Barbados Chapter of the Information Systems Security Association (ISSA), Jason Downey, has advised residents to avoid choosing passwords that include information regarding their children, pets and special dates in their life, and to consider using more multi-factor authentication.
“You need to avoid, first of all, using the same password for everything. A way to avoid that is that any time websites or an app say they can use multi-factor authentication, that is something you should use. It is a username, a password, and something else. That something else can be biometric, thumbprint, face [recognition], or it could be a code that is sent to a device or your cell phone, by SMS or email.
“That secures things better because if somebody gets hold of your password they might know your username and password but can’t get the third bit of information. If you secure things that way, it means then that your passwords can be a little bit less complex or change a lot less often,” explained Downey.
Chief Technology Officer at the City of Bridgetown Co-operative Credit Union, Ryan Greaves, stressed that password security and cyber security went beyond the protection of credit and debit cards.
“Cyber security is a very broad avenue, not just related to card fraud in this scenario. We also have to look at things like how people actually use social media,” he said.
Pointing out that the majority of cyber breaches did not happen by “someone sitting at a computer and typing fast on a keyboard and hacking into a computer”, Greaves said: “People understand human behaviour and use that behaviour to get your information.”
“A lot of people love social media. So, for example, if I go on a person’s Facebook page and see what they like and don’t like, the names of their children and birth dates, the majority of times those are the things people use to create passwords. So, by you giving that information, hackers and those types of people are able to extrapolate what they think this particular person’s password will be,” he warned.
“So, from the individual level, we have to be careful of the information we are putting out into the world because that information can come back to bite you in the long run.”