Ian L. Paterson is the CEO of Plurilock, a Victoria-based cybersecurity firm, and is a member of the Council of Canadian Innovators.
I spent one of my holiday afternoons this year at a bank, with two tellers and a manager, having my debit card reissued and access to my accounts restored. All of this because my top Canadian bank lacked tools that are commonplace today in video games.
It was a late morning in December when I made a simple mistake, adding my bank details to a budgeting app. In today’s cloud-centric world, logging in from somewhere or something new shouldn’t be an issue – but in this case it was. An automated process froze my account. When I called to have it unfrozen, I was told to visit town, find a branch office and confirm my identity in person. Oh, and to do this during holiday hours.
On one level, I understand why my bank locked me out. Simply put, they’ll lose customers if they aren’t perceived as secure. A recent PwC study showed that 85 per cent of consumers won’t do business with a company whose security practices they doubt. From the bank’s perspective, a malicious attacker may have taken my login details, using them to empty out my accounts and, at the very least, interrupt my growing Starbucks habit.
But I’ll be blunt: Securely authenticating users’ digital identities – without trips to the bank – is a solved problem. Current best practice is “multifactor authentication,” which combines two or more independent factors: something you know (such as a password), something you are (such as a fingerprint, or the way you type and move a mouse) and something you have (such as a debit card, a phone or a hardware security key). The factors matter because an attacker who phishes a password still lacks the physical token; after Google required every one of its employees to use a physical security key as a second factor, the company reported that not a single employee account had since been taken over by phishing.
What my bank did wasn’t a best practice; they simply lacked the modern tools to properly protect my account. And because they didn’t have the infrastructure to step up to a second form of authentication, their only option was to “go nuclear” by blocking me and issuing a new card.
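The following is an added example, not part of the original article and not code from Plurilock, the bank or any standards body. It shows what “stepping up” looks like in practice: a login from an unfamiliar device triggers a one-time-code challenge instead of a frozen account. The device-tracking and account structure are hypothetical; the one-time code itself follows RFC 4226 (HOTP) and RFC 6238 (TOTP), so the constructed sample secret reproduces the reference values published in RFC 6238 Appendix B.

```python
"""Risk-based step-up authentication with a TOTP second factor.

Added illustration only: the login policy is hypothetical, while the
one-time code follows RFC 4226 (HOTP) and RFC 6238 (TOTP) exactly.
"""
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6

# Constructed test data: the RFC 6238 reference secret, ASCII "12345678901234567890".
# A real enrolment would generate a random secret per user, e.g. secrets.token_bytes(20).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step)


def verify_totp(account: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept a code from the current step or `window` steps either side (clock skew),
    but never from a step already consumed: each code is good once (replay protection).
    """
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= account["last_totp_counter"]:
            continue  # this step (or an earlier one) was already used
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(hotp(account["totp_secret"], counter), code):
            account["last_totp_counter"] = counter
            return True
    return False


def login_decision(account: dict, device_id: str, totp_code: Optional[str], unix_time: int) -> str:
    """Called after the password has already been checked. Instead of 'going nuclear',
    an unfamiliar device earns a second-factor challenge, not a frozen account.
    Returns one of ALLOW, CHALLENGE_TOTP, DENY.
    """
    if device_id in account["known_devices"]:
        return "ALLOW"                              # trusted device, password sufficed
    if totp_code is None:
        return "CHALLENGE_TOTP"                     # step up rather than lock out
    if verify_totp(account, totp_code, unix_time):
        account["known_devices"].add(device_id)     # remember the device for next time
        return "ALLOW"
    return "DENY"                                   # wrong code: refuse this attempt only


def new_account(secret: bytes, *known_devices: str) -> dict:
    """Hypothetical account record: shared TOTP secret, trusted devices, replay marker."""
    return {"totp_secret": secret, "known_devices": set(known_devices),
            "last_totp_counter": -1}


def demo() -> list:
    """Walk a customer through the 'new budgeting app' scenario."""
    acct = new_account(RFC_SECRET, "phone-abc")
    now = 1234567890                                 # fixed clock for reproducibility
    results = []
    results.append(login_decision(acct, "phone-abc", None, now))            # ALLOW
    results.append(login_decision(acct, "budget-app-xyz", None, now))       # CHALLENGE_TOTP
    results.append(login_decision(acct, "budget-app-xyz", "000000", now))   # DENY
    good = totp(RFC_SECRET, now)                                            # "005924" per RFC 6238
    results.append(login_decision(acct, "budget-app-xyz", good, now))       # ALLOW, device learned
    results.append(login_decision(acct, "budget-app-xyz", None, now + 60))  # ALLOW, now trusted
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry most of the security weight: the comparison is constant-time, and a counter is consumed once it has been accepted, so an attacker who shoulder-surfs or intercepts a code cannot reuse it within the skew window. A production system would also rate-limit failed challenges per account and, per NIST SP 800-63B, prefer a phishing-resistant authenticator such as a FIDO security key where one is available.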
They should know better. Most standards bodies today offer guidance on exactly how to remain secure. The National Institute of Standards and Technology (NIST), a global leader in this area, publishes its Digital Identity Guidelines (Special Publication 800-63B). These recommend multifactor authentication and steer explicitly away from the measures most companies still lean on: one-time codes sent by SMS are classed as a “restricted” authenticator, password composition rules and forced periodic resets are discouraged, and security questions are not to be used as an authentication factor at all.
Complex password rules, security questions and premature lockouts impose burdens that consumers today, each with dozens of accounts, struggle to meet. Yet most companies employ exactly these strategies. Worse, these strategies are not particularly secure, as NIST understands. That is why all of this user frustration hasn’t helped to reduce skyrocketing breach rates.
When consumers face frequent password changes, draconian password rules and lockouts for forgotten passwords, they simply write their passwords down or pick short, familiar words they’re sure they’ll remember. This makes password theft easy, and it gets worse once a breached password database leaks: if the passwords were hashed with a fast function rather than a deliberately slow, salted one such as bcrypt or Argon2, cracking tools on commodity graphics cards can exhaust every possible random 10-letter password in a matter of hours. Password strength alone, in other words, is a losing race; a second factor is what actually stops the attacker.
This isn’t idle speculation on my part; I speak from experience. I’m the chief executive of Plurilock Security Solutions, a cybersecurity company that’s served the U.S. Army, power plants and hedge funds – and that has industry veterans such as the former director of the U.S. National Security Agency on its board. We use human behavior as a transparent form of authentication, preventing damage from phishing and other online attacks invisibly.
I began by mentioning video games because game companies are ahead of the curve here. Most games currently offer better, more reasonable security measures than my bank does as a matter of course. Massively popular Fortnite is a good example – it’s free to play, yet offers two-factor authentication to everyone. Why doesn’t my bank provide the same or better?
I’m not the only one to recognize that banks need to complete their digital transformation. Entire companies, such as Vancouver’s FI.SPAN, have sprung up to reimagine business banking.
Strong authentication that solves the problems I’ve outlined not only exists, but is eminently affordable. So, in honor of my unexpected holiday trip to a bank office to present an old-fashioned ID card that itself is easily forged, I’d like to make a modest proposal.
For too long, companies have responded to consumer demand for real security with inconveniences that merely imply it. This isn’t a good solution. In 2019, let’s agree to move beyond security theatre and to implement tried-and-true solutions that are both effective and already on the market – solutions that provide real security without matching levels of inconvenience.
At the very least, I and my bank teller will thank you for it.