Knock, Knock, Who’s There?

**By Scott Kersnar**

When word got out in March that FreeCreditReport.com coughed up information on Attorney General Eric Holder and other celebrities, worries once again shot up about hackers on the Internet, even though these incidents did not involve hacking per se.

The security problem with Internet access to free credit reports, says Garret Grajek, CTO for Irvine, CA-based SecureAuth, is that answers to many of the security questions “can be found on Web pages” or even guessed. He said people too often simplify the problem of having multiple IDs and passwords “by using a few of them for everything.”

Whenever stories about security breaches get headline coverage, the general outcry is for foolproof security. So suppose the CFPB and other regulators decree that the standard of protection for online transactions in financial services be that security become absolutely foolproof? In today’s compliance-driven world, no one can call such a scenario far-fetched. The problem that always lingers is how to comply with stricter standards without slowing Internet transactions to a crawl.

If you go to Google, you will find the strongest user authentication described as: “username/password or PIN code + PKI smart card + biometric characteristic checking + bilateral challenge response procedure based on PKI x.509 digital certificate and asymmetrical cryptographic techniques.”

Wow. To a non-expert like me, that certainly sounds formidable. So let’s say this level of security is needed for transmitting sensitive information in patient files within and between healthcare systems. But it sounds like overkill for, say, protecting the e-signing of disclosures in a real estate transaction. How do you vary the security measures required to fit different needs?

“Our whole message is that this is a solvable problem,” said Grajek. “But the solution can’t rely on ID and password only.” He said a key attribute of a stronger system is that it allows bilateral authentication “that insures that the user gives them a certificate that is not phishable by attackers.” At the same time, he said, the system “must be malleable enough to cover all the different types of authentication.” SecureAuth has patented a solution enabling authentication engines to have that kind of malleability.

The SecureAuth IdP system provides identity protection combining SSO and single, two and three-factor authentication in one platform for cloud and Web.

When users log on to the site of a SecureAuth user like Credit Interlink, for example, they are authenticated by their username and password, and a four-digit PIN is issued via a phone call or other message. A certificate is stored on the machine for verifying identity and authorizing access.

When security is being increased, a major objective always is to minimize user inconvenience. Credit Interlink commended SecureAuth for providing two-factor authentication that stores the certificate locally on the machine so users do not need to enter a PIN each time they log on.

At this writing, said Grajek, x.509 certificates have never been hacked. That doesn’t mean they never will. Being a leading-edge security provider means never relying on any one measure.

Since 1996, when he wrote “NetSuccess: How Real Estate Agents Use the Internet,” Scott Kersnar has been chronicling the development of technology in real estate finance. He is a past editor of Mortgage Technology magazine.