Gone are the days when a masked robber would walk into a bank, wave a gun in the air and declare, “This is a stick up!” Why would any criminal run the risk of getting caught in the act when there are now opportunities to profit from all types of fraud without even leaving the comforts of home?

Since the advent of the internet, businesses have been struggling to verify the identities of users as a means of preventing fraud. As attack vectors widen with the burgeoning of the Internet of Things (IoT), businesses are exposed to new risks that require increasingly advanced authentication methods. Today’s threat actors are using more sophisticated social engineering tactics, credential-stuffing botnets and account takeover tactics to pull off all kinds of attacks. According to the “IBM Security: Future of Identity Report,” identity fraudsters have stolen $112 billion over the past six years — that’s around $35,600 every minute.

In addition, an Experian survey found that fraud has become a growing concern for 72 percent of businesses in the past 12 months. As a result, three-quarters of companies are looking for authentication tools that will help prevent these types of crimes without disrupting the customer experience. That’s a tall order, which is why businesses often forgo security to deliver convenience. Advanced authentication methods can help detect malicious activity while minimizing unwanted speed bumps in the online experience.

Read Forrester’s Now Tech Report on Authentication Management

Why First-Generation Solutions Are Failing

To detect bad actors, organizations first need to understand what they are looking for, since there is no one-size-fits-all solution to managing fraud risk. Fraudulent activity is constantly evolving and can include anything from phishing scams to data exfiltration, which makes advanced authentication tools critical to any security operation.

As the Experian report stated, today’s fraudsters are “moving between channels — such as web, call center, mobile, etc. — and new schemes, such as synthetic fraud (where criminals combine real and fake information to create a totally new identity), are constantly evolving.”

According to Jody Paterson, CEO at ERP Maestro, being able to analyze internal controls around access is critical to preventing fraud. Not surprisingly, new schemes present new risks, which is why many existing authentication tools are no longer adequate in detecting fraudulent indicators.

“They go wide, but not deep,” Paterson explained, “so they are not able to go to that granular level.”

The problem with identity deception is that it is highly prevalent in environments where it is possible, which is why enterprises need advanced methods to validate user identities.

“In an era where personal information is no longer private and passwords are commonly reused, stolen or cracked with various tools, the traditional scheme of accessing data and services by username and password has repeatedly shown to be inadequate,” noted the IBM Security report.

Why You Should Invest in Advanced Authentication Alternatives

With advanced authentication tools, security teams can integrate all the right rules across multiple systems without compromising the user experience.

“If you combine broad functionality with a solution that can dig down to the right level and integrate them appropriately … you’ll be able to get the full end-to-end provisioning process in place that does take care of the big picture, but also has the ability to get down to the deeper level to get a complete understanding of what people have access to,” Paterson explained.

Still, most organizations are reluctant to invest in advanced detection and authentication solutions because they don’t want to disrupt the customer experience. The Experian report cited business leaders’ “willingness to accept higher fraud losses from authentication protocols that they concede might be deficient, but do not disrupt the user experience” as evidence of this trend.

As businesses adopt new authentication platforms, they should remain mindful of user preferences. The IBM Security report warned that by mandating that employees adopt advanced authentication mechanisms such as one-time passwords, hardware tokens or biometric authentication when accessing enterprise resources, “businesses can reach a higher level of confidence that they’re working to keep hackers out — although they often risk frustrating their users in the process.”

When It Comes to Preventing Fraud, the Choice Is Yours

Offering users multiple authentication options will help businesses determine which new access management initiatives are most likely to result in widespread adoption. Additionally, taking a risk-based approach to identity and access management (IAM) can help protect against criminal activity, because risk-based authentication tools rely on contextual data and behavioral cues to evaluate attempts to access user accounts.

As technologies and threats evolve, businesses that have a policy in place to measure the progress of the authentication tools they implement will be in a better position to both protect against cybercrimes and deliver a quality user experience.
