1. The answer cannot be easily guessed or researched [Safe]
2. The answer doesn’t change over time [Stable]
3. The answer is memorable [Recall-ability]
4. The answer is definitive or simple [Simplicity]

Good criteria to remember next time you are deciding between “What is your pet’s name?” and “What was the name of your first stuffed animal?”.

Of course, the service you are interacting with needs to allow you to choose from a large enough set or supply your own questions so you can adhere to this principle. And a highly sensitive application should go beyond just plain security questions. While most services are moving towards simpler yet more secure mechanisms – emailing the user short-lived password reset tokens, for instance – there are many cases where you still need a challenge-based mechanism (like when the forgotten password is the one used to access your email).

Knowledge-Based Authentication has gotten increasingly sophisticated over the last few years, and enterprises looking to leverage this can do better than just providing their users a few hard-coded questions to choose from. Oracle Adaptive Access Manager 11g brings features like Answer Logic (which employs fuzzy logic to increase the usability of security questions) and One-Time Passwords (delivered via SMS, email, IM or voice) into the mix, while also adding real-time risk analytics to make the overall process more secure, reliable, usable and cost-effective.

And all of this is delivered as a service so that enterprises can incorporate KBA into their various applications as needed. In fact, as part of the suite-wide integration design theme of Oracle Identity Management 11g, OAAM now has out-of-the-box integrations with Oracle Identity Manager and Oracle Access Manager. So if you deploy the suite, the real-time risk analytics and risk-based challenge mechanisms of OAAM are automatically leveraged by those other products. It is a sweet thing to behold.

Even as we sound out the call to kill passwords (an NPT for passwords; I like that), KBA will continue to be a critical tool in the identity proofing arena. So keep an eye out for all the innovation that will take place in this field.

Tags: Identity Proofing, Knowledge-Based Authentication, OAAM, OIM, Oracle Identity Management, Oracle Identity Management 11g, Password Management, Password Recovery Techniques, Security Questions, Service-Oriented Security

Their solution was built around SmartSoft’s SRM (Smart Risk Manager) Fraud Management System and Oracle Adaptive Access Manager, our solution in the area of strong authentication and proactive, real-time fraud prevention. SmartSofts’ expertise in EMV and payment card systems means that they understand credit card fraud at a deep level. This understanding is the basis for the fraud controls that SRM introduces at the merchant and issuer sides, detecting fraud in real-time and taking just-in-time precautions and actions. The bank has been using SRM for over 2 years to secure their credit and debit card operations.

The Challenge

The bank wanted to bring the same level of fraud management that they had achieved with their credit and debit card operations to their internet banking channel. This would require understanding the mechanisms of internet banking fraud, enable comprehensive and automated tracking of online transactions, and use this to identify instances of frauds in real time. The bank also wanted to make sure that they fully complied with international and domestic regulations for internet banking.

The Solution

In order to do this, the bank worked with SmartSoft and Oracle to add OAAM Adaptive Risk Manager (ARM) into their fraud controls system. ARM is OAAM’s back-end, proactive real-time fraud detection product, providing a behind-the-scenes comprehensive anti-fraud software solution. ARM provides a strong second and third factor of security by verifying a host of factors used to confirm identity – from device characteristics (the computer and mobile device used to login) to a user’s location and online behavioral profiles. Adaptive Risk Manager can also trigger numerous actions based on its analysis, such as challenging or blocking the user.

For the deployment, the project team conducted a broad analysis of requirements in terms of internet banking fraud rules, and configured more than 50 OOTB rules in OAAM’s rule engine. They also developed an advanced scoring mechanism for real-time analysis of each transaction’s fraud probability, aimed at achieving a detection rate of nearly 99% of all fraud attempts.

An information channel was defined between OAAM and SRM, whereby the two systems can enrich each others decision-making data. For interactions originating in the internet banking channel, OAAM can calculate risk levels and notify SRM about high risk transactions. Conversely, SRM can send fraud data for risky transactions it encounters to OAAM for use in its behavioral analysis. This integration between the two systems makes the fraud analysis richer and more reliable.

On top of this, the bank’s fraud analysts are using existing reporting capabilities and Oracle BI Publisher for deep down reporting and trend analysis to identify zero-day fraud patterns. Case management also enabled the organization to take care of risky activities and provide flexible service to end-users in real time.

The Results

The bank deployed OAAM in just three months, providing the bank’s fraud analysts with comprehensive visibility and monitoring capabilities for internet banking transactions. With the deployment in production, the bank was able to achieve a previously unmatched level of security for internet banking and fully ensure Şekerbank’s compliance with international and domestic regulations. They were also able to realize a decrease in operational costs for surveying internet banking transactions of ~70%, as now only 2% of all transactions require manual control following a system alert.

It’s always good when you come across a success story like this one, and when especially when the project teams get the recognition they so richly deserve (but seldom get). Kudos to them on the success of the project and the award.

Tags: Adaptive Risk Manager, EIC10, EIC2010, European Identity Conference, Fraud Prevention, OAAM, Oracle Adaptive Access Manager, Oracle Identity Management, Risk Management

In a nutshell, here is what happened as I understand it: A hacker named Hacker Croll (who has been a pain in Twitter’s behind for a while now) was able to gain access to the Gmail accounts of various twitter employees, including founder Evan Williams. He was then able to use the regular password-recovery techniques that rely on email-based mechanisms to gain access to other services being used like Paypal, GoDaddy, Amazon and Apple. But most notably, he had access to the Google Docs service that the Twitter folks were using extensively to store sensitive corporate documents. This landed Hacker Croll a goldmine (that has been shared with TechCrunch) of documents, including “financial projections, product plans and notes from executive strategy meetings”. Twitter has a lot to deal with here. But this is an important IdM and Cloud Computing related cautionary tale for all of us. And the takeaways, while obvious, bear repeating.

This episode underscores the fact that password recovery techniques that rely on email delivery of passwords or password-reset links are highly insecure. Secret question based mechanisms (aka Static Knowledge-Based Authentication) are not that much more reliable either (anyone and everyone can find out the name of any celebrity’s first car, dog, mother’s maiden name, etc). Services that deal with sensitive information NEED to rely on Dynamic Knowledge-Based Authentication (where the data source for the authentication questions could be the content stored in the service itself, which only the users should have knowledge of) or Out-Of-Band Identity Proofing (something Oracle Adaptive Access Manager can help with).

As more and more companies rely on the cloud, the security of cloud services (or lack thereof) needs to be evaluated very carefully, as will corporate security policies on access to those services. Strong passwords need to exist not only on the service access, but also on the accounts that have access to the service. Ideally, the service provider should support Multi-Factor Authentication and federated identity and authentication for higher identity assurance by corporate clients. And encryption of sensitive documents and data is a must. Cloud service providers need to understand the implications of entering the enterprise market, and that includes deploying enterprise-grade identity management and security technology.

Unfortunately this event will sow doubts in the minds of those that are considering using cloud-based services. Which is why we have to work hard to define the standards cloud services need to live up to. As Michael Arrington so bluntly put it:

It’s not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question. It’s not our fault that Twitter stored all of these documents and sensitive information in the cloud and had easy-to-guess passwords and recovery questions.

That is quite plainly an unacceptable state of affairs.

Tags: Cloud Computing, OAAM, Oracle_IDM, Password Management, Password Recovery Techniques