Beyond SSO: A Case for Complete CIAM as Cyber Theft Evolves

March 16, 2016

Cyber thieves are getting pretty creative these days, especially when it comes to stealing data from customers' mobile devices. Their goal used to be to acquire credit card information or personal identifiable information (PII). Then they moved on to rewards accounts. Now, savvy cybercriminals are setting their sights on Uber, Paypal and Netflix accounts. According to a recent CNBC article, these so-called "deep web" accounts have become more valuable to thieves for the price they can fetch.


According to a Trend Micro survey, stolen Uber information sells for $3.78 per account in underground marketplaces. A Paypal account with a guaranteed $500 balance sells for an average $6.43. Stolen PII only goes for $1.00 to $3.30 on average.


So why's an Uber account so valuable? Because criminal buyers can use the information to build a bigger picture of the victim for identity theft. They can also use it to charge phantom rides, which involves setting up a fake account and charging nonexistent rides to stolen accounts.


Sure enough, the Twittersphere is full of phantom ride complaints. Account holders claim they were charged for rides they didn't take, and the rides are often allegedly taken in another part of the globe. According to the article, Uber is now testing a version of two-factor authentication to deter these criminals. But it serves as a cautionary tale for any company that services customers via mobile apps, or even through its website.


Improving Security Without Sacrificing the Customer Experience

To combat the latest threats, enterprises are moving to a more comprehensive customer identity and access management (CIAM) approach. Single sign-on (SSO) is great, but SSO alone isn't enough protection in the world today. Here's a strong recommendation that came out in the 2015 Verizon Data Breach Investigation Report.


"While we have tried to refrain from best practices advice this year, there's no getting around the fact that credentials are literally the keys to the digital kingdom. If possible, improve them with a second factor such as a hardware token or mobile app, and monitor login activity with an eye out for unusual patterns."


Multi-factor authentication (MFA) and SSO work together to deliver an optimal, secure user experience. Adaptive authentication offers a way to support data points, such as IP addresses, geolocation, distance traveled or behavior patterns, to assign a risk score that determines if and when the customer will be presented with a step-up authentication request. For example, think of an Uber customer who requested a car 20 minutes ago in New York and is now trying to get a car in Germany. The previous context of their behavior allows you to create a risk score. Using that risk score you can selectively apply a step-up authentication method, such as biometrics or tokens or other authentication methods to the transaction.


As customers move from a company's website to its mobile apps, they expect the business to engage across all of their channels in the same secure, seamless way. This requires an integrated infrastructure that comes from a complete, standards-based CIAM solution that includes SSO, scalable access, centralized control and a unified view of the customer. The right solution should be able to extend any existing IAM infrastructure to address specific requirements for securing customer access, and it should improve the customer experience in the process.


The Academy of Art University in San Francisco knows the value of complete CIAM solution. The country's largest accredited private art and design school wanted to give its 18,000 students, 3,000 employees and 70,000 alumni secure access to its offerings anytime, anywhere on any device throughout its 21 colleges and 45 buildings. Adding to the challenge, students must be provisioned and re-provisioned to many applications during their time at the school. Students, faculty and employees each need various access to on-premises and cloud-based applications, as well as line-of-business applications from within and often across colleges--they all expect mobile access to these apps as well. Ping provides the university with a customer and workforce identity solution that encompasses SSO, mobile identity security and automated provisioning.


Customers will continue to demand more and better apps to make their lives easier, and cyber thieves will keep finding ways to hack them. To make sure the customer wins, businesses need to take a complete CIAM approach that seamlessly integrates every channel and creates an optimal, secure customer experience.