Unisys in the World: Protected Identities and Remote Banking in Cartagena, Colombia

Security | 4 minutes read | Sep 8th, 2011

Steve Vinsik was recently in Cartagena, Colombia, presenting a concept for protecting identities in secure remote banking at the 11th Strategic Congress on Technology and Financial Marketing Conference, known as CL@B.

[Sowmya Murthy] So, Steve, what was this audience interested in talking about?

[Steve Vinsik] The conversation was about leveraging a method for high net worth clients to securely conduct financial transactions across the Internet. The challenge is about determining what is “secure enough.” The most recent Unisys Security Index identified that bank card fraud and unauthorized access to personal information were two of the top security concerns identified in our global survey. It’s easy to understand why that is the case given all the news recently on stolen identities.

[Sowmya Murthy] So, what did you share on protecting identity online?

[Steve Vinsik] The anatomy of a financial transaction is very straightforward. Log in to the online bank, click a few links, enter an amount and transfer funds. Under the covers there is quite a bit of activity occurring to make sure that transaction is secure.

[Sowmya Murthy] How so? Give me an example.

[Steve Vinsik] For example, the web session is encrypted because you can see the little lock box icon and the web address begins with https. The financial institution takes my encrypted data and conducts the transaction in its data center where they have safeguards in place to secure the data.

[Sowmya Murthy] What happens once a client tries to make a transaction?

[Steve Vinsik] Now imagine this made-up scenario. The bank knows it’s me when I try to transfer $2M from my bank of the Internet account to my Swiss account because I said it was me when I logged in with my username and password. You know…the same password that was compromised two weeks earlier when my personal information was stolen from a gaming network.

[Sowmya Murthy] Hold on Steve. Who these days actually uses the same password?

[Steve Vinsik] Now I knew you were going to say that you shouldn’t use the same password for both, and in this made-up scenario, I didn’t! Hackers collected my username and password, along with my address, credit card information, and the answers to those cute little questions that web sites ask to recover a password.

[Sowmya Murthy] How is that even possible to get our information so easily?

[Steve Vinsik] A little social engineering will do the trick! It uses a piece of information to manipulate a person into giving up additional personal information not already known. Just research Kevin Mitnick and you’ll find out all you will ever want.

[Sowmya Murthy] Ok, your point is that passwords are not enough?

[Steve Vinsik] Yes. These days, passwords are just not enough. We need to use something better to prove that it is really me conducting that transaction and not the Russian Mafia, a hacking collective, or my sister – they all have their own ways of finding out my passwords. I need to prove that it is me. It’s something I’ve been preaching about for years for use on corporate networks, and it is something we all know we should be doing but the technology wasn’t quite ready for it. Until recently…

[Sowmya Murthy] So, what did you share as the concepts at this Colombian conference?

[Steve Vinsik] Use something

  1. We physically have (like a credit card or your mobile device)
  2. We know (like a password) and receive (like a text message on your cell phone),
  3. We are (your face, voice, fingerprint, or iris as a biometric) to authenticate various levels of transactions.

Look, passwords alone may be good enough to pay my phone bill online. If I’m going to transfer large amounts of funds between different accounts, I’m going to want to use all four methods to authenticate it is really me conducting that transaction. How many would you use?
