Account security

Account security in a physical to digital world: Choosing a verification process that's right for your business


Nabeel Saeed
Oct 29, 2020
TLDR

The pros and cons of each account verification process, and how to decide which is right for your business.


MGM Resorts.

Walgreens.

J. Crew.

Zoom.

What do all these companies have in common?

They all have dealt with a data breach in the past nine months, exposing customer information and putting business records at risk.

While company data breaches are pretty common—2019 alone saw 1,473 individual breaches exposing nearly 165 million sensitive records—they are also an avoidable risk: regular updates to your business’s account security, such as utilizing two-factor authentication and having customers update their passwords consistently, go a long way toward preventing them.

Read on to learn the three major types of online fraud, the different platform security options to combat these risks, and the benefits and the drawbacks of each channel.

Breaking down online fraud types

The three types of online fraud map onto four stages of the customer account security journey: sign-up, login, transactions, and password reset. Each of those touchpoints is an opportunity to protect against new account fraud, account takeover, and payment fraud.

These are the three fraud types we typically see around a data breach:

  1. Sign-up/new account fraud: Businesses that offer new-user or sign-up incentives (often with a freemium structure) are susceptible to automated bots that create thousands of accounts to take advantage of new-member discounts and perks.

  2. Account takeover fraud: Fraudsters gain access to a user’s credentials to log in to a user account, and then change the password to lock out the original user.

  3. Payment fraud: Hackers use customer credit card information obtained illegally from places like gas station terminals, grocery store checkouts, and routine data breaches to try to make purchases. While customers are often covered for this, businesses are not guaranteed the same protection.

In considering which digital security features to use for your own business, it’s important to evaluate the strengths and weaknesses of each for keeping your business and customer data safe.

Evaluating digital security methods

Email verification

Over the last several decades, email addresses have become almost as tied to a person’s identity as their fingerprints. Given this, it’s no wonder the vast majority of online accounts are identified by the user’s email address.

The benefits here are obvious. Email addresses are widely available, people rarely forget them, and they are often the best way to contact the account holder. However, it’s almost impossible to tell whether an email address is fraudulent.

Further, verifying validity is even harder with just one step of account security. For instance, if you send a password-reset link to a compromised email address, that message is pointless and potentially dangerous, since it reaches whoever controls the mailbox rather than the legitimate user.

  • Pros: Universally used, easy to remember, low cost
  • Cons: Impossible to verify, easy to hack

Phone number and SMS verification

Similar to emails, phone numbers are an attractive option for quick and easy identity verification. They, too, are universally found, easy to remember, and a simple way to get in direct contact with the user.

Unlike email, where it is relatively easy to create thousands of bogus accounts, it’s really difficult, time-consuming, and expensive to fake an individual’s phone number.

Phone numbers can also help businesses confirm a great deal of information about a user to verify their identity, such as whether the number is a landline or a mobile, its country of origin, and which telecommunications carrier it’s tied to.

Many companies use a verification technique known as two-factor authentication (2FA) or phone number verification. Customers sign up and enter a phone number; the business then sends a one-time code to that number, which the customer enters into your app. This is currently the most popular way of adding significant extra security to your user verification process.

While phone numbers are an excellent verification feature given the popularity of text messaging, consumers are increasingly wary of sharing their number thanks to the rise of robocalls and telemarketing. Also, like email, there is still a risk for fraudulent numbers and SMS messages.

Best practices suggest confirming that a working number belongs to the account holder by sending a one-time code by SMS and asking the recipient to enter that code back into the application. However, precisely because SMS is so easy and widely used, many countries have changed their regulations on SMS-based security to protect online transactions.

In Europe, for example, SMS codes on their own aren’t considered secure, because they can be intercepted or leaked, and users who receive a code without knowing what they’re authorizing tend to proceed regardless. The new requirements therefore oblige merchants to include the transaction details in the text, confirming that the security code being sent is, in fact, tied to the purchase the authenticated user is making.

This method protects both the customer and the company because the specifics of the transaction, delivered in the message itself, let the user confirm the payment is legitimate. While this isn’t a requirement in the United States, it’s a good security measure to protect yourself and your customers against payment fraud.
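The flow described above (a one-time SMS code whose message states which payment it authorizes, so the code cannot be reused for a different transaction), as an added example that is not part of this post and is not Twilio’s or Verify’s code. It assumes a Python server keeping pending codes in an in-memory dict; the phone number, amounts and message wording are constructed, and actually sending the SMS is left to whatever messaging API the business uses.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 5        # assumption: 5 wrong guesses invalidate the code

@dataclass
class PendingCode:
    code: str
    binding: str      # digest of the transaction this code may authorise
    expires_at: float
    attempts: int = 0

def bind_transaction(amount, currency, payee):
    # Canonical digest of the details shown in the SMS, so a code issued for one
    # payment cannot be replayed to approve a different one.
    return hashlib.sha256(f"{amount}|{currency}|{payee}".encode()).hexdigest()

def issue_code(store, phone, amount, currency, payee, now=None):
    # Generate a 6-digit code from a CSPRNG and return the SMS text the business
    # would send. The text states what the code authorises (dynamic linking).
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    store[phone] = PendingCode(code, bind_transaction(amount, currency, payee),
                               now + CODE_TTL_SECONDS)
    return f"Your code {code} approves a payment of {amount} {currency} to {payee}."

def verify_code(store, phone, submitted, amount, currency, payee, now=None):
    # Accept only an unexpired, single-use code matching both the digits typed and
    # the transaction the server is about to execute.
    now = time.time() if now is None else now
    pending = store.get(phone)
    if pending is None or now > pending.expires_at:
        store.pop(phone, None)
        return False
    pending.attempts += 1
    if pending.attempts > MAX_ATTEMPTS:
        store.pop(phone, None)  # brute-force guard: burn the code
        return False
    code_ok = hmac.compare_digest(pending.code.encode(), str(submitted).encode())
    txn_ok = hmac.compare_digest(pending.binding, bind_transaction(amount, currency, payee))
    if code_ok and txn_ok:
        store.pop(phone, None)  # single use
        return True
    return False
```

A correct code submitted with a different amount is rejected, which is the property the European rule is after; expiry and the attempt limit cover the interception and guessing cases.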

Other drawbacks of text authentication include cost (international texting can be far more expensive than sending messages locally) and reach: while the vast majority of your users will have access to a text-enabled phone, some may only have voice-only numbers such as landlines, or other restrictions that prevent SMS usage.

  • Pros: Universally used, convenient, easy to implement, no app necessary
  • Cons: SIM swapping/SIM hacking, lost/stolen devices, landline vs. mobile communication, cost

App verification

While SMS is one of the quickest ways to utilize 2FA, the best user experience solution is found within app-based 2FA with push authentication.

Implementing an authenticator app (such as Authy), which uses accepted security standards to generate a one-time passcode or a push notification on the device itself, is also one of the more secure options available.

You can also use a solution to add verification services to an existing app, such as Verify Push, which embeds a comprehensive verification process throughout the user journey without the risks, hassles, or costs of sending one-time codes on other channels. This solution allows customers to add a low-friction, secure, cost-effective, “push verification” factor into their existing application.

One of the best methods to securely verify your users is a software-based approach that doesn’t rely on SMS alone. With a potentially global customer base, you want to make sure that whatever platform they log in from (phone, computer, tablet, etc.) stays in sync. Through this, businesses gain a higher degree of visibility and security, and a much better user experience.

These app-based solutions aren’t as widely used and can be more costly than basic security authentication, but the payoff is knowing your customer’s data and your business records are safe with the latest secure technology.

  • Pros: Best user experience, most secure, not tied to a telecarrier
  • Cons: Price, not widely used

Choosing carefully

Companies, both large (like the ones mentioned at the start) and small, need to not only implement but consistently update their online security to stay ahead of fraud as we continue to migrate from a physical to a more digital world. And when data breaches happen, being open about how your company is dealing with the breach, as well as the steps customers should take, helps rebuild lost consumer trust.

In deciding which type of verification to use, consider your customer, their location, and how much time/effort will be required for them to make a purchase and/or sign into your platform. While you want your platform to be secure to avoid abuse around fake sign-ups/fraudulent activity, you need to make the process seamless enough to keep your real customers coming back.

Learn more about best practices for verifying users beyond SMS and email


Nabeel Saeed

Nabeel has worked in multiple application and network security roles over the last 5 years, and is a speaker at the Bay Area Cyber-Security Meetup. His interests include identity and authentication, and he is currently involved in helping fintech companies with PSD2 compliance. He holds a Bachelor’s in Economics from UC San Diego, California.