AS the holiday season approaches, businesses and individuals face unique cybersecurity challenges. Retailers brace for their busiest time of the year while other companies operate with reduced staff. This situation, combined with an increased surge in online shopping and holiday distractions, creates a perfect storm for cybercriminals.
In a recent interview with The Manila Times, subject matter expert Shaibal Kumar Saha, digital trust leader, IBM Security, APAC, offered insights on critical security challenges during the holidays, AI-infused, risk-based authentication and digital credentials, and the role of AI, passkeys and biometric identification in safeguarding consumer digital identities, among others.
The Manila Times (TMT): What are some of the most critical security challenges during the holiday season? Why is the challenge on digital identities of particular importance, especially during the holiday season?
Shaibal Kumar Saha (Saha): When you think about the holiday season, you think about the festivities. Everybody’s enjoying their time. The other thing associated with the holidays is buying gifts and stuff. There are a lot of flash sales and online transactions, and all of these basically create a playground for the cybercriminals who are just waiting to bait users into clicking links, scanning QR codes, doing social engineering by creating a sense of urgency for the users to act at once.
These things happen primarily for two main reasons. One reason, obviously, is to extort money from you, from your credit card, from your bank or account. The second reason is to steal the user details or the user credentials. Meaning, your name, your address and any identifiers, like, let’s say, your photo ID which is part of your profile to get to your password. Cybercriminals can use this information in subsequent heists when they attack another service. These are the challenges we see with digital identity.
TMT: What is AI-infused, risk-based authentication and digital credentials? As trust platforms, how can AI, passkeys and biometric identification promote and ensure digital protection?
Saha: I would like to highlight first that IBM publishes pertinent research reports every year; the first one is called the cost of data breach and the second one is on threat intelligence. Both reports show that the one reason behind online compromises is credential breaches.
Now, if there is a compromise at one particular place and the cybercriminals stole your credentials from that particular breach, they would likely use them in another service and take over your account. We would like to prevent such breaches from happening, and AI obviously comes in really handy for us.
You mentioned risk-based authentication. It is an advanced authentication mechanism which does not just validate the username and password of the user, but it also collects in real time different other contexts which are associated with the user and his behavior.
So it looks at all these different contexts and, in real time, does a risk score rating. By doing the risk scoring, it is able to assess if a particular transaction on the login attempt is high risk or low risk right now. Obviously, AI plays an important role here because AI is able to analyze large amount of data and detect the anomaly quickly, so we are also able to respond to these anomalies just as quickly and are able to calculate that risk, so that we can decide on the fly should we allow a user or should not allow a user.
TMT: In the implementation of the risk-based paradigm, is the user prompted by AI, for instance, that there’s a threat going on with his account? Or is it a seamless AI-driven process?
Saha: Most of the things we do using AI and risk-based authentication are all behind the scenes. So the user does not see any change in the usual way he uses his account. He will still enter his username and password. AI will be doing all this particular calculation behind the scenes and then determine should it allow the user or not.
One other thing is that risk-based authentication works hand in hand with multifactor authentication (MFA), like the alert all of us get SMS OTP, for example. When risk-based authentication is on, the system, depending on the risk, can now decide should it challenge you for an MFA, a higher-grade MFA or should I not challenge you at all? Should I block the transaction? That’s what the risk-based authentication would do.
TMT: Since the authentication works in the background, how can users ensure that they are protected from digital threats during the holiday season?
Saha: There are a few things users should keep in mind. It is important to be vigilant about what he’s going to click because anything that we click could potentially lead us into a trap. And that trap would be for us to give usernames, passwords, or, in worst-case scenarios, a malware is being downloaded on your device. It is extremely important that we constantly keep our vigilance on what we do online.
The second thing comes from an organization’s perspective. Companies provide many products and services to consumers. I recommend that instead of having the authentication fragmented across various services, they should consolidate them all into a single platform and provide capabilities like risk-based authentication, and passwordless authentications using a new standard called passkeys. Passkeys are a new development which came around last year. It’s a new standard, which allows a user to actually get authenticated without a password. Now, if we don’t have a password, then there is no password compromise.
TMT: So in these areas of risk-based authentication and passkeys, what is IBM doing in products or services, for example?
Saha: Let me say first that IBM has been a long-term player in the identity space. We have a legacy of over two decades, and today we provide many capabilities. Related to risk-based authentication and various others under the brand name called Verify, which is our identity and access management solution set. And inside that we are providing capabilities like risk-based authentication. IBM is in a unique situation where we provide this as a SaaS service, and we also provide it as an on-premise service.
Secondly, on this platform, we provide different kinds of multifactor authentication. Multifactor authentication, what we typically are used to, are the SMS OTP. What we at IBM are doing is we provide innovative multifactor authentication mechanisms which are easy to use. For example, we’re using a soft token using biometrics. We support passkeys across our platform and through which organizations can integrate all their applications and use passkeys across mobile applications.
Be the first to comment