Web 3.0 offers new attack surfaces


The emergence of Web 3.0 came at a time when the world was changing fundamentally. At a time when people were told to stay at home and limit personal contact, life had to go on. Business had to continue as usual, contracts had to be concluded and money transferred. Web 3.0 became an opportunity for companies to tap into the digital future.

Today, everything can be and is done digitally, and while the benefits are clear, new risks and challenges have emerged. With the transition to Web 3.0, the attack surface has also shifted to the largely uncontrolled customer journey. As a result, our information, money and identity are more vulnerable than ever before.

Ten years ago it was a big deal to buy something online for 20 euros, but these days we make bulk purchases online without even batting an eyelid. Our convenience has increased tremendously over the years and will continue to grow. Initially we may have only made small purchases, but today high-value transactions such as loans, money transfers and insurance claims are processed digitally, meaning greater security precautions also need to be taken.

At the consumer level, platforms such as Apple Pay and Amazon Pay have emerged to provide a sense of trust and security when making online purchases. We feel comfortable when we can pay with Apple Pay. However, when we are asked to enter our personal credit card information, many of us stop and consider whether the website or provider is reputable. Such a system does not yet exist for high-value business transactions. Furthermore, there is no system to ensure that a company really is what it claims to be, that a connection is valid, or that we are signing a real loan. The transition to a digitalized world happened so quickly that no one considered the need to make sure that the process is legitimate. Without face-to-face interaction, how are we supposed to know what is legitimate?

Secure the customer journey

There's a reason why phishing attacks have increased by 61% since 2021 and why bots are more prevalent today than they were five years ago: attackers have recognized an opportunity and taken advantage of it. As an industry, we are at an impasse because our solutions have focused on protecting endpoints, but now we need to secure entire digital processes and the customer journey. We must consistently prove our identity. Solutions such as multi-factor authentication (MFA), biometrics and token-based authentication now do some of this work, but unfortunately they are not enough. Almost every week we hear about sophisticated BEC scammers bypassing MFA using tactics like adversary-in-the-middle (AitM) phishing attacks.

Companies should examine their customer journeys and identify critical points. In this way, they can identify areas throughout the customer journey that attackers could exploit. Most companies have identified at least one of these critical points and taken protective measures. For example, before we can view the final invoice, we receive a text with a six-digit code that we must enter before continuing the process. These are the right steps, but we must not forget that a digital transaction is not just a one-step process. We are moving towards a model that requires continuous authentication and identification during these transactions. This model will look slightly different for each company, but ultimately it will include the following five steps.

Verify identities

1. An unknown identity is converted into a known identity. This should be done at the beginning of every process, before a transaction takes place. Each party involved should prove their identity, whether through biometric data or an ID card.

2. Once identity verification is complete, individual credentials should be distributed to access the digital property – whether it is a website, an app, an electronic document or a virtual environment.

3. Customers and consumers should be guided through multi-step and highly secure transactions through an interactive, secure virtual environment with various authentication methods.

4. To conduct and complete the transaction itself, the process must provide strong identity security, be equipped with features such as digital signature encryption, and adhere to the strictest security standards and regulations.

5. Many contracts must be stored and retained as unique original copies throughout their life cycle in accordance with laws such as ESIGN, UETA and UCC Article 9-105. To ensure the integrity of the document or transaction, you must maintain the chain of custody and capture the audit trail.

As the attack surface shifts, security must be integrated throughout the entire process and workflows, seamlessly so as not to disrupt the existing digital experience. Looking ahead to the new year, it is expected that this issue will be a top priority for both companies and security service providers, and that proving identity and ensuring trust in digital processes will become a crucial success factor. (Sameer Hajarnis, CPO at OneSpan)



About OneSpan

OneSpan helps organizations digitally transform by enabling secure, compliant and user-friendly customer agreements and transactions. Organizations that require the highest level of security - from the integrity of end users to the authenticity of transaction data in agreements - choose OneSpan's services for secure, yet user-friendly business processes with their partner companies and customers. OneSpan is trusted by global blue-chip companies, including more than 60% of the world's 100 largest banks. The company processes millions of digital agreements and billions of transactions annually in over 100 countries.


 
