Life would be great if you had an identical twin. You'd have a substitute who could take care of things when you are otherwise occupied.
Can't attend that charity gala? Your twin has you covered.
Those square-dancing lessons that your elderly neighbor has been bugging you about? It's okay, you've got a sub, you'll just owe your twin a favor.
From the outside, the life of identical twins looks pretty sweet, because you always have someone that can fill in for you.
But what if you had an evil twin?
One benefit that most non-twins have is that they look fairly unique and it's hard for others to impersonate them. It's rare enough to come across a convincing doppelganger, but basically impossible to find someone who has similar mannerisms and knows everything about you. Those with an evil twin might not have this luxury.
An evil twin could make your life hell in many different ways, but we're going to run through an example of how they could subvert our identification and authentication processes.
Let's say that you, Generic DestCert Weekly Reader, have an evil twin, Evil DestCert Weekly Reader. While you were asleep, your evil twin crept into your room and stole your license, passport and credit card. They then lined up at the bank, and said to the loan officer, "Hello, I am Generic DestCert Weekly Reader, and I would like to take out a $20,000 loan."
The loan officer checked the documents, which were legitimate. You and your evil twin are exact look-alikes, so everything seemed normal to the loan officer. The loan officer asked your evil twin to fill out the loan application form and sign it. Then they checked the form and your financials. In a few days, the loan was approved, and your evil twin strutted out of the bank holding a sack with big green dollar signs emblazoned on the side.
Life continued on as normal for a while, but eventually you, Generic DestCert Weekly Reader, received an email from your bank informing you that you had a ginormous repayment due on a loan for $20,000, a loan that you knew nothing about.
You called up the bank in a huff, ready with your finest array of expletives to dress down such incompetent banking staff. You felt righteous in your indignation and ready to lay into whichever poor soul answered the phone (Editor's note: let's be kind to frontline staff!). Unfortunately, the operator was delightful, so you had to hold it in.
"Yes, Generic DestCert Weekly Reader, we did just issue a loan in your name."
"But I didn't apply for any loans..."
"Well, Generic DestCert Weekly Reader, we have the loan application form with your signature on it. And I just spoke to my coworker, she says that you were in here just last month. We probably even have you on video if you want me to check..."
Suddenly, the penny dropped and you realized exactly what must have happened. It was not the first time your evil twin impersonated you.
"%£#&"@%!" you cursed into the receiver, so loud that birds fluttered out of the tree by your dining room window. "Sorry, not you, you're not the %£#&"@%. It must have been my %£#&"@$% evil twin."
A $20,000 problem
So now, Generic DestCert Weekly Reader, you and the bank have a $20,000 problem on both of your hands. A $20,000 loan has just been fraudulently issued in your name. You'll probably go to the authorities and try to get them to sort it out, but let's not focus on the ramifications, and instead investigate what went wrong here.
How do we prevent fraud?
No one wants fraudulent loans taken out in their name, and banks don't want to accidentally issue them either, because they cause a whole lot of trouble on the bank's end as well. Unfortunately, nefarious individuals like the evil twin exist in the world, and they are constantly trying to subvert our systems.
Over the years, banks have put in a bunch of mechanisms to try to limit this kind of fraud. Central to these are the twin processes of identification and authentication.
If you read last week's newsletter, you would have heard us talk about the registration or onboarding process, and how we securely verify new users and enroll them into our systems.
When an enrolled user wishes to use our systems, they need to identify and authenticate themselves to prove that they are the legitimate user who they claim to be. Without identification and authentication, anyone could claim to be any user they want, and the system would be bedlam.
Identification and authentication
Identification is the process of professing or claiming an identity, while authentication is the process of proving that the claimant is the legitimate owner of that identity. They are separate processes, but they often occur at roughly the same time.
You can think of saying "Hi, my name is Generic DestCert Weekly Reader," as identification. Pulling out your ID card, saying "See, it says 'Generic DestCert Weekly Reader'," and showing off your unflattering ID photo could count as authentication. First, you're claiming the identity, then you are proving it with your ID.
How do banks identify and authenticate their customers?
In the case of the bank in our example, they ask all loan applicants for identification documents. The specific requirements can vary from bank to bank, jurisdiction to jurisdiction, but you will often need a few documents that prove who you are.
These documents will generally have two mechanisms that allow you to authenticate yourself to the bank. One is the ID photo—if you look like your picture, it's probably a good indicator that you are in fact the person you are claiming to be. Another is your signature. If you can reproduce a signature that matches the one on your identification documents, then it's also likely that you are the person that you are claiming to be.
These aren't foolproof mechanisms, though. Some people do look alike. Some people can fake signatures. In most situations, however, these mechanisms are enough to limit fraud.
In our example, the evil twin looked exactly like the ID photo, and they were able to copy their twin's signature. This is obviously a security shortfall, but the reality is that not too many people have evil twins, and this type of fraud isn't so rampant that banks feel the need to implement strict security controls that would be more burdensome to customers.
If these evil twin attacks did start to become rampant, banks could decide to implement further authentication measures. They might ask people to provide their fingerprints or other biometrics. They could also issue their customers with hardware security tokens that they can use for authentication.
As it stands, the system isn't perfect, but it's a balance between ease of use and adequate protective measures.
Implementing identification and authentication systems at your organization
When you are implementing identification and authentication systems at your organization, you also need to think about how you can strike this balance. Yes, you certainly want to minimize the possibility of attackers being able to fraudulently authenticate themselves, but you also don't want to make the system so burdensome that it takes too much effort to log in.
The exact measures you choose will vary depending on the type of system and the value of the assets you are securing. First, an adequate registration process will need to be in place to limit the risks of people fraudulently onboarding into your systems. Then, you will need to consider the appropriate measures for identification and authentication.
A username, email address, or phone number will generally be sufficient for identification. For authentication, you will want your users to choose unique and strong passwords to limit the chances of things like credential stuffing attacks. Second authentication factors like authenticator apps, hardware security tokens, or biometrics are also recommended in many situations. Technically, the three factors of authentication are:
- Authentication by Knowledge – Something you know, like a password.
- Authentication by Ownership – Something you have, like a hardware security token.
- Authentication by Characteristic – Something that you are or do, such as biometrics or keystroke dynamics.
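The split between identification (claiming a username) and authentication (proving it) described earlier, combined with two of the factors just listed, can be shown as working code. The following is an added example written for this newsletter issue, not code from DestCert or from any bank: it keeps a hypothetical in-memory user store, verifies a knowledge factor (a salted PBKDF2 password hash) and an ownership factor (an RFC 6238 TOTP code computed from a secret held on the user's device). The user store, the `register`/`identify`/`authenticate` names, and the sample credentials are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical in-memory user store: username -> enrollment record.
# In a real system this is populated by the registration/onboarding step.
USERS: dict = {}

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30      # seconds per TOTP window (RFC 6238 default)
TOTP_DIGITS = 6


def register(username: str, password: str, totp_secret: bytes, salt: Optional[bytes] = None) -> None:
    """Enroll a user: store a salted PBKDF2 hash (never the password) and the shared TOTP secret."""
    salt = salt or os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the 'something you have' factor (the secret lives on the device)."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def identify(username: str) -> Optional[dict]:
    """Identification: the caller *claims* an identity; we only look up whether it is enrolled."""
    return USERS.get(username)


def authenticate(username: str, password: str, code: str, unix_time: int) -> str:
    """Authentication: prove the claimed identity with two independent factors.

    Returns a detailed reason for the audit log; the user should only ever see a
    generic "login failed" message so the response does not leak which factor failed.
    """
    record = identify(username)
    if record is None:
        # Burn the same hashing cost as a real check so an unknown username
        # cannot be distinguished from a wrong password by timing the response.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return "unknown_identity"

    # Knowledge factor: recompute the hash and compare in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])

    # Ownership factor: accept the current window plus one on either side for clock drift.
    totp_ok = any(
        hmac.compare_digest(code, totp(record["totp_secret"], unix_time + drift * TOTP_STEP))
        for drift in (-1, 0, 1)
    )

    # Both factors are evaluated before returning, so a wrong password does not
    # short-circuit the TOTP check and reveal itself through a faster response.
    if not password_ok:
        return "bad_password"
    if not totp_ok:
        return "bad_totp"
    return "ok"


if __name__ == "__main__":
    # Constructed demo values; the TOTP secret is the RFC 6238 test-vector seed.
    register("generic", "correct horse battery staple", b"12345678901234567890")
    now = 59
    print(authenticate("generic", "correct horse battery staple", totp(b"12345678901234567890", now), now))
    print(authenticate("evil", "correct horse battery staple", "000000", now))
```

The TOTP routine reproduces the RFC 6238 SHA-1 test vector (seed `12345678901234567890`, time 59, code `287082`), so it can be checked against the standard before being trusted. Note that the only thing this block cannot protect against is the scenario in the story: an attacker who has physically taken the device holding the TOTP secret. That is exactly why the newsletter treats the factors as independent and layers them.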
You could also implement additional restrictions on authentication, such as limiting users to three login attempts every ten minutes. Another useful mechanism is to trigger further authentication whenever your systems notice an unfamiliar IP or MAC address, which may indicate that a user is logging in from a different location or device.
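The two restrictions just mentioned, a cap of three attempts per ten minutes and step-up authentication from an unfamiliar address or device, form a gate that sits in front of the credential check. The block below is an added example for this issue, not DestCert's or any vendor's code. It assumes the credential check has already produced a pass/fail result (the `credentials_ok` field), represents the page's "IP or MAC address" as an IP plus a generic `device_id` string, and keeps its state in memory; the `LoginGate` class, the event records, and the sample addresses are constructed for illustration. It counts every attempt, successful or not, against the window, as the newsletter's wording states.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

MAX_ATTEMPTS = 3        # attempts permitted per identity ...
WINDOW_SECONDS = 600    # ... within any ten-minute sliding window


@dataclass
class LoginEvent:
    username: str
    ip: str
    device_id: str      # stands in for the MAC address or device fingerprint the page mentions
    time: int           # Unix seconds
    credentials_ok: bool  # outcome of the identification + authentication step


class LoginGate:
    """Rate limiting and step-up decisions layered in front of credential checks."""

    def __init__(self) -> None:
        self.attempts = defaultdict(deque)   # username -> timestamps of attempts in the window
        self.known = defaultdict(set)        # username -> {(ip, device_id)} seen on trusted logins

    def _recent_attempts(self, username: str, now: int) -> int:
        """Drop timestamps older than the window and return how many remain."""
        window = self.attempts[username]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        return len(window)

    def decide(self, ev: LoginEvent) -> str:
        # 1. Rate limit: refuse outright once the window is exhausted. The refused
        #    attempt is not recorded, so the lockout ends when the oldest one expires.
        if self._recent_attempts(ev.username, ev.time) >= MAX_ATTEMPTS:
            return "locked_out"
        self.attempts[ev.username].append(ev.time)

        # 2. Credentials must be right before we even consider the device.
        if not ev.credentials_ok:
            return "denied"

        # 3. Step-up: correct credentials from an address/device we have never
        #    trusted for this user trigger further authentication instead of access.
        fingerprint = (ev.ip, ev.device_id)
        if self.known[ev.username] and fingerprint not in self.known[ev.username]:
            return "step_up_required"

        # First successful login (no baseline yet) or a known device: admit and remember it.
        self.known[ev.username].add(fingerprint)
        return "allowed"

    def confirm_step_up(self, username: str, ip: str, device_id: str) -> None:
        """Call after the extra factor succeeded so the new location/device becomes trusted."""
        self.known[username].add((ip, device_id))


if __name__ == "__main__":
    # Constructed sequence: three failures, a correct attempt that is locked out,
    # success after the window passes, then a login from a new address.
    gate = LoginGate()
    events = [
        LoginEvent("generic", "203.0.113.7", "laptop-1", 0, False),
        LoginEvent("generic", "203.0.113.7", "laptop-1", 10, False),
        LoginEvent("generic", "203.0.113.7", "laptop-1", 20, False),
        LoginEvent("generic", "203.0.113.7", "laptop-1", 30, True),
        LoginEvent("generic", "203.0.113.7", "laptop-1", 600, True),
        LoginEvent("generic", "198.51.100.9", "phone-2", 700, True),
    ]
    for ev in events:
        print(ev.time, ev.ip, gate.decide(ev))
```

The per-username counter is deliberately the one the newsletter describes; in practice a second counter keyed on the source IP is worth adding alongside it, because credential stuffing spreads a handful of attempts across many usernames and never trips a per-user limit on its own.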
You need to take a risk-based approach when determining the best system for your scenario. Consider exactly what you are securing, how valuable it is, and then work backwards from there to figure out which identification and authentication controls are necessary to reasonably ensure its security. You don't have to build Fort Knox to secure a kid's birthday party, but you're gonna need a little more than a poorly dressed clown to keep a country's gold reserves in safe hands.