The Full Story on Passwords

Every day news breaks of yet another retailer or bank security breach that lets criminals get access to financial and personal customer information. Stolen card numbers used to be encoded onto counterfeit physical cards for fraudulent brick-and-mortar purchases, but chip-and-PIN cards and online retailers have changed the game.

While a stolen credit card number still has a nominal value, there is a major shift underway as thieves understand the greater value of the customer information behind it, like username and password. Because most of us don’t take heed of best password practices – tips like longer passwords, using sentences instead of single words, and a unique password for each site – once a bad actor gets hold of a list of user credentials from one company, that list becomes a Rosetta stone for attacking other sites: the same username and password are simply replayed against every other login page the thief can find. If persistent, criminals can quickly assemble what are called fulls, which include everything from names, addresses, bank account and routing numbers, mother’s maiden name, SSN, driver’s license numbers, and more – making identity theft dead easy.

It’s unreasonable to expect users, who live in a world that requires unique passwords for tens if not hundreds of applications, websites and services, to follow “best practices” consistently. So how do you, the e-commerce retailer, protect yourself from financial losses and brand damage?

Traditional methods like knowledge-based authentication (KBA), challenge questions, or a one-time code sent by SMS to a known cell phone number do add a layer of extra protection, but they produce customer friction at best, customer insult and lost conversions at worst. And in the era of fulls, they offer less protection than you think: a thief holding a full already knows the mother’s maiden name, the SSN and the address that challenge questions ask for, so the "secret" answers are no longer secret.

So if users can’t realistically follow best practices and you don’t want to make your site harder to use, what can you do? Don’t test them on what they should know, and don’t ask them to behave a certain way. Authenticate by observing actual, measurable, subconscious behavior.

Everyone has habits and tics built into the smallest of physical actions. Measurable behaviors like typing rhythm, the habitual path taken through a website, even how a user scrolls on their smartphone, can be combined into a robust behavioral profile unique to each user.

Profiles built from this observed behavior also make it easier to recognize natural variation in a legitimate user’s behavior (a slower day, a hurried session) that would otherwise trigger a false fraud alert. Because the observation happens in the background, the user is never asked to do anything extra; the only friction arises when a genuinely anomalous session is challenged. The more they use the system, the better the profile, the more secure the account.
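To make the idea concrete, here is a small keystroke-dynamics profile written for this article as an added example; it is not the product or method the article describes, and every session in it is constructed data. A "session" is the list of flight times (milliseconds between consecutive keystrokes) recorded while the user types a fixed phrase such as their username. The profile stores the per-position mean and spread over enrolment sessions and scores a new session by its mean absolute z-score. It also shows the false-positive point above: a profile over raw millisecond timings rejects the same user on a slower day, while a profile over each interval’s share of total typing time (a speed-invariant rhythm) accepts it and still rejects an impostor whose rhythm differs. The names, the 2.0 threshold and the spread floors are assumptions chosen for the example.

```python
"""Toy keystroke-dynamics profile (added example, not the article's product).

All sessions below are constructed. Each is a list of flight times in ms
between the keystrokes of one fixed phrase, so every session has the same
length and position i always refers to the same pair of keys.
"""
import statistics


def raw_features(intervals):
    """Absolute flight times in ms: sensitive to overall typing speed."""
    return [float(x) for x in intervals]


def rhythm_features(intervals):
    """Each interval as a percentage of total time: speed-invariant rhythm."""
    total = float(sum(intervals))
    return [100.0 * x / total for x in intervals]


class BehaviorProfile:
    """Per-position mean/spread profile scored by mean absolute z-score."""

    def __init__(self, extract, floor, threshold=2.0):
        self.extract = extract        # feature extractor (assumed: one of the two above)
        self.floor = floor            # minimum per-feature spread; stops a few
                                      # near-identical enrolments producing a brittle profile
        self.threshold = threshold    # mean |z| above which a session is anomalous (assumed)
        self.samples = []

    def enroll(self, intervals):
        self.samples.append(self.extract(intervals))

    def _stats(self):
        cols = list(zip(*self.samples))
        return [(statistics.mean(c), max(statistics.pstdev(c), self.floor)) for c in cols]

    def distance(self, intervals):
        feats = self.extract(intervals)
        stats = self._stats()
        if len(feats) != len(stats):
            raise ValueError("session length does not match profile")
        return sum(abs(f - m) / s for f, (m, s) in zip(feats, stats)) / len(stats)

    def check(self, intervals):
        """Return (accepted, distance). Accepted sessions are folded back into
        the profile, so it sharpens with every legitimate use."""
        d = self.distance(intervals)
        accepted = d <= self.threshold
        if accepted:
            self.enroll(intervals)
        return accepted, d


# Constructed enrolment sessions for one legitimate user (ms between keystrokes).
ENROLMENT = [
    [120, 95, 140, 110, 200, 90],
    [125, 100, 135, 115, 210, 85],
    [115, 90, 145, 105, 195, 95],
    [130, 98, 138, 112, 205, 88],
]
TYPICAL = [122, 94, 141, 108, 203, 91]      # same user, ordinary day
SLOW_DAY = [150, 120, 170, 135, 240, 110]   # same user, uniformly ~20% slower
IMPOSTOR = [80, 80, 80, 80, 80, 80]         # right password, flat machine-like rhythm


def build_profile(extract, floor):
    profile = BehaviorProfile(extract, floor)
    for session in ENROLMENT:
        profile.enroll(session)
    return profile


def demo():
    """Score the constructed sessions against both feature choices."""
    raw = build_profile(raw_features, floor=10.0)     # floor in ms (assumed)
    rhythm = build_profile(rhythm_features, floor=1.0)  # floor in percentage points (assumed)
    results = {
        "raw_typical": raw.check(TYPICAL)[0],
        "raw_slow_day": raw.check(SLOW_DAY)[0],          # false positive on raw timings
        "rhythm_slow_day": rhythm.check(SLOW_DAY)[0],    # rhythm profile tolerates it
        "rhythm_typical": rhythm.check(TYPICAL)[0],
        "rhythm_impostor": rhythm.check(IMPOSTOR)[0],
        "rhythm_impostor_distance": rhythm.distance(IMPOSTOR),
        "rhythm_profile_size": len(rhythm.samples),      # grows only with accepted sessions
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The score is deliberately simple (a mean of per-feature z-scores, with a spread floor so a handful of enrolments cannot make the profile brittle) and is best read as one risk signal to be layered on top of the password, not as a replacement for it. Note that the profile only absorbs sessions it has already accepted; an impostor session that is rejected leaves the profile untouched.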

Better still, thieves can’t know which observed behaviors are measured or how they are correlated into a profile. All the "fulls" in the world won’t work without that final, behavioral key, which lives in the legitimate user’s own habits and cannot be copied out of a breached database the way a password or SSN can.