Web 3.0 Shifts Attack Surface and Highlights Need for Continuous Security
The emergence of Web 3.0 came during a pivotal transformation for the world. Though we were told to stay home and limit face-to-face interactions during the COVID-19 pandemic, life had to keep moving. Business needed to proceed as usual, deals needed to be signed, and money still needed to be transferred. Web 3.0 is an opportunity for businesses to embrace a digital future that will make all of this easier.
Many more things can be, and are being, done digitally compared with three years ago, and while the benefits are clear, new risks and challenges have emerged. With the transition to Web 3.0, the attack surface has also shifted to the largely unchecked customer journey. As a result, our information, money, and identity are more vulnerable than ever before.
Trust Levels Have Risen
Ten years ago, purchasing something online for $20 was a big deal, but today, we make large purchases online without a second thought. Our level of comfort has grown immensely over the years and will only continue to grow. We may have started off making small purchases, but now, high-value transactions like loans, money transfers, and insurance claims are all digital, which means there's much more at stake.
At a consumer level, platforms like Apple Pay and Amazon Pay have emerged, which infuse a sense of trust and security into online purchases. Still, when asked to enter our personal credit card information, many of us pause and consider the legitimacy of the site, vendor, etc. A system with the comfort level provided by platforms like Apple Pay doesn't yet exist for high-value business transactions. What's more, there is no system in place to confirm that a company is who it says it is, that a link is valid, or that a real loan is being signed. The move to a digitized world happened so quickly that no one stopped to think about the fact that we need to make sure the process is legitimate. Without face-to-face interactions, how do we know what is real?
There's a reason phishing attacks have grown by 61% since 2021 and a reason bots are more prominent now than they were five years ago: attackers have identified an opportunity and seized it. As an industry, we are at an impasse because our solutions have focused on protecting endpoints. But we now need to secure complete digital processes and customer journeys. We need to consistently prove our identity. Solutions like multifactor authentication (MFA), biometrics, and token-based authentication do some of this today, but unfortunately, it's not enough. Almost every week we see stories of sophisticated business email compromise (BEC) scammers bypassing MFA, leveraging tactics like adversary-in-the-middle (AiTM) phishing attacks.
It's Time for a New Model
Organizations should examine their customer journeys and identify friction points. This will allow them to pinpoint instances throughout the journey that attackers could exploit. Most organizations have identified at least one of these instances and put protective measures in place. For example, before we can view our final bill, we get a text with a six-digit code we must enter before moving any further in the process. These are the right steps, but we must remember that a digital transaction isn't just a one-step process.
We're moving toward a model that requires continuous authentication and identification throughout these transactions. This model will look slightly different for each organization, but it ultimately will follow these five steps:
1. Take an unknown identity and turn it into a known one. This should happen at the beginning of every process before any engagement or transaction occurs. Every party involved should prove their identity, whether it be via government-issued ID, biometrics, etc.
2. Once identities are confirmed and verified, individualized credentials should be distributed to access the digital property — whether it be a website, app, electronic document, or virtual environment.
3. Guide customers and consumers through multistep and high-assurance transactions over an interactive, secure virtual environment with various authentication methods.
4. To execute and complete the transaction itself, the process needs to offer strong identity assurance, be equipped with capabilities like digital signature encryption, and comply with the most rigorous security standards and regulations.
5. Many contracts must be stored and maintained as unique, original copies throughout their lifecycle in accordance with laws such as ESIGN, the Uniform Electronic Transactions Act (UETA), and Uniform Commercial Code (UCC) Article 9-105. To ensure the integrity of the document or transaction, you must preserve the chain of custody and capture the audit trail.
With a shift in the attack surface, security will need to be woven throughout the journey and throughout workflows, and it will need to be done seamlessly to avoid disrupting the digital experience that exists. As we move into the new year, I anticipate this will be a top priority for organizations and security companies alike, and proving identity and ensuring trust in digital processes will become the defining factor of success.
This article, written by Sameer Hajarnis, Chief Product Officer at OneSpan, was first published on DarkReading.com on January 9, 2023.