Securing Your Customers Online

Transcription

1 Customers Online Today s Web-savvy consumers expect ease of use. You want to offer strong security. With Symantec Validation and ID Protection Service (VIP), we can help you deliver both, easily and cost-effectively.

2 Most companies go to great lengths to protect their private corporate data. When employees log on to dedicated company networks and applications, they usually are required to authenticate their identity to prove they are indeed who they say they are. We know that many of the same companies want to apply stronger levels of security to customer-facing websites and mobile apps, but many don t feel they can because of upfront cost, impact to the user experience, and support concerns. Therefore, they simply ask customers for a user name and password and that s it. Customers click a button and they are in, free to manage their bank account, share photos with friends, make a doctor s appointment, and conduct all sorts of other personal business. It s no surprise that companies hesitate to implement stronger security for consumer-facing websites and mobile apps. Historically, consumer authentication solutions have not been easy to integrate and have made interaction more difficult. They interrupt the customer experience. And they tend to be expensive. Companies have little choice: either strengthen security and lose customers, or keep access easy and take privacy risks. The business choice and in some cases, the customer demand is the latter. However, that choice has led to massive data breaches. The result: damage to some of the largest brands in the world, and a loss of consumer confidence that those brands can effectively and safely manage customer data. The threat of serious data breaches at corporate giants from Apple to Anthem have companies large and small worried, and even customers are starting to reconsider whether the perceived inconvenience of security might be better than the alternative. If only companies and users could get what they both really want, which is for the websites to offer ease of use and tight security. Fortunately, your company can now offer both strong security and ease of use through Symantec two-factor authentication (2FA) technology. Get stronger protection with 2FA Two-factor authentication, or 2FA, is a stronger form of authentication than a simple single factor typically a password because 2FA requires users to correctly provide not just a password but also a second form of authentication, such as a security code or a fingerprint. If the 2FA solution is designed with the mobile user in mind, it can give your customers the best of both worlds by ensuring their visit to your website is secure while providing smooth and convenient access. The bottom line is that 2FA protects consumer information and your reputation from the damage of a security breach. That s why market leaders are cautiously making the move to 2FA for their customer-facing applications. Apple, for example, expanded its 2FA system to icloud.com after the recent, highly publicized icloud breach that exposed celebrities intimate photos to public perusal Symantec All rights reserved Page 2 of 7

3 Another good reason to consider 2FA is to help your company more easily comply with regulatory mandates. The Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Federal Financial Institutions Examination Council (FFIEC) regulations, Sarbanes-Oxley Act, and European Union Data Protection Directive, among other regulations, all require organizations to demonstrate that they have put sufficient security processes in place to ensure the protection and privacy of data. Two-factor authentication solutions help consumer-facing organizations comply. Check all the security boxes with flexible 2FA Different companies have different security concerns. Consumer-facing companies understandably worry that a lot of ponderous security steps will cause customers to take their business elsewhere. At the same time, companies that deal primarily with corporate customers need to demonstrably remind their clients that security is as tight as can be, often with some physical hardware. Many companies have both concerns, and flexible 2FA can meet them. Let s consider the example of a multinational bank that has retail customers who want an experience that s as simple as possible. They want to log on via their browser, conduct their business, then log off. For these individuals, the bank can provide strong yet seamless 2FA security with hardware-free authentication methods, such as password protection, combined with one-touch verification or biometric scanning. The experience is frictionless, transparent, and tells customers they re safe while keeping the process easy, which is especially important in the increasingly mobile consumer world. The same bank may have institutional clients who want tangible reassurance that the bank s security systems are as sound as a vault. For these customers, the bank can deliver strong 2FA with both a password and a hardware token, providing a solid reminder that the highest level of security is in place. In both cases, adding 2FA eliminates the vast majority of data breaches. Two out of three ain t bad (it s excellent) The use of only a user name and password, single-factor authentication, is inherently weak. Two-factor authentication provides a higher level of protection because it layers a second factor on top of the first, requiring a customer to accurately supply two out of three different factors for successful authentication. The first possible factor is something a customer knows, such as a password. The second is something a customer has, such as a six-digit security code or the device ID of the customer s mobile phone. The third is something the customer is, such as a fingerprint or a retina scan. Requiring any combination of two provides an excellent level of security. Although, if the password is eliminated from the authentication process, the remaining two factors would be more difficult to reproduce. The result is a fundamentally more secure solution Symantec All rights reserved Page 3 of 7

4 Companies have been using 2FA to validate employees for quite some time, and the process usually is straightforward. Using 2FA to validate customers is often more challenging because of their diverse nature. A customer-facing 2FA solution must be secure yet also flexible enough and intelligent enough to provide an easy logon experience for a wide variety of people and preferences. Symantec Validation ID Protection Service (VIP) is all of the above. It s simple, smart, and strong enough to secure your employees access to your company s networks and apps, and to protect customers when they access your company s consumer-facing websites. How VIP works in the real world Here are three use cases that are secure and convenient and that may not have occurred to you. 1. Embed VIP into the mobile app for transparent security. This approach provides the ultimate in transparent protection for users, with strong security maintained behind the scenes. From the customer perspective, authentication might require only a user name and password or, at its simplest, a four-digit PIN. This use of VIP works well for mobile customers who want to, say, check their bank account from their smartphone but don t want to wade through cumbersome security steps. The process is seamless. Integration with your online applications is straightforward, with a service-based application programming interface (API). The user experience is at its best, with customers completely unaware there is sophisticated security technology behind their simple logon. One large financial institution is now using VIP to serve more than 4 million of its mobile customers. Customers simply enter a four-digit PIN to access their account. More than 80 percent of users polled have given the feature a five-star review. With the option to use biometrics as a second factor on new mobile devices, the experience can be totally independent of passwords. 2. Use layered solutions in VIP to satisfy even the most security-conscious customers. Many customers want only to know that your company site is secure. They don t need constant reminders. Others want regular reassurance that their information is secure visible security enforced by tangible hardware. They expect a little inconvenience and are encouraged when they re required to use tokens, fobs, or cards. They re also happy to check the accuracy of their orders, such as confirming Automated Clearing House (ACH) transfers via text, voice, or mobile Push. One well-known financial services company has a large number of customers who go online to manage consumer brokerage accounts. The company chose VIP because it offers layered solutions that can be tailored to meet the needs of different customers. For instance, the company wanted a solution that would be secure yet simple for 99 percent 2015 Symantec All rights reserved Page 4 of 7

5 of its customers. Job done: The VIP service analyzes 100 percent of transactions on the company s site and validates each with the customer before completing the transaction. For the other 1 percent the company s highest-value customers, who expect a greater level of authentication when conducting transactions online the company offers token-based 2FA. This dual approach to strong authentication has helped the company improve customer confidence, trust, and satisfaction. 3. Use VIP Intelligent Authentication to offer easy, behavior-based access. Traditional online users who log on via their browser want invisible, frictionless protection. They want a high level of security and are willing to type in a user name and password, but they don t want to constantly provide additional account numbers, responses to challenge questions, or other information. If they re logging on as they always do, they don t see why they shouldn t be granted immediate access. At most, they will allow for one-touch verification. These customers are best served with VIP Intelligent Authentication, which provides access based on a customer s behavior profile and issues a challenge only if the user exhibits unusual or suspicious behavior. Many organizations are leveraging VIP Intelligent Authentication to provide their customers with a seamless yet secure access experience. The system is context aware, so it understands if a customer is logging on from the same device at the usual time from the usual location. But if that customer takes a business trip to, say, Moscow and logs on from there, VIP Intelligent Authentication will recognize the new location and issue a challenge, typically an out-of-band (OOB) authentication challenge such as an SMS text message, , or voice phone call. The user must enter the code provided to complete the challenge. Why your company should choose VIP A lot of organizations are looking for a second factor of security, and several alternatives are on the market. Some products don t offer any protection in a mobile environment besides a password. Some open-source tools work only with services specifically designed for them and the handful of business-to-customer apps that support them. Symantec Validation and ID Protection Service (VIP), by contrast, is highly secure yet flexible. It s a cloud-based solution that integrates with almost any existing environment. It provides a customer-friendly experience, works for both internal and remote employees, and was designed with mobile platforms in mind. What s more, all data files are stored in Symantec s militarygrade data center, not on premise, saving IT departments the added burden of securing and maintaining authentication servers Symantec All rights reserved Page 5 of 7

6 Here are a few additional advantages of VIP: It s simple and cost-effective to implement. Because VIP is a cloud-based service, you don t have to invest in additional hardware, software, or other infrastructure components to deploy it. Implementation is quick and easy. It s easy to use. The service supports one-time passwords with credentials ranging from hardware tokens to free mobile-based software credentials. Risk-based VIP Intelligent Authentication provides a simplified experience, while VIP Push and biometrics offer a one-touch or passwordless experience. It scales as needed. VIP meets the needs of every company, from small and mediumsize businesses to large enterprises to government organizations. It integrates with existing infrastructure. Adherence to industry standards and open APIs in a cloud environment means VIP can easily interoperate with your current infrastructure and applications. To find out more about how Symantec Validation and ID Protection Service (VIP) can help your organization, visit Symantec All rights reserved Page 6 of 7

7 About Symantec Symantec protects the world s information and is the global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment from the smallest mobile device to the enterprise data center to cloud-based systems. Our industry-leading expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at or by connecting with Symantec at go.symantec.com/socialmedia. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at For specific country offices and contact numbers, visit our website. Symantec World Headquarters 350 Ellis St. Mountain View, CA USA +1 (650) (800) Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.