Fraud in CIAM
In this article I’m going to discuss fraud in CIAM (Customer Identity and Access Management) and what actions we can take to safeguard our customers and resources against such attacks. Before going into much detail, I’d first like to give a brief introduction to what fraud is and what role it plays in CIAM.
The exploitation or use of another person’s personal data or information to commit crimes is known as identity fraud.
In the context of identity and access management, this often involves attackers stealing or otherwise obtaining private data, such as passwords to digital accounts or social security numbers, and using it to access financial accounts, medical records, or other sensitive systems without consent.
Types of Fraud in CIAM
There are various types of fraud that can occur in the context of CIAM. The following are some of the most common and frequent types of attack I have picked to describe.
1. Phishing
A phishing attack is an attempt to deceive people into disclosing private information such as passwords, credit card numbers, or bank account numbers. The attacker often pretends to be a trusted organization, such as a bank, an online retailer, or a prominent business, and sends an email or message that appears to come from that organization, requesting that the recipient share their personal information.
There are three main types of phishing attack, depending on the communication medium the attacker uses. They are:
- Email Phishing: Uses email to deceive the user. The attacker sends an email containing malicious links that appears to come from a legitimate source.
- SMS Phishing: The attacker uses text messages to send malicious links to users. If the user clicks the link, they are redirected to a malicious site that prompts them to enter personal data such as user IDs and passwords.
- Voice Phishing: The attacker contacts the target by phone, pretends to be a trusted party such as a bank employee or a system administrator, and requests personal information.
2. Man-In-The-Middle Attack
A man-in-the-middle (MITM) attack occurs when an attacker intercepts and modifies communication between two parties without either side being aware of it. The attacker essentially “hijacks” the conversation, giving them the ability to eavesdrop, change, or even insert their own data into it.
For example, an attacker may intercept the communication between a user and an authentication server while the user is logging in to a website or application. In the context of identity and access management (IAM), this is known as an MITM attack. The attacker can then obtain private data, including usernames and passwords, and use it to access user accounts without permission.
3. Password Attacks
The following are some common types of password attack:
- Brute force attacks: The attacker guesses a user’s password by repeatedly trying different character combinations until one succeeds. Brute force attacks pose a significant risk to password security because, with the aid of computers and automated tools, they can try millions of password combinations in a matter of seconds.
- Dictionary attacks: The attacker tries to guess a user’s password using a list of frequently used passwords. Dictionary attacks can be very effective because many people choose simple, easy-to-remember passwords for convenience.
- Password spraying: Instead of trying numerous passwords against a single account as in a brute force attack, the attacker tries a few widely used passwords against many accounts. This type of attack is less likely to trigger security measures such as account lockouts, which are in place to defend against brute force attacks.
- Credential stuffing: The attacker tries lists of stolen username and password pairs, obtained from data breaches, against a variety of websites or systems. If a user reuses the same username and password combination for every account, the attacker gains access to all of them.
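Each of the password attacks above leaves a distinct footprint in an authentication log: brute force is many failures on one account from one source, spraying is one source touching many accounts a couple of times each, and credential stuffing is one-shot attempts on many accounts from many sources with the occasional success where a breached password was reused. The following is an added example, not code from the original article, that runs those three heuristics over a small set of constructed log lines. The log format (`<ts> <OK|FAIL> user=<name> ip=<addr>`), the thresholds, and the function names are assumptions; a real deployment would tune the thresholds and evaluate them over a sliding time window rather than over a whole file.

```python
"""Detect the password-attack patterns described above in authentication logs.

Added example, not part of the original article. The log format is a
constructed, simplified one ("<ts> <OK|FAIL> user=<name> ip=<addr>") and the
thresholds are assumptions that a real deployment would tune; everything is
computed over the lines given, which stand in for one analysis window.
"""
from collections import defaultdict

# Constructed sample log lines (not from any real system). They contain one
# brute-force run, one password-spraying run and one credential-stuffing run.
SAMPLE_LOG = """\
1000 FAIL user=alice ip=203.0.113.10
1001 FAIL user=alice ip=203.0.113.10
1002 FAIL user=alice ip=203.0.113.10
1003 FAIL user=alice ip=203.0.113.10
1004 FAIL user=alice ip=203.0.113.10
1005 FAIL user=alice ip=203.0.113.10
1010 FAIL user=bob ip=198.51.100.7
1011 FAIL user=carol ip=198.51.100.7
1012 FAIL user=dave ip=198.51.100.7
1013 FAIL user=erin ip=198.51.100.7
1014 FAIL user=frank ip=198.51.100.7
1020 FAIL user=gina ip=192.0.2.1
1021 FAIL user=hank ip=192.0.2.2
1022 OK   user=ivan ip=192.0.2.3
1023 FAIL user=judy ip=192.0.2.4
1024 FAIL user=kate ip=192.0.2.5
1025 FAIL user=liam ip=192.0.2.6
"""

BRUTE_FORCE_MIN_FAILS = 5     # failures on one account from one IP
SPRAY_MIN_ACCOUNTS = 5        # distinct accounts from one IP, at most 2 tries each
STUFFING_MIN_ACCOUNTS = 5     # distinct accounts, each tried once from a one-off IP
STUFFING_MIN_FAIL_RATE = 0.5  # stolen lists mostly fail; a few succeed


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_field, ip_field = line.split()
        events.append({
            "ts": int(ts),
            "ok": result == "OK",
            "user": user_field.split("=", 1)[1],
            "ip": ip_field.split("=", 1)[1],
        })
    return events


def detect_brute_force(events):
    """Many failures against one account from one source: list of (ip, user)."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[(e["ip"], e["user"])] += 1
    return sorted(k for k, n in fails.items() if n >= BRUTE_FORCE_MIN_FAILS)


def detect_password_spraying(events):
    """One source touching many accounts with very few tries each: list of IPs."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_ip[e["ip"]][e["user"]] += 1
    return sorted(ip for ip, users in per_ip.items()
                  if len(users) >= SPRAY_MIN_ACCOUNTS and max(users.values()) <= 2)


def detect_credential_stuffing(events):
    """Distributed one-shot attempts on many accounts, mostly failing.
    Returns the accounts in the cluster; successes are included on purpose,
    since those are the accounts whose reused password needs a forced reset."""
    attempts_per_ip = defaultdict(int)
    attempts_per_user = defaultdict(int)
    for e in events:
        attempts_per_ip[e["ip"]] += 1
        attempts_per_user[e["user"]] += 1
    cluster = [e for e in events
               if attempts_per_ip[e["ip"]] == 1 and attempts_per_user[e["user"]] == 1]
    if len(cluster) < STUFFING_MIN_ACCOUNTS:
        return []
    fail_rate = sum(1 for e in cluster if not e["ok"]) / len(cluster)
    if fail_rate < STUFFING_MIN_FAIL_RATE:
        return []
    return sorted(e["user"] for e in cluster)


def report(text):
    """Run all three detectors over one log window."""
    events = parse_log(text)
    return {
        "brute_force": detect_brute_force(events),
        "password_spraying": detect_password_spraying(events),
        "credential_stuffing": detect_credential_stuffing(events),
    }


if __name__ == "__main__":
    for kind, hits in report(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

On the sample above the report flags alice from 203.0.113.10 as brute force, 198.51.100.7 as a spraying source, and the six one-off accounts (ivan’s successful login among them) as a credential-stuffing cluster. Note that the spraying detector deliberately does not count failures alone: because the attacker spreads a few passwords across many accounts, no single account crosses a lockout threshold, so the signal is the number of distinct accounts per source.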
4. Identity Theft
An attacker who wants to acquire a user’s passwords and personal information hijacks the user’s browser session.
The web server needs a way to distinguish between each user’s connections, and most of the time a token is used for this purpose (the web server sends this token to the client browser after successful authentication).
By stealing a valid session token, the attacker gains unauthorized access to the web server and, through it, to the user’s personal accounts and data.
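Because the session token is what the server uses to recognize the user, the defensive question is how to keep a token from being guessed, how to limit the window in which a stolen one is useful, and how to keep it out of the attacker’s reach in the first place. The following is an added example, not code from the original article, of a small server-side session store that generates unguessable tokens, enforces an absolute lifetime and an idle timeout, rotates the token after authentication so that a value observed earlier is worthless, and builds the Set-Cookie value with the attributes that keep the token away from scripts and plain-HTTP requests. The store, the lifetimes, and the function names are assumptions for illustration.

```python
"""Session-token handling that limits the damage of a stolen token.

Added example, not from the original article. SessionStore and its
lifetimes are an assumed, illustrative design; the hardening steps it
shows (high-entropy token, expiry, idle timeout, rotation after login,
HttpOnly/Secure/SameSite cookie attributes) are standard practice.
"""
import secrets
import time

ABSOLUTE_LIFETIME = 8 * 3600  # seconds a session may live at most (assumed value)
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before expiry (assumed value)


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> {"user", "created", "last_seen"}

    def create(self, user, now=None):
        """Issue a fresh token: 32 random bytes, so it cannot be guessed."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token, now=None):
        """Return the user for a live session, or None. Expired sessions are
        removed so a stolen token stops working after the timeouts elapse."""
        now = time.time() if now is None else now
        rec = self._sessions.get(token)
        if rec is None:
            return None
        too_old = now - rec["created"] > ABSOLUTE_LIFETIME
        too_idle = now - rec["last_seen"] > IDLE_TIMEOUT
        if too_old or too_idle:
            self._sessions.pop(token, None)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, token, now=None):
        """Replace the token after authentication (and after any privilege
        change) so a value captured before login does not carry over."""
        now = time.time() if now is None else now
        user = self.validate(token, now)
        if user is None:
            return None
        self._sessions.pop(token, None)
        return self.create(user, now)

    def revoke(self, token):
        """Server-side logout: the token is dead even if the browser keeps it."""
        return self._sessions.pop(token, None) is not None


def session_cookie(token, max_age=ABSOLUTE_LIFETIME):
    """Set-Cookie value: HttpOnly keeps scripts away from the token, Secure
    keeps it off plain HTTP (the MITM case above), SameSite limits cross-site
    requests from sending it."""
    return (f"session={token}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create("anonymous", now=0)
    logged_in = store.rotate(pre_login, now=1)
    print("old token valid after rotation:", store.validate(pre_login, now=2))
    print("new token valid after rotation:", store.validate(logged_in, now=2))
    print(session_cookie(logged_in))
```

The `now` parameter exists so the timeouts can be exercised deterministically; in production it is simply left unset. Rotation and revocation are the two controls that a purely client-side cookie cannot provide, which is why the session state lives on the server.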
How to mitigate fraud
Organizations have used various methods and mechanisms to prevent fraud over the years. The following are a few security measures commonly used by organizations today.
- Strong Authentication: Requires the user to provide one or more additional authentication factors, beyond the primary factor, to gain access to a resource. This lessens the chance of a successful attack because the attacker has to get through multiple layers of protection.
- Data Encryption: Sensitive data can be protected by encryption both in transit and at rest to prevent theft and unauthorized use by attackers. Encryption renders the data unreadable to attackers who do not have the decryption key.
- Access Controls: Access controls ensure that users can only access the data and resources they have been granted access to. This reduces the possibility of fraud and helps prevent unwanted access. Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role-Based Access Control (RBAC) are some of the commonly used access control mechanisms.
- Monitoring and Logging: By monitoring system activity and maintaining thorough logs of user activity, organizations can spot suspicious behaviour and take the necessary actions before any harm is done. Tools such as Security Information and Event Management (SIEM) systems, User Behavior Analytics (UBA) systems, and log management systems cater to these requirements.
- Employee Education: Employee awareness is essential when it comes to protecting organizational resources from fraud. It is crucial for employees to be educated about the various aspects of organizational security, such as the company’s security policies, incident response and reporting methods, and password management best practices, so that potential harm is avoided.