New hire fraud is top of mind for Chief Security Officers (CSOs) as it has become one of the largest vulnerabilities in any organization. Many assume they have conducted thorough due diligence and verification, but do not have the protocols in place to ensure the person they’re hiring is always the person logging in. Although this concern is nothing new, employees’ increased access to a company’s technology and inner workings via remote work has made it substantially easier for bad actors to attack organizations from the inside.
When hiring someone (an employee or a contractor), how do you know that the person doing the work is who you truly hired?
Identity fraud happens in several ways:
Individual or Consulting Company Work-Sharing
A contractor gets hired. They get plugged into the company resources - email, work tools, servers and more. For example, they may be a software developer who begins to do some work, learns the ropes, and starts contributing to a project requiring more access to the company’s systems. To authenticate their identity when accessing company resources, they typically have an Active Directory username and password and some form of “second factor” authentication, such as a one-time code tool.
Now, for a number of reasons, the contractor decides to bring a third party into the organization to work on their project. It may be because they found someone cheaper to outsource this work to, or the contractor’s intent may be nefarious. They could get paid by the third party to let them in the door of the organization so they can steal intellectual property or inject malware into the organization.
To enable this fraud, all they need to do is give the subcontractor the username, password and send them the two-factor authentication (2FA) code at the start of their day and occasionally when they need to reauthenticate. With collaboration tools such as Slack or WhatsApp, the exchange of this 2FA code can be done in seconds.
There are many security and productivity implications for this. First, the hiring company may have done diligence on the original contractor covering their skills, location and employment history, but the subcontractor could be anywhere in the world and have a checkered background. Second, the company no longer has control over its resources or knowledge of who is in the system, leaving them vulnerable to the will of the subcontractor.
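The pattern described in this section (one account, two people, a forwarded 2FA code) is visible in the identity provider’s own login records, because the subcontractor authenticates from a different country or device while the original contractor is still active. The following is an added example, not code from the article or from any vendor it describes: it walks a small constructed login log and flags accounts whose consecutive logins fall within a window of each other but come from different countries or devices. The event fields, account names, countries and device identifiers are all assumptions made up for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuthEvent is one successful login as an identity provider might record it.
// The field set is an assumption for this example, not a real product's schema.
type AuthEvent struct {
	User    string
	When    time.Time
	Country string // country the source IP geolocates to
	Device  string // device fingerprint or enrolled device identifier
}

// Alert pairs two logins on one account that cannot plausibly be one person.
type Alert struct {
	User   string
	Reason string
	First  AuthEvent
	Second AuthEvent
}

// SharedAccountAlerts walks each account's logins in time order and flags any
// two that fall within window of each other but come from different countries
// or different devices. A contractor who hands a subcontractor the username,
// password and 2FA code produces exactly this pattern: one account active in
// two places at once.
func SharedAccountAlerts(events []AuthEvent, window time.Duration) []Alert {
	byUser := map[string][]AuthEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order

	var alerts []Alert
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		for i := 1; i < len(evs); i++ {
			prev, cur := evs[i-1], evs[i]
			if cur.When.Sub(prev.When) > window {
				continue
			}
			switch {
			case prev.Country != cur.Country:
				alerts = append(alerts, Alert{User: u, Reason: "two countries within window", First: prev, Second: cur})
			case prev.Device != cur.Device:
				alerts = append(alerts, Alert{User: u, Reason: "two devices within window", First: prev, Second: cur})
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed login log for one morning; the accounts,
// countries and device IDs are made up for this example.
func SampleEvents() []AuthEvent {
	at := func(h, m int) time.Time { return time.Date(2024, 3, 4, h, m, 0, 0, time.UTC) }
	return []AuthEvent{
		{User: "alice", When: at(9, 0), Country: "US", Device: "lt-a1"},
		{User: "alice", When: at(9, 7), Country: "IN", Device: "lt-z9"}, // 2FA code forwarded abroad
		{User: "bob", When: at(9, 0), Country: "US", Device: "lt-b2"},
		{User: "bob", When: at(17, 30), Country: "US", Device: "lt-b2"}, // same person re-authenticating
		{User: "carol", When: at(9, 0), Country: "DE", Device: "lt-c3"},
		{User: "dave", When: at(9, 0), Country: "US", Device: "lt-d4"},
		{User: "dave", When: at(9, 20), Country: "US", Device: "lt-q7"}, // same country, second machine
	}
}

func main() {
	for _, a := range SharedAccountAlerts(SampleEvents(), 8*time.Hour) {
		fmt.Printf("%s: %s (%s/%s at %s, then %s/%s at %s)\n",
			a.User, a.Reason,
			a.First.Country, a.First.Device, a.First.When.Format("15:04"),
			a.Second.Country, a.Second.Device, a.Second.When.Format("15:04"))
	}
}
```

With an eight-hour window the sample log yields two alerts: alice (a second login from another country seven minutes after the first) and dave (a second device in the same country). The window should match how long a forwarded code or an established session stays usable; with a one-minute window neither case is flagged, which is why the window, not the country check alone, is the tuning knob in practice.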
“Paycheck Jacking”
Let’s say that Acme Corp. needs to hire 200 developers for a big project. A new form of organized crime will target Acme and apply for a dozen of these jobs with workers who appear to be qualified. They will coach them through the hiring process so that they pass the interviews and any skill assessment tests. Then, when the new hires are scheduled to start, they slip someone else into the process. Their sole intent? To let this unqualified person sit in the chair for a few paycheck cycles until Acme catches on and fires them. The bad actors collect dozens or hundreds of paychecks until they're all flushed out of the company.
In both of these cases, companies are seemingly powerless against new hire fraud within the confines of their existing systems. However, with the right identity protocols and investment in new technology, such as biometric identity proofing, companies can fortify themselves against attack.
Identity to the Rescue
Given the remote nature of this problem, identity fraud can be a difficult threat to mitigate. Adding layers of management and oversight can be expensive, but there are options for organizations to embrace. They are the same principles that have been used for years by banks for “Know Your Customer” and companies for “Know Your Employee” protections - proof of identity.
When you onboard a banking customer or hire a new employee, the organization is required to collect evidence about their identity for tax and other purposes. This proof comes in the form of one or more government-issued documents such as a driver's license, passport, or other national identity document. These documents are inspected for authenticity and the images on them are compared to the individual’s face. Until recently, this required the new hire to be present in person so that the document collection and inspection could be done by company representatives.
Historically, doing this remotely has been less than ideal. For years, these documents have been scanned by the document holder and then emailed, faxed, or uploaded to the requesting company. This introduces many challenges for both parties:
- The quality of the documents can vary depending on the person taking the picture (poor lighting or angle).
- The image file size may change depending on how it is captured (low-DPI scanner) or transmitted (emails often compress photos).
- The documents are now floating around the digital landscape - in the candidate’s email, in the HR rep’s email, or sitting on some server. This puts personal identification information at risk at every step of the journey.
- Even after documents are emailed or uploaded, you don’t have a reliable way to verify the person sending them is truly who you are interacting with.
Remote Digital Proofing and Strong Customer Authentication
Recent advances in technology and new identity-proofing standards give companies secure and trustworthy options to mitigate these risks. In addition, the documents gathered during the hiring process can be used every time the individual needs to access company resources.
Document-centric identity verification is a growing trend in enterprise cybersecurity. A recent study by Gartner found that by 2022, 80% of companies will be using this method of verification in their organizations, and over 60% of mid-size to global enterprises will implement passwordless authentication methods in the same timeframe. However, deploying this technology effectively requires an integration of document-centric verification and passwordless authentication, and careful attention to industry standards that will provide organizations maximum protection.
In 2017, the US federal government introduced NIST SP 800-63-3, whose identity proofing volume (SP 800-63A) sets a standard that organizational security measures should comply with. In short, it gives guidance on how to capture two forms of identity documentation, validate them, and compare the images on the documents with the person’s face. For organizations hiring new employees, this means they have verifiable proof, backed by a rigorous standard, that everyone signing onto their systems is who they say they are, every time.
Breakthroughs in technology have made this process possible by leveraging the smartphone or computer of the new hire. Specifically, biometric ID proofing and digital authentication make this process much easier for companies to verify their employees’ identities without a significant investment in sophisticated systems. They simply scan the documents, take a selfie, and the system does the rest, including guiding the user through the capturing of quality images. The results are a standards-based identity that an organization can trust for onboarding and re-authentication throughout their time with the organization.
It’s important to note that this form of biometric enrollment is not the same as Touch ID, Face ID and other device-based biometrics. Those biometrics are not linked to a real identity. The biometric must be a representation of one user, matched at enrollment to the government documents.
Advancements in cryptography and computing hardware now allow this enrolled identity to be verified every time the new hire accesses a computing resource. When a user enrolls their identity documents and their selfie, they are given a private key. Their identity information and selfie are encrypted and stored in a secure location. This private key is the same concept used by cryptocurrencies to keep digital wallets safe and secure. The only way the data can be unlocked is with the user’s permission. Nobody but the user has access to the user’s data.
As they embrace an identity proofing solution, companies can issue a digital credential, such as an Active Directory certificate, that allows the new hire to access internal systems. This credential is protected the same way the identity documents are. The use of cryptographic keys for authentication is a growing trend backed by another standards body, the FIDO Alliance. The acronym “FIDO” stands for “Fast Identity Online”. FIDO’s aim is to get rid of usernames and passwords, and it sets the bar on how a company can implement various authentication technologies. However, FIDO alone is not strong enough to entirely protect organizations, because proof of identity (i.e. verification against government-issued documents) is not part of the standard.
When FIDO is combined with strong identity proofing, like NIST SP 800-63-3, the process provides indisputable proof that employees, contractors or partners are who they say they are. When a person presents their credentials, they produce a digital signature with the same key that was enrolled with their identity, which cannot be used or replicated by a third party.
When a user needs to access a resource, they provide their biometric (selfie) and they can access the company’s network. There are several ways for a user to connect to a remote resource including the scanning of a QR code or triggering of a push message to their smartphone. Because of this, the organization now knows with a high degree of certainty that the person sitting at the keyboard is who they say they are - every time they authenticate.
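The enrollment and challenge-response flow described above, as an added example that is not code from the article or from any product it refers to: a key pair is generated on the user’s device at enrollment, the public key is bound to the proofing record, and each login signs a fresh server challenge that the organization verifies against the enrolled public key. It also computes an RFC 4226 one-time code so the contrast with the work-sharing scenario earlier on the page is concrete: a six-digit code is verified by string comparison and says nothing about who typed it, while a signature can only come from the device holding the enrolled private key. The record field names and the “proofing-record” references are assumptions; the HOTP secret is the RFC 4226 test secret.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// EnrolledIdentity is what the organization keeps after proofing: a reference
// to the stored proofing record (documents plus selfie) and the public half of
// a key pair generated on the user's device. The private half never leaves the
// device. Field names are assumptions for this example.
type EnrolledIdentity struct {
	User        string
	ProofingRef string
	PublicKey   ed25519.PublicKey
}

// Device stands in for the user's phone or authenticator; in practice the key
// sits in a secure element and is unlocked by the user's biometric.
type Device struct {
	priv ed25519.PrivateKey
}

// Enroll generates the device key pair and binds its public key to the
// proofing record, returning the server-side record and the device.
func Enroll(user, proofingRef string) (EnrolledIdentity, *Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return EnrolledIdentity{}, nil, err
	}
	return EnrolledIdentity{User: user, ProofingRef: proofingRef, PublicKey: pub}, &Device{priv: priv}, nil
}

// NewChallenge is the server's fresh random nonce for one login attempt; a
// signature over it is useless for any later login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign is what the device does once the user has passed the biometric check.
func (d *Device) Sign(challenge []byte) []byte {
	return ed25519.Sign(d.priv, challenge)
}

// Verify is the server side: only a signature from the enrolled key passes.
func (id EnrolledIdentity) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(id.PublicKey, challenge, sig)
}

// HOTPCode computes the RFC 4226 one-time code behind a typical "one-time
// code tool". It is a six-digit string, so it is trivially shareable over chat.
func HOTPCode(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// CodeAccepted is all a code-based second factor can check: whether the string
// matches. It cannot tell who submitted it.
func CodeAccepted(secret []byte, counter uint64, submitted string) bool {
	return HOTPCode(secret, counter) == submitted
}

func main() {
	id, dev, err := Enroll("alice", "proofing-record-0001") // constructed reference
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge()
	fmt.Println("enrolled key verifies its own challenge:", id.Verify(ch, dev.Sign(ch)))
	ch2, _ := NewChallenge()
	fmt.Println("old signature replayed on a new challenge:", id.Verify(ch2, dev.Sign(ch)))
	_, other, _ := Enroll("mallory", "proofing-record-0002")
	fmt.Println("signature from a different device:", id.Verify(ch, other.Sign(ch)))
	fmt.Println("forwarded HOTP code accepted:", CodeAccepted([]byte("12345678901234567890"), 0, "755224"))
}
```

The three verification calls are the whole point: the enrolled device passes, a replayed signature fails because the challenge changed, and a second device fails because its key was never bound to alice’s proofing record. The HOTP check, by contrast, passes for whoever holds the string, which is exactly the gap the work-sharing scenario exploits.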
The time is now for organizations to embrace these identity standards - for their sake, and for their users. As hybrid work is likely here to stay and companies assess their hiring and security practices, there has never been a better time to invest in new systems that ensure maximum protection for their most important assets.