Goods and services are sold through online sites. Consumers buy anything from movie posters to dishwashers online. Some of the transactions test the limits of the credit card. Credit card companies in turn watch over their usage and can spot suspicious actions. They also record the purchases.
Business-to-business buyers however can place online orders valuing in tens or hundreds of thousands of dollars. They access an online B2B portal using their password to create these orders. And here's the discrepancy…a weak and vulnerable authentication method is used to make substantial orders.
Granting access to the B2B portal based on password, or federated identity from the customer domain is typically enough. Access can only reveal information such as pricing, discount percentage, product listings etc. Finalizing a transaction is the moment when damages can occur. A password can fall into the wrong hands (inside or outside) too easily.
Proper confirmation of a transaction with a financial value of a defined threshold should be a defacto standard practice. If the transaction value is more than $5,000, confirmation using a stronger method should be required. Using a confirmation method, or step-up authentication, that uses an approach where the purchase manager can not even by mistake divulge the credentials are resistant to advance persistent threats or social engineering.
A stronger authentication method such as SMS one-time-password is easy to use, and can be tied to the purchase manager’s mobile phone number. By combining the authentication event, transaction data, and the date & time, you can create very auditable entries to your B2B online service. Furthermore, these kind of methods will also alert the purchase manager if someone is trying to place an order using their credentials as the individual gets an SMS message to their phone. If this individual is not in the process of creating such an order, they can immediately recognize that their credentials have fallen to the wrong hands. PKI provides even heavier protection for transaction confirmation with the option of digitally signing the transaction.
Identity and Access Management (IAM) solutions are not only about controlling access they can be used to protect your resources, help build audit trails to meet compliancy requirements and more.