Over the past few months, LinkedIn, Twitter, MySpace and even Mark Zuckerberg have fallen victim to cyberattackers. The recent string of breaches has potentially compromised the data of millions of people and has highlighted a number of shortcomings in both the security strategy of businesses and user behaviour.
While each breach may have occurred for different reasons, one thing they all have in common is the compromise of user credentials where a simple username and password have been employed as the only form of authentication.
In May of this year, it was claimed that over 117 million email addresses and hashed passwords had been leaked from the 2012 LinkedIn data breach and, as a result, the company was force-resetting the passwords of the affected accounts. However, in the days and weeks following the breach, there were some notable knock-on effects of the passwords being leaked.
Password skeleton key
For example, Microsoft’s Identity Protection team decided to ban the usage of common or simple passwords that may be easy to guess or have already appeared in breach lists, such as the LinkedIn data. The ability to prevent the use of simple and often guessed passwords, such as '12345', 'qwerty', or 'password', which appear regularly on the 'most used' lists, is a technique that has been widely adopted within the enterprise for many years. However, this method of password security really is the bare minimum and does not go far enough in solving the problem.
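The kind of check described above, as an added example (not code from the article, Microsoft or any vendor it names): a password is rejected if it is on a common-password list, is a trivially decorated variant of one, or its unsalted SHA-1 digest appears in a breach corpus. Both word lists here are constructed samples; the minimum length, the normalisation rule and the use of SHA-1 digests for the breach side are assumptions for illustration.

```python
"""Banned-password check: reject common passwords, their trivial variants,
and anything already present in a breach list.

Added example, not code from the article. Word lists are constructed samples;
a real deployment loads a large common-password list and a corpus of many
millions of breached digests.
"""
import hashlib
import re

MIN_LENGTH = 8  # assumed policy value

# Constructed sample of a "most used" password list, stored lower-cased.
COMMON_PASSWORDS = {"123456", "12345", "qwerty", "password", "letmein", "abc123", "iloveyou"}

# Constructed sample of a breach corpus. Only unsalted SHA-1 digests are kept (the form the
# leaked LinkedIn hashes took), so the plaintexts never have to be stored alongside the service.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Summer2016!", "linkedin2012", "Welcome1")
}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def base_word(password: str) -> str:
    """Strip the usual decoration ('Password123!' -> 'password') so trivial variants of a
    banned word are caught as well as the word itself. All-digit inputs reduce to ''."""
    folded = password.strip().lower()
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", folded)


def check_password(password: str) -> list[str]:
    """Return every reason the password is rejected; an empty list means it is acceptable."""
    reasons = []
    folded = password.strip().lower()
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if folded in COMMON_PASSWORDS:
        reasons.append("appears on common-password list")
    else:
        base = base_word(password)
        if base and base in COMMON_PASSWORDS:
            reasons.append("variant of a common password")
    # The breach list is matched on the exact string: that digest is what leaked.
    if _sha1_hex(password) in BREACHED_SHA1:
        reasons.append("appears in a known breach list")
    return reasons


def is_allowed(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("qwerty", "Password123!", "Summer2016!", "tulip-harbour-ledger"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Keeping the breach side as digests rather than plaintexts means the check itself never becomes a second copy of the dump, and the variant rule is what stops "Password1" from slipping past a list that only contains "password".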
It also emerged that Mark Zuckerberg’s personal Twitter and Pinterest accounts were breached using a password that was exposed in the LinkedIn dump, showing the serious impact that password reuse can have on online security. Bad actors have been able to take advantage of this with a botnet that takes stolen credentials and tries them in a multitude of places.
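From the defender's side, the traffic such a botnet produces has a recognisable shape in authentication logs: one source trying many different usernames with almost every attempt failing, which looks nothing like a legitimate user mistyping their own password. The detection below is an added example, not code from the article; the log line format and the sample lines are constructed (source addresses are from the RFC 5737 documentation ranges), and the thresholds are illustrative assumptions.

```python
"""Detecting credential-stuffing traffic in authentication logs.

Added example, not code from the article. The log format, the sample lines and the
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed authentication log, one attempt per line.
SAMPLE_LOG = """\
2016-06-06T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2016-06-06T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2016-06-06T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2016-06-06T10:00:03Z src=203.0.113.5 user=dave result=OK
2016-06-06T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2016-06-06T10:00:04Z src=203.0.113.5 user=frank result=FAIL
2016-06-06T10:01:10Z src=198.51.100.7 user=alice result=FAIL
2016-06-06T10:01:25Z src=198.51.100.7 user=alice result=FAIL
2016-06-06T10:01:40Z src=198.51.100.7 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarise_by_source(events: list[dict]) -> dict:
    """Per source address: attempt count, failure count, distinct usernames tried,
    and the usernames that actually succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "successes": set()})
    for e in events:
        s = stats[e["src"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "OK":
            s["successes"].add(e["user"])
        else:
            s["failures"] += 1
    return stats


def detect_credential_stuffing(text: str, min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.8) -> dict[str, list[str]]:
    """Return {source: sorted usernames that succeeded from it} for every source that behaves
    like a stuffing bot: many distinct usernames, nearly all of them failing. The successes are
    the accounts a defender would force-reset or step up, since those credentials were reused."""
    flagged = {}
    for src, s in summarise_by_source(parse_log(text)).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[src] = sorted(s["successes"])
    return flagged


if __name__ == "__main__":
    for src, hit_accounts in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: stuffing pattern, accounts opened: {hit_accounts or 'none'}")
```

The single user at 198.51.100.7 who fails twice and then gets in is deliberately not flagged: the signal is breadth of usernames per source, not failures alone. In practice the grouping is done per source within a sliding time window, and a botnet spreads attempts across many addresses, so the same aggregation is also worth running per user agent or per network block.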
However, the LinkedIn breach doesn’t come close to the MySpace attack which allegedly stole the usernames and passwords of over 360 million accounts, making this one of the biggest breaches in recent times.
The constant stream of breaches making the headlines shows that attackers will go after any data in any way that they can, and once they have their hands on a list of credentials, it can serve as a skeleton key to users’ lives on the internet.
Learning the lessons
The lesson that both users and businesses have to take away from all of these breaches is that they are still far too vulnerable to bad actors and cybercriminal activity. For too long we have relied on passwords as the single form of access control, and that is simply not adequate to protect any information or personal data.
These attacks should serve as a hefty reminder to businesses that they need to continuously innovate in their approach to authentication, taking themselves far beyond traditional username and password and even vanilla two-factor approaches. The cumbersome early days of multi-factor authentication cast a shadow on the technology, but times have changed.
Organisations must strengthen their defences against cyber adversaries by employing cutting-edge adaptive authentication, which has the unique advantage of increasing security without a major impact on user experience. By layering multiple methods of risk analysis before the user even logs in, such as device recognition, analysis of the user’s physical location, past and current login history, or even behavioural biometrics that continually verify the true identity of the end user, the customer keeps a simple user experience while stolen credentials are made completely worthless.
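A minimal risk engine of the kind described here, as an added example (not code from the article or from SecureAuth): each contextual signal adds to a score after the password has been verified, and the score decides whether the login is allowed, requires a further factor, or is refused. The device identifier is assumed to come from a device-recognition cookie, the country from upstream IP geolocation, and the failure count from a per-account counter; weights, thresholds and the user history are illustrative and constructed.

```python
"""Adaptive (risk-based) authentication: score a login attempt from contextual signals
and decide whether to allow it, demand a further factor, or deny it.

Added example, not code from the article or from SecureAuth. Signal weights, thresholds
and the sample history are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Illustrative weights; a production engine tunes these against real login data.
W_UNKNOWN_DEVICE = 40
W_NEW_COUNTRY = 25
W_FAST_COUNTRY_CHANGE = 30
W_FAILURE_BURST = 20
FAST_TRAVEL_WINDOW = timedelta(hours=2)   # two countries inside this window is implausible
FAILURE_BURST_THRESHOLD = 5               # failed attempts on the account in the past hour

STEP_UP_AT = 30   # score at which an additional factor is demanded
DENY_AT = 70      # score at which the attempt is refused outright


@dataclass
class LoginAttempt:
    username: str
    device_id: str   # assumed: stable identifier from a device-recognition cookie
    country: str     # assumed: resolved upstream from the client IP
    at: datetime


@dataclass
class UserHistory:
    known_devices: set[str]
    recent_logins: list[LoginAttempt] = field(default_factory=list)  # oldest first
    recent_failures: int = 0  # assumed: counted upstream over the past hour


def risk_score(attempt: LoginAttempt, history: UserHistory) -> tuple[int, list[str]]:
    """Sum the triggered signals and name each one, so a step-up prompt or a denial
    can be explained in the audit log."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += W_UNKNOWN_DEVICE
        reasons.append("unrecognised device")
    if history.recent_logins:
        if attempt.country not in {l.country for l in history.recent_logins}:
            score += W_NEW_COUNTRY
            reasons.append("country never seen for this account")
        last = history.recent_logins[-1]
        if last.country != attempt.country and attempt.at - last.at < FAST_TRAVEL_WINDOW:
            score += W_FAST_COUNTRY_CHANGE
            reasons.append("country changed faster than travel allows")
    if history.recent_failures >= FAILURE_BURST_THRESHOLD:
        score += W_FAILURE_BURST
        reasons.append("burst of failed attempts on this account")
    return score, reasons


def decide(score: int) -> str:
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def evaluate(attempt: LoginAttempt, history: UserHistory) -> tuple[str, int, list[str]]:
    """Run after the password has been verified; returns (decision, score, reasons)."""
    score, reasons = risk_score(attempt, history)
    return decide(score), score, reasons


# Constructed history: alice normally logs in from one laptop in GB.
T0 = datetime(2016, 6, 6, 9, 0)
ALICE = UserHistory(
    known_devices={"laptop-01"},
    recent_logins=[
        LoginAttempt("alice", "laptop-01", "GB", T0 - timedelta(days=1)),
        LoginAttempt("alice", "laptop-01", "GB", T0),
    ],
)


def scenarios() -> dict[str, tuple[str, int, list[str]]]:
    """Three constructed attempts, all presenting the correct password."""
    routine = LoginAttempt("alice", "laptop-01", "GB", T0 + timedelta(hours=8))
    new_phone = LoginAttempt("alice", "phone-02", "GB", T0 + timedelta(hours=8))
    # A reused credential replayed from an unknown device, an unseen country ("ZZ" is a
    # constructed code), half an hour after alice's genuine login, amid a burst of failures.
    stuffed = LoginAttempt("alice", "bot-777", "ZZ", T0 + timedelta(minutes=30))
    under_attack = UserHistory(ALICE.known_devices, ALICE.recent_logins, recent_failures=6)
    return {
        "routine": evaluate(routine, ALICE),
        "new_phone": evaluate(new_phone, ALICE),
        "stuffed": evaluate(stuffed, under_attack),
    }


if __name__ == "__main__":
    for name, (decision, score, reasons) in scenarios().items():
        print(f"{name}: {decision} (score {score}) {reasons}")
```

The point of the third scenario is the one the paragraph makes: the password is correct in all three cases, yet only the routine login passes silently, the new phone triggers a second factor, and the replayed credential is refused on context alone.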
It’s also become clear that we are not doing a sufficient job in the security industry of educating end users. Simply asking users to make a password more complex is not working as a solution, nor are people able to remember a range of complex passwords for the numerous sites that today’s online lifestyles require. It’s well-known that users will take the path of least resistance, whether that’s reusing the same password across multiple sites or simply writing their password on a piece of paper. Progress will require a reframing of our understanding of what is safe behaviour when connected. Users need more education to understand how to be vigilant about protecting their identities online and a way to do this simply.
Protecting the future
As we move forward in 2016, it is critical that security continues to innovate to keep ahead of the attackers. Critical business information and personal data must be protected by more than just the password, or even basic second-factor methods, and the future of our online lives must move away from the two-box login that we’ve grown so complacent about.
Keith Graham, CTO at SecureAuth