Data breaches affecting large online service providers persist even as these incidents bring about garish headlines, high fraud costs, and other consequences. You might think that a series of mishaps such as these would be a run of extraordinarily bad luck. Fortunately, such an otherworldly conclusion is a far worse one to draw than the less-profound verdict that catastrophic data breaches are interrelated. And, that their root causes are known, addressable, and preventable.
Breaches show no sign of subsiding. Familiar online service providers serving the UK — Ticketmaster, Dixons Carphone, Timehop, MyFitnessPal, to name a few — unhappily count themselves as recent data breach targets. A common theme tying together these incidents is that the affected enterprises stored passwords and other credentials such as bankcards centrally. This is no surprise since Verizon reports that 81 percent of data breaches are credentials-based.
Even with other authentication factors, features, and experiences on top of access, sensitive data based on shared secrets inevitably saunters out the door or gets ushered out the door. The Verizon number points to the need to rethink authentication for account management and payment authorization. It’s not the retrospective on past breaches that’s concerning. Left unanswered, the question of how to protect our progressively digital transactions will result in more similar breaches.
Left unaddressed, trouble spawns or invites more trouble. Recurrent data breaches compound an already serious problem for consumers and enterprises. With all of these credentials out in the wild from prior breaches, it increases the likelihood for more of these breaches to happen. The reason why is one that further links data breaches of this kind: credential reuse habits and credential reuse attacks.
An increasingly connected life causes the average person to juggle dozens of online accounts. It’s rational for us to seek consolidation and ease, and this desire is supported by studies that reveal consumers often use the same password across different applications.
We’re counseled to create unique, complex passwords, and to manage them impeccably. Then the same designers of the password regime ask us to forget all of this and substitute a cherished phrase or song lyric. Next, we face character limits or minimums, special character inclusion, and we’re asked to alter our favorite phrase every fiscal quarter. Few people outside of security professionals granularly manage large supplies of passwords, and not one of us enjoys it. Thus, credential reuse habits endure.
Then there are attacks exploiting password reuse. With every breach comes hackers’ increased ability to leverage credential reuse attacks since more, and more accurate, recycled credentials are available for credential stuffing, as it is also known. Such an attack is automated and volume-based. Hackers spray libraries of available credentials against enterprises not yet breached, with an alarming 2 percent success rate.
With 4 billion people worldwide connected to the Internet, apps with multimillion user populations, and passwords as the #1 credential, mass data breaches will continue. This is despite those enjoyable biometric and single sign-on experiences layered atop password login and payment authorization. An enterprise that has a central password repository is only as safe as the Equifax’s LinkedIn’s, and Yahoo!’s of the world.
Breached data from social media accounts is being used in attacks on banks, insurers, and payment networks. The failings of passwords and their central storage means the threat is out of any executive’s control. Social account fraud begets financial fraud and even mission-critical fraud. If there’s a shared challenge, there must be a shared solution or something to emulate.
How are large firms in the know responding? Some, mainly financial firms with easily quantifiable fraud losses, are inverting the threat model by decentralizing credentials, isolating and encrypting them on mobile devices. PKI in concert with password-less features such as biometrics means there is no longer a need for a password. The consumer or employee registers their credentials — biometrics, PINs, bankcards, even passwords if wanted — onto their device, and they communicate with the service provider via tokenization. The experience for both parties to the transaction is improved since users are quick to abandon passwords. Through attrition, the enterprise’s password central store and attendant risk are removed.
We have our mobile device manufacturers to thank for innovating to where a mobile device has all of the convenience and security features necessary to eliminate the password, providing the application is tied to a properly architected authentication regime. Making matters simpler are open standards such as those created by the Fast IDentity Online (FIDO), whose adoption is gaining traction and which are developed with security and friction-free experiences in mind.
Putting mobile devices to their highest and best use by making them digital keys harkens back to the days when a consumer (or similarly, an employee logging into a workstation) held sensitive information on their person. It’s also a means to a future with less preoccupation about credentials-based fraud. The rise of GDPR and PSD2 is creating urgency around a discussion over how to handle authentication and payment data more responsibly. If the government has acted, often it is in recognition of a large-scale, shared challenge.
An answer to how we’ll preempt the next breaches is also long overdue. Passwords, 40 years old, haven’t kept pace with online growth and fraud. Their management challenges are a usability and security failing that hastens our move to a secure password-less Internet. Catastrophic data breaches are in fact cyclical. As we work hard to sleep better as fraud lurks, we can retire the habits and outmoded systems that keep our doors unlocked.
George Avetisov, CEO and Co-Founder of HYPR Corp
Image Credit: Ai825 / Shutterstock