Passwords, biometrics and layered security
Scott Nicholson from Bridewell Consulting recently regaled Information Age with a tale that had a whiff of James Bond about it. The company was hired by a large financial institution to test out their security. Except for a couple of limitations, they were given carte blanche. “We spent one and a half months performing reconnaissance, investigating, for example, dress code, positioning of cameras, the appearance of security badges,” says Nicholson. “We built up a physical picture of each location and created fake profiles on LinkedIn and fake security badges. We also looked at jobs being advertised, to see what technology was used. Armed with a Raspberry Pi device, we physically entered a certain building by tailgating someone in, as there was a time lag between swiping the badge and the security turning red. The device was plugged in, giving full access to the network; we were then able to become a domain administrator, capturing user names and passwords, within one day of entering the building.”
It is scary stuff: this was an institution that took security seriously, with a substantial budget, yet it was not enough. Fortunately, of course, Bridewell was on their side — just testing. But the ease with which the Bridewell team were able to capture passwords was especially worrying.
Password security is a tough one to get right
We all know that we should use a different password for each app/account. If hackers manage to find out a password we use in a poorly defended service, they might then try using that password for other services. Apply that approach at scale, and it is called credential stuffing, which occurs as cybercriminals take stolen account details from one platform and deploy bots to log into vast numbers of others using the same credentials. Once they have gained entry, criminals will abuse an account until its owners become aware, often making fraudulent purchases or stealing confidential information. According to a report from Akamai, based on research from Ponemon Institute, credential stuffing attacks are costing companies across Europe, Middle East and Africa an average of $4 million a year.
According to the National Cyber Security Centre, no less than 3.6 million people use the word ‘password’ and 23.2 million use ‘123456’ as their password.
Indeed, as Sarah Whipp, Head of Go to Market Strategy, Callsign, pointed out: “The first computer passwords were introduced in the 1960s. Yet half a century later, the technology has moved on very little and isn’t doing a particularly good job at keeping information secure.”
In one sense things have changed, however. Passwords have become more complex so that they cannot be easily guessed by bad actors. “Unfortunately, this is also one of their biggest drawbacks. The forgetting and resetting of dozens of passwords is a broken cycle that we should strive to end,” warned George Cerbone, Principal Architect at One Identity.
So, on this merry occasion, World Password Day, aside from sending everyone cards and saying ‘remember to keep your password secure,’ what can businesses do?
Passwords versus biometrics
“We all know about the issues surrounding passwords, and the damage weak or re-used credentials can cause,” said Mark Crichton, Senior Director, Security Product Management at OneSpan. He added: “There is an increasing need to evolve the intelligence, strength and complexity of the systems that work alongside passwords. Banks and other industries need to take more ownership of authentication to help detect fraudulent account access.”
Whipp focused on applying more than one authentication method. “It would be foolish to suggest that passwords are completely redundant,” she said, “they will always have a place”. She suggests that giving customers a choice in how they authenticate themselves might help. “By giving them this choice, those who haven’t created a secure password will have alternative measures in place to make sure their data won’t be compromised.”
Andy Heather, VP at Centrify, talks about zero trust. “Organisations cannot always assume that the user is who they say they are. This issue can be tackled with Multi-Factor Authentication technology and installing a password vault to keep them secure,” he said. “Companies must begin to take a zero-trust approach towards those that have access into their network in order to maintain a secure infrastructure.”
Whipp suggested that a combination of so-called hard and soft biometrics, combined with machine learning, can allow businesses to use Intelligence Driven Authentication to guarantee the security of their customers’ data. (Hard biometrics typically means facial recognition, fingerprints and iris scanning; soft biometrics covers behavioural characteristics such as how people type, move their mouse or hold their smartphone.)
Crichton suggested that while biometric authentication or advanced device recognition technology could replace the password, users are accustomed to passwords and taking this away may cause concern. He suggested that “a way forward for the industry would be to layer the technology that can effectively ignore the actual password and instead provide positive device recognition against an account name or identifier.”
On this theme, Cerbone added: “Layering security through a multi-factor process is authentication done right. And the good news is that as biometrics evolves, it can serve as a portion of the multi-factor authentication process.”
Finally, there are regulations; they are helping to push change. Crichton said that “PSD2 (The Second Payment Services Directive) and FFIEC (Federal Financial Institutions Examination Council), for example, mandate that financial organisations should perform more validation of the transaction and the devices being used to perform the transactions and to use something more secure than a static password.”