The last decade saw countless data breaches with the personally identifiable information (PII) of millions exposed and sent into the realms of the dark web. But while organisations may face fines and reputational damage over lapses in cybersecurity, and consumers could see losses of all kinds, the impact of a data breach doesn’t stop there.
About the author: Labhesh Patel, Chief Technology Officer and Chief Scientist, Jumio.
The recent attempted cyber attacks on Tesco’s and Boots’ loyalty card schemes show us exactly why. In both instances, hackers attempted to gain access using stolen credentials (i.e., usernames and passwords) that had been used on other websites. This is called account takeover (ATO) fraud, whereby hackers use legitimate, yet stolen, credentials to gain access to an online account. What’s more worrying is that bots are now capable of performing upwards of 100 attacks per second, making it easier and faster for fraudsters to commit ATO fraud on a massive scale.
While both retailers managed to detect the attacks before any accounts were accessed, it raises the question of whether the traditional username/password combination is strong enough to withstand the onslaught of more sophisticated cyberattacks and credential stuffing attacks. A recent study by Google found that 66% of those polled use the same password for more than one online account, with the average user having 7.6 social media accounts.
This bad password hygiene can be detrimental to a whole plethora of organisations, even if they weren’t the ones hacked in the first place. With so many people using the same usernames and passwords for many of their accounts, and a rise in data breaches, companies are all at risk from the lasting impact of cybercrime.
Outdated methods simply won’t cut it
Knowledge-based authentication is inherently weak, with hackers able to find potential answers to security questions through social media feeds and even more readily on the dark web. In recent years, SMS-based two-factor authentication has become the norm for securing online accounts such as email against hijacking, and it is clearly an improvement over a password-only defence.
However, there have been a few notable attacks where hackers have hijacked the SMS message system via man-in-the-middle attacks. In reaction to the recent cyberattack attempts, Boots stopped cardholders from being able to spend points, Tesco stopped all account access, and both retailers also reissued cards. While these attempts to mitigate the damage are important, the moves don’t go far enough, as the measures still rely on the same vulnerable methods of authentication that got the retailers into this position in the first place.
Account takeover fraud often leads to substantial financial and reputational damage for companies. Technology has made this kind of fraud much easier to carry out, as these attacks typically use credential stuffing: hackers take a list of usernames and passwords and attempt to access accounts through large-scale automated login requests, usually driven by bots.
This wide-reaching way of targeting companies means that there is an 8% chance of a successful attack. Once one attack succeeds, the attackers are also more likely to be able to take over other online accounts that use the same login details.
Looking to the future
Instead of just reissuing cards and blocking accounts, companies need to put more stringent security measures in place to protect their customers from becoming victims of crimes of this nature. Face-based biometrics is now a viable and more secure alternative to these traditional forms of user authentication, and it provides far greater protection against account takeover than traditional passwords. At enrollment, the user starts by capturing a picture of their government-issued ID and then takes a corroborating selfie.
The selfie is compared to the picture on the ID to ensure the person is who they claim to be when creating a new account online. During the selfie-taking process, the frames of the video selfie are reconstituted into a 3D face map containing over 100 times more liveness data than a 2D photo. Later, when a risky transaction occurs (e.g., a high-value transaction or even a password reset), the user simply takes a fresh video selfie; a new 3D face map is created and compared to the original 3D face map for near-instant authentication.
Obviously, this type of biometric-based authentication is far more reliable and secure than a simple password and prevents any third party from taking over an online account.
In this day and age, when so much personal data is available, the traditional authentication processes used to protect customers and businesses are vulnerable and a mere inconvenience for hackers who want to access an account. Turning to face-based biometric authentication is the only way organisations can truly protect their ecosystems and customer accounts.