There are only three certainties in life. Death, taxes and cybercriminals attempting to steal information they can flip for money. Verizon’s annual Data Breach Investigation Report analyzed more than 23,000 security incidents that occurred in 2022 alone, demonstrating just how attempts at illicit information harvesting have proliferated.
One of the more interesting trends to emerge since the report’s debut in 2008 is a shift in the type of information hackers target. Back then, criminals honed in on credit card data. Today, their focus is more on authentication credentials and personally identifiable information (PII). One reason for the shift is the payment card industry’s implementation of safeguards, like microchips and increased regulatory reporting. But another reason for the shift in attack targets looms large: stolen credentials and personal information are much more valuable than credit card numbers alone. Steal a person’s identity and it doesn’t matter how many times they cancel a compromised credit card.
Despite the change, the way criminals gain access to this information has remained constant over the past few years. Since 2016, social engineering has been the form of intrusion for about one-third or more of attacks. Lately, it’s become the predominant form of attack. Businesses must follow the payment card industry’s lead and shore up how they protect sensitive information and prevent against socially engineered attempts.
In a world of hyper-adept hackers, passwords are passé
Earlier this year, the online forum giant suffered a data breach. Hackers sent emails to employees asking them to submit their login credentials at a fake company intranet site. Once the phishers acquired one set of credentials, they gained access to code, and eventually, internal company documents.
Attempts like this are successful even at tech-savvy firms when standard-issue username and password logins are the norm. The good news is many organizations have moved past rudimentary password verification to multi-factor authentication (MFA) or two-factor authentication (2FA). The problem is, so have hackers. In the above example, the criminals also acquired two-factor authentication tokens (usually a one-time code texted or emailed to the user) to gain entry. Hackers can engage in “MFA bombing” even when companies set up 2FA or MFA. By using the compromised password to bombard the user’s phone with MFA notifications, users sometimes hit “allow” just to avoid further nuisance.
Hacks like this are why organizations must move past antiquated security measures, like legacy passwords and even two-factor authentication, to more robust identity verification practices.
Companies can adopt identity verification without compromising the customer experience
Identity verification, also known as identity proofing, matches a user’s real-life identity to their digital identity. When a financial services firm asks customers to submit a photo of a government ID or use a thumbprint to log into a mobile app, the firm is verifying identities. Rather than checking that the user has the appropriate credentials, these companies are verifying the user is the human they claim to be.
Sometimes, bad actors steal sensitive data because they only need one username/password and a frustrated employee who hits “allow” on an MFA attempt to access the company’s systems. If all employees are required to verify their identity via live biometric scan, fake intranet sites phishing for passwords are rendered useless.
The Reddit story focuses on employees, but the lesson of the incident applies to customers and partners as well. Verifying users are who they say they are makes it that much harder for criminals to create fraudulent accounts or access sensitive information. While improved verification methods can help prevent breaches, organizations must balance stronger verification with a smooth customer experience.
Research shows 63% of consumers feel better about a service that uses MFA, an increase from 53% last year. However, nearly six in 10 have both abandoned an online experience with a frustrating login process and are willing to leave for competitors who offer an easier login process. Firms that revise their identity verification practices must thread the needle between safe and secure and frictionless for users.
To ensure identity verification isn’t an obstacle to using an app or service, companies can begin the process of account creation. Capturing verifiable information at sign-up streamlines the user experience while safeguarding against fraud. After establishing who a customer is at account creation, companies can quickly validate identities during future login attempts or account-recovery transactions. Once the customer establishes an account with a firm that uses fraud and risk-detection tools, they do not need this level of verification unless the company detects fraud or requires account recovery.
When integrating identity verification, companies can choose between data- and document-centric authentication. Data-centric authentication methods are familiar to many. Asking a customer to confirm which address they’ve been associated with or to provide a parent’s middle name are forms of data-centric authentication. Data-centric authentication is more secure than a password-based system but still leaves customers and companies open to fraud. These bits of information are publicly available, and criminals are becoming increasingly adept at fabricating synthetic identities cobbled together from various pieces of legitimate identity data, which is why asking for this sort of data as answers to security questions is not recommended.
Organizations have another choice for identity verification, however. Document-centric methods ask for physical proof of identity, such as biometric information or an ID card. Document-centric authentication has the added benefit of requiring that a live person be present. This layer of security makes it even more unlikely that a hacker can spoof someone’s identity.
Identity verification asks who people are, not what they remember
Verizon identified more than 5,000 data breaches in 2022. As each breach carries an average price tag of $4 million or more, data breach prevention must be a key priority. More than one-third of these breaches occur due to phishing campaigns or stolen credentials, highlighting why stronger account-access protections are crucial for preventing breaches. While many organizations have progressed to multi-factor authentication and/or single sign-on to protect user accounts, forward-thinking companies can go a step further. Identity verification methods that focus on who someone is rather than specific login details are extremely challenging for criminals to bypass. Companies can also easily integrate identity verification steps into existing interactions, streamlining the customer experience in the process.
Against a rapidly evolving security landscape, it’s time to shift our focus from passwords to people: who they are, not what they remember.
As I have always said – it is verified trust that serves security, and not the zero trust approach.