News broke overnight that the 2016 Yahoo! data breach, already considered one of the worst in history, was worse than originally thought, affected 3 billion accounts, making it far and away the worst breach in history. Lisa Baergen, Director at NuData Security commented below.
Lisa Baergen, Director at NuData Security:
“The truth has come out – the 2013 Yahoo! data breach of over 3 billion is at this point the largest cyber-attack in history. As the new October 2017 Identity Proofing Platform Scorecard from Javelin Research reveals, there’s so much for boardrooms, CIO’s and security teams to learn. Here’s just five lessons that haven’t been learned and hardened into most cybersecurity policies and strategies.
- Anyone transacting online needs to know that they *can’t* determine consumer identity solely based on previously confidential consumer data and outdated authentication processes. Javelin Research notes: “Identity proofing — must be tailored to the risks inherent in the channel, market, product type, scenario, and threat environment. In the complex financial ecosystem of 2017, a bifurcated model of identity verification and authentication fails to meet the needs of accountholders or financial institutions. Accordingly, a much more holistic approach is needed to take into account a richer array of context around the identity and behavior of the consumer.”
- Stolen credentials are big business on the dark web, and with over ten billion data records lost or stolen since 2013, criminals have a tremendous amount of consumer data to work with – some of it is very likely yours.
- Given that the average employee or consumer is very likely to reuse their same usernames and passwords across many sites, maybe it’s time to mandate policies that prohibit them from using their work addresses as secondary email addresses for verification purposes? This practice substantially expands the organization’s susceptibility to and likelihood of a phishing attack.
- Authentication that moves beyond simple logins and passwords can’t introduce new friction to interactions, because a significant percentage of customers probably won’t use it. Javelin Research: “Assessing device input behavior can create insights into digital channel fraud, but provider adoption lags. Specifically looking for unique patterns of interaction with input devices, e.g. keyboard, mouse, or touchscreen, behaviometrics can assess everything from suspicious velocity — attempting multiple applications within minutes — to aberrant navigation patterns within an online banking portal, yet the capability is only supported by 41% of ID proofing platforms.”
- Phishing – one of the oldest tricks in the fraudster’s playbook – still works. In fact, with social data and compromised credentials, it works remarkably well. If your policies and training practices aren’t up to par, you’re only inviting needless risk. Many phishing campaigns are so personalized that they have a successful open rate as high as 30%. So it’s not a question of if, but when. Are your employees up to the challenge?
“The fact is that until the organizations that hold our data adopt a tighter layered approach including passive biometric authentication, the impacts of mega breaches will continue to tear at our financial systems and consumer confidence.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.