Article by: David Vergara, Head of Security Product Marketing at OneSpan
From healthcare organisations, to airlines and some of the world’s biggest technology companies, data breaches have impacted virtually every industry on the planet over the last few years. They have become front-page news to such an extent that it’s a surprise when a week goes by without another breach being made public.
Even with GDPR now in full force – placing stricter controls on how businesses secure customer information – data breaches are still making headlines. However, although high-profile hacks of familiar brands are becoming more frequent, we cannot allow them to become the norm. The primary reason for this is that breaches can cause significant harm to organisations, both financially in terms of regulatory penalties and reputationally through a loss of customer trust.
And while it’s true that we are facing a rapidly evolving threat landscape with adversaries constantly developing their techniques and capabilities, poor authentication continues to play a major part in many high-profile attacks. Specifically, a lack of effective multi-factor authentication (MFA) is hindering the ability of businesses to protect themselves. The fact that weak, stolen or compromised credentials continue to be a main cause of breaches – behind 81% of attacks – proves that organisations relying solely on a single secret, like a static password, to protect data put the power firmly in the hands of the hackers rather than of the businesses themselves.
When we take a closer look at some of the major breaches to have been made public in recent years, it’s remarkable how many could have been prevented if the appropriate level of authentication had been used. In particular, two high-profile cases stand out: Reddit, one of the world’s biggest news aggregation sites, and Timehop, a popular social media nostalgia app. So what happened? And what did the two companies do to mitigate the damage and avoid future repeats?
Timehop had not protected its cloud network with MFA, so when an employee’s credentials were leaked, the hacker was granted immediate access to users’ data. As a result, virtually all of the app’s 21 million users were affected, with the compromised information including names, email addresses, dates of birth and some phone numbers. MFA, which combines at least two out of three authentication methods – including something you know (such as a PIN), something you have (such as an authentication app) or something you are (such as a fingerprint) – would have stopped the hackers in their tracks. Additional information beyond the username and password would have been required to enter the system, which they simply wouldn’t have been able to get access to.
On the other hand, Reddit had a form of MFA in place, but relied on SMS-based two-factor authentication. This method is known for its weaknesses, as the delivery of these one-time codes via SMS can be easily compromised by attackers who know what they’re doing. Although Reddit did not specify exactly how the SMS code was stolen, a common method is SIM-swapping whereby the attacker dupes the victim’s mobile provider, tricking them into tying the customer’s service to a new SIM that the hacker controls. Mobile number port-out scams are also popular schemes, where the attacker impersonates a customer and requests that the mobile number be transferred to a different network provider.
Thankfully, both Timehop and Reddit rectified their security approaches. Timehop implemented MFA to secure authentication and access controls, and Reddit encouraged users to adopt token-based MFA, admitting that SMS-based authentication “is not nearly as secure as we would hope.” However, both companies learned the hard way that the power of effective authentication should not be underestimated in today’s security climate. If the breach itself wasn’t bad enough, IBM recently revealed that the global average cost of a data breach is £3 million, as well as estimating that a breach of 50 million records or more can cost a company as much as £273 million. By these estimations, Timehop could have saved approximately £125 million had it invested in effective MFA technology.
It’s time to embrace MFA
For organisations in all industries that were not already aware, both of these recent attacks should serve as stark warnings. Businesses that haven’t yet deployed strong, multi-layered security are effectively playing a game of security Russian roulette and putting their valuable customer data at risk. Not only is it time to adopt MFA, but business and IT leaders must also ensure they are applying the right level of MFA to meet the specific needs of their organisations and end-users. For example, simply adding push authentication without the addition of a second factor, such as a fingerprint or facial recognition, does not mean the system is MFA-protected. As the Reddit hack showed, relying only on SMS-based authentication can lull businesses into a false sense of security and still give hackers opportunities to compromise corporate systems.
Therefore, as well as MFA being a must, complementary technologies like Single Sign-On (SSO) and user directory solutions also have to be included in any security ecosystem. These tools allow for strong authentication and are able to protect social media, email communications and business-critical applications.
Business heads also have to recognise that the task of securing sensitive data is more difficult than ever. When businesses discover gaps in their security protocol, leaders can be quick to point the finger at IT departments for not implementing stronger systems or putting the right technology in place. The reality is that many companies are simply confused and overwhelmed by the task of selecting the appropriate technology to fit their disparate, multifaceted infrastructures. Enterprise networks today have become hugely complicated and some tools were never intended to be used together, with the resulting integration becoming expensive, cumbersome and difficult to secure.
What’s more, today’s threats are much more sophisticated than they were even just a few years ago, meaning businesses need to adopt a layered security approach to ensure that they remain protected. As a minimum, this approach should include leveraging MFA technologies and ideally pairing the authentication technologies and modalities with a risk engine that can detect fraud in real time and dynamically adjust the required authentication workflow based on the level of associated risk.
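A small policy check that captures the article’s two points: a login is only MFA-protected when it covers two distinct factor categories (push alone, or password plus SMS under elevated risk, does not qualify), and a risk engine raises the bar for riskier logins. This is an added example, not the article’s or OneSpan’s code; the method names, risk signals, weights and thresholds are assumptions.

```python
from dataclasses import dataclass

# Each authentication method belongs to one of the three factor categories
# the article names: something you know, something you have, something you are.
CATEGORY = {
    "password": "know", "pin": "know",
    "sms_otp": "have", "push": "have", "hw_token": "have", "totp_app": "have",
    "fingerprint": "are", "face": "are",
}
# SMS one-time codes can be diverted (SIM swap, port-out), so they are
# treated as a weak factor that does not count once risk is elevated.
WEAK_METHODS = {"sms_otp"}
ALL_CATEGORIES = {"know", "have", "are"}


def is_mfa(methods):
    """True only if the presented methods span two distinct categories."""
    return len({CATEGORY[m] for m in methods}) >= 2


def is_strong_mfa(methods):
    """MFA where no weak (SMS) method is needed to reach two categories."""
    return is_mfa([m for m in methods if m not in WEAK_METHODS])


@dataclass
class LoginContext:
    """Assumed risk signals a risk engine would evaluate in real time."""
    new_device: bool = False
    new_country: bool = False
    failed_attempts: int = 0
    high_value_action: bool = False


def risk_score(ctx):
    """Additive score; weights are illustrative assumptions."""
    score = 40 if ctx.new_device else 0
    score += 30 if ctx.new_country else 0
    score += min(ctx.failed_attempts, 5) * 5
    score += 25 if ctx.high_value_action else 0
    return score


def decide(ctx, presented):
    """Return (allowed, categories still available for a step-up prompt)."""
    score = risk_score(ctx)
    cats = {CATEGORY[m] for m in presented}
    strong = {CATEGORY[m] for m in presented if m not in WEAK_METHODS}
    if score >= 70:                # high risk: all three categories, no SMS
        needed, have = 3, strong
    elif score >= 30:              # medium risk: two categories, no SMS
        needed, have = 2, strong
    else:                          # low risk: any two categories
        needed, have = 2, cats
    return len(have) >= needed, sorted(ALL_CATEGORIES - have)
```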
It’s not a simple task, but this more comprehensive approach will go a long way towards ensuring the most precise level of security for each user login or transaction, ultimately optimising the user experience and driving down malicious attacks.