As countries around the world ease up on their lockdown measures, businesses are now having to cope with the new cybersecurity landscape that they are now faced with. Cybercriminals are currently taking advantage of the pandemic, geopolitical tensions and social unrest around the world, capitalising on the anxiety and fear many are feeling to intensify cyber attacks and phishing activities.
Interpol has warned that cybercriminals are attacking computer networks and systems of individuals, businesses and even global organisations at a time when cyber defences may be lowered due to the shift of focus to the health crisis. Adding to that, the World Health Organisation (WHO) recently saw a dramatic increase in the number of cyber attacks directed at their staff and email scams impersonating WHO personnel, targeting the public.
The pandemic also saw businesses accelerate their digital transformation, urgently moving their customer engagement and interactions online to ensure continuity and enhance resilience. However, under prepared businesses are increasingly dealing with customers, partners and suppliers online – a placewhere authentication and identity verification is of utmost importance.
According to Andrew Shikiar, Executive Director at FIDO Alliance, weak passwords are one of the main things cybercriminals target to exploit companies and individuals easily. He explained that the challenge is that many people tend to opt for simple, easy-to-remember passwords for the sake of convenience.
For example, recently it was reported that half a million Zoom credentials, username and password pairs, were found being put on sale in the dark web. It was discovered that this wasn’t due to a breach of Zoom’s servers, but rather a “successful” example of a credential stuffing attack. Stuffing attacks are when login attempts are automated using usernames and password combinations from other companies’ data breaches.
Andrew Shikiar said, “These sorts of credential stuffing attacks are successful because two in three users reuse passwords across accounts - most people opt for convenience over security
, and these habits are hard to break”.
Weak Passwords a Generation Gap Issue?
Interestingly, Andrew pointed out that the average millennial uses fewer passwords across all their accounts compared to Internet users age 55 and over. In general, millennials put less effort into traditional password security compared to older generations.
However, he added that while these password habits can be tied to a generational preference for convenience, the newer generation is naturally more tech-savvy, as they grew up with access to digital services. As such, they are the ones who are more at ease when it comes to adopting the latest and more secure technologies - such as multi-factor authentication - and they are therefore more likely to be driving the move towards a password-less future.
“These are all positive signs that as tech literacy improves with each generation, authentication habits will also shift away from passwords. Nonetheless, it is never too early nor too late to adopt best practices in authentication. Ultimately, as digitalization continues to change how we live our lives and cyber attacks become more sophisticated, opting for a more secure authentication method and away from vulnerable passwords will eventually become a norm for the consumers”.
Added Security With Multi-Factor Authentication
Andrew also believed that multi-factor authentication (MFA), including identification verification help protect businesses and personal information better. In MFA, rather than just asking for a username and password (a single factor), the user must provide one or more of these additional credentials, such as a one-time passcode (OTP) from the user’s smartphone, the touch of a hardware security key, or a biometric like a fingerprint or facial scan.
“Traditional usernames and passwords can be stolen, but with MFA, it creates multiple layers of security to help increase the confidence that users requesting access are actually who they claim to be. That’s what makes it significant - with MFA, a cybercriminal may steal one credential but will be thwarted by having to verify identity in a different manner”.
He added that newer authentication standards are even removing the password from the account creation and authentication flow altogether, instead relying on much stronger and advanced security technology to log the user in. Additionally, it is important to note that not all MFA is created equal - those that are still dependent on server-side shared secrets such as OTPs can still be hacked through what are called replay or man-in-the-middle attacks.
Essentially, Andrew pointed out the first step that businesses can take is to educate employees about the dangers of cybersecurity breaches and to practice better authentication habits.
“Password reuse is widespread even in organisations. On average, employees reuse a password 13 times and it is no coincidence that employees are the biggest threat to cybersecurity. Even cyber-aware employees can be vulnerable: upwards of 40% of well-designed phishing attacks are successful, according to Google. This shows that employees don’t just need to be better educated, but they also need better tools”.
Some key considerations for ensuring a robust authentication platform include:
Enable MFA - it ensures that accounts are up to 99.9% less likely to be compromised, according to Microsoft;
Move towards passwordless authentication.
With that said, Andrew explains that every business should be evaluating how to implement better authentication for its employees and customers, and in doing so should seek solutions that can protect valuable assets without adding unnecessary friction to the end-user.
“FIDO’s standards enable exactly that - a single-gesture user experience on top of an unphishable architecture based on public key cryptography“.
How Does It Actually Work?
Andrew explained that when a user enrolls their account for FIDO Authentication, a unique key pair is created - with a public key residing on the server (instead of a password) and a private key stored securely on their device. When it comes time to log in, the user must first prove possession of the private key to the service by signing a challenge, which is done through a simple gesture such as swiping a finger; staring at a camera; entering a PIN; inserting a second–factor device or pressing a button. The private key can then, in essence, validate itself to the public-key, thereby completing the authentication process.
“The good news is that these capabilities have been built into devices that people use every day. Every Android 7.0 or later handset and every Windows 10 PC can function as a FIDO Authenticator. Likewise, every modern web browser has built-in FIDO support”.
Hopefully, with these security measures, cybercriminals may not have an easy way in. However, at the end of the day, if employees and consumers keep using weak passwords, it will only create more opportunities for cybercrime.