The Verizon Data Breach Investigations Report (DBIR) is a great annual window onto the numbers behind the biggest cyber risk issues facing businesses and consumers. This year’s report is no exception, with vast tables and industry sector break-outs charting patterns in malicious intrusions, accidental data exposure and other incidents affecting organizations of all sizes.
Here at BehavioSec, we fight on the front lines of digital identity and authentication every day. From that vantage point it is clear that too-frequently exploited online identity systems are a major factor behind methodical, wide-scale cybercrime losses. Our team works with banks, fintech players, e-commerce retailers, mobile app developers and other stakeholders to fortify their digital services and storefronts with behavioral biometrics technology. Armed with our platform, these organizations authenticate their users according to how individuals type, swipe touchscreens and hold devices, instead of checking only whether a valid password is entered at login.
This zero-friction ability to continuously verify users of any app or online service puts merchants, financial firms and others in a better position to reduce authentication friction, slash fraud and improve risk scoring: suspect logins and transactions can be allowed to proceed under prioritized monitoring rather than blocked outright. The alternative is relying on intrusive mechanisms to keep us safe, and Verizon’s massive data set is just the latest to show that this simply is not working. Here are three specific take-aways that jump out at me from the data.
We’re living in a storm of stolen and trafficked credentials
Verizon’s data shows that login credentials were stolen in 29% of the reported breaches in its study (page 5). Given the massive scale of incidents the DBIR draws upon, this is a huge figure. Credentials were the second-most breached type of information, right behind the category leader, “personal information.” This makes sense: next to grabbing someone’s personally identifiable information (PII) for identity theft, stealing account credentials gives criminals another lucrative asset they can sell to people who want to impersonate victims, or use to pivot from the compromised account into other systems and networks.
The reality is that today when you create or reset a password (even a strong one), chances are it will eventually be exposed in a breach, trafficked and monetized, which makes it almost worthless for protecting you. Password strength defends against guessing and offline cracking, not against a breach of the site that stored it. Anyone can obtain common “credential stuffing” software, load it with harvested or stolen e-mail addresses, passwords and other data, and run that login ammunition against all manner of online accounts until live matches are found. The attack pays off because so many people reuse the same password across sites; a password that is unique to one service is at least contained when that service is breached. Credential stuffing makes cybercrime as easy as using an app to find and compare the best airline or hotel deals.
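The defender’s side of a credential stuffing run looks different from a single user mistyping a password: one source tries many different usernames in a short burst and most of them fail. The detector below is an added example written for this post, not BehavioSec’s product code or anything from the DBIR. It parses a constructed authentication log (hypothetical hosts, users and timestamps), slides a time window over the attempts grouped by source IP, and flags a source when it tries at least `min_users` distinct accounts with a failure ratio at or above `min_fail_ratio`. The successful logins inside a flagged window are reported separately as `hits`, because those are the accounts whose reused passwords just matched and need step-up verification or a forced reset. The same function can be keyed on the user-agent string instead of the IP, which catches the distributed variant where an attacker spreads the run across proxies but keeps one automation tool.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real system). alice mistypes once and
# then succeeds; 198.51.100.7 sprays six different usernames in five seconds,
# five fail and one lands on carol's reused password.
SAMPLE_LOG = """\
2019-05-20T10:00:01Z src=203.0.113.10 user=alice result=FAIL ua=Mozilla/5.0
2019-05-20T10:00:05Z src=203.0.113.10 user=alice result=OK ua=Mozilla/5.0
2019-05-20T10:01:00Z src=198.51.100.7 user=bob result=FAIL ua=python-requests/2.21
2019-05-20T10:01:01Z src=198.51.100.7 user=carol result=OK ua=python-requests/2.21
2019-05-20T10:01:02Z src=198.51.100.7 user=dave result=FAIL ua=python-requests/2.21
2019-05-20T10:01:03Z src=198.51.100.7 user=erin result=FAIL ua=python-requests/2.21
2019-05-20T10:01:04Z src=198.51.100.7 user=frank result=FAIL ua=python-requests/2.21
2019-05-20T10:01:05Z src=198.51.100.7 user=grace result=FAIL ua=python-requests/2.21
2019-05-20T10:30:00Z src=203.0.113.10 user=alice result=OK ua=Mozilla/5.0
"""


def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    events.sort(key=lambda e: e["ts"])
    return events


def summarize(key, window):
    """Describe one qualifying window; 'hits' are the accounts that logged in OK."""
    failures = sum(1 for e in window if e["result"] != "OK")
    return {
        "key": key,
        "first": window[0]["ts"].isoformat(),
        "last": window[-1]["ts"].isoformat(),
        "attempts": len(window),
        "distinct_users": len({e["user"] for e in window}),
        "failures": failures,
        "hits": sorted({e["user"] for e in window if e["result"] == "OK"}),
    }


def detect_stuffing(events, key="src", window_s=300, min_users=5, min_fail_ratio=0.6):
    """Flag each `key` value (source IP by default, or 'ua') whose attempts within
    any window_s-second span cover at least min_users distinct usernames with a
    failure ratio >= min_fail_ratio. Thresholds are illustrative assumptions;
    tune them to the service's normal failure rate. One alert per key, describing
    the most recent qualifying window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e)

    alerts = []
    for k, evs in by_key.items():
        alert = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits in window_s seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            failures = sum(1 for e in window if e["result"] != "OK")
            if len(users) >= min_users and failures / len(window) >= min_fail_ratio:
                alert = summarize(k, window)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{a['key']}: {a['attempts']} attempts on {a['distinct_users']} accounts, "
              f"{a['failures']} failed, successful hits={a['hits']}")
```

Running the block on the constructed log flags 198.51.100.7 (six attempts, six accounts, five failures, hit on carol) and leaves alice alone; keying on `ua` flags `python-requests/2.21` instead. A slow attack spread over many IPs and randomized user agents will slip past both groupings, which is why a global baseline of failed logins per distinct account, and risk signals beyond the login event itself, matter in practice.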
“2FA everything!” will not save us
Verizon’s Financial and Insurance industry breakout section (page 43) makes a good point about two-factor authentication (2FA): “2FA everything. Use strong authentication on your customer-facing applications, any remote access, and any cloud-based email. Contrarians will be quick to point out examples of second authentication factors being compromised, but that does not excuse a lack of implementation.”
Two-factor authentication offers dramatically greater protection than relying on passwords alone. Examples abound of SMS-based 2FA being bypassed by “SIM-swap” attacks, in which the attacker persuades or bribes the mobile carrier to move the victim’s phone number onto a SIM the attacker controls, so the one-time codes are delivered to the attacker instead. Even so, we are in a far better place when 2FA is the standard, not an option. Stronger multi-factor authentication (MFA) built on hardware tokens removes the vulnerable SMS channel entirely, and origin-bound tokens such as FIDO2 security keys also resist phishing of the second factor. However, a “more authenticated” user can still be a compromised user. Malware already resident on the device or in the browser can sit tight until the legitimate user dutifully completes MFA, then ride the authenticated session to steal information or manipulate transactions, which no login-time check will catch.
If you think digital trust is scarce now, wait until the Mobile Era
The DBIR has an eye-opening section on how smartphones shape cybercrime and fraud in the mobile-driven world (p. 14). The report notes:
“Research points to users being significantly more susceptible to social attacks they receive on mobile devices. This is the case for email-based spear phishing, spoofing attacks that attempt to mimic legitimate webpages, as well as attacks via social media. The reasons for this stem from the design of mobile and how users interact with these devices. In hardware terms, mobile devices have relatively limited screen sizes that restrict what can be accessed and viewed clearly. Most smartphones also limit the ability to view multiple pages side-by-side, and navigating pages and apps necessitates toggling between them—all of which make it tedious for users to check the veracity of emails and requests while on mobile.”
In other words, many PC and desktop browser anti-fraud defenses need to be reinvented for the mobile world. However, it’s not just hardware; habits matter, too. Verizon continues:
“Users often interact with their mobile devices while walking, talking, driving, and doing all manner of other activities that interfere with their ability to pay careful attention to incoming information. While already cognitively constrained, on screen notifications that allow users to respond to incoming requests, often without even having to navigate back to the application from which the request emanates, further enhance the likelihood of reactively responding to requests.”
This suggests that much of the anti-phishing awareness and healthy notification skepticism that users practice at their desks and laptops does not carry over to smartphone routines and multi-tasking.
If cybercrime artists are going to have even greater success impersonating web sites and urgent messages on mobile, the current credential compromise storm will continue to erode passwords’ effectiveness. This also puts a greater onus on brands and developers going all-in on mobile commerce to defend their legitimate app storefronts and services with behavioral biometrics defenses that offer customers a security amenity and slash fraud losses.
This year’s Verizon DBIR paints a sobering picture, but it mostly shines a deeper light on problems we already knew were real. First, authentication as we know it is broken. Second, we need to carry the lessons learned in the PC Era into how we defend shopping, banking and other essentials in the wider mobile world being driven by digital transformation. Soon we will not call it “mobile commerce”; it will just be “shopping.”