Why cybercriminals prefer passwords

Dangerous Password

By Alessandro Chiarini

Are passwords still a viable security option in 2019?

I wouldn’t try to protect a mobile payment network with them.
I wouldn’t use them to control access to a healthcare facility.
I wouldn’t trust them to safeguard online retail transactions either.

Granted, they do provide a tiny measure of security, but experience shows passwords are hacked, stolen, and guessed too easily to rely on one day longer. Passwords have become an open invitation to costly fraud and invasion.

The fact is, data breaches are happening constantly, all over the world. Most go unreported because they make the victimized institutions look careless and untrustworthy.

As someone who advises financial, healthcare, and retail organizations, I can tell you that hesitating to adopt robust multi-factor authentication usually stems from one or more of the following:

  • Underestimating the ingenuity of modern cyber-criminals and the vulnerability of passwords.
  • Misunderstanding the unique power of biometrics.
  • Anticipating a negative customer reaction.
  • Fearing logistical complexity and expense.

Hackers and Passwords

In March, Citrix sustained a data breach that may have exposed six terabytes of sensitive data. Citrix is a global technology company. Its people know better than most what they’re up against. Yet, a group of hackers styling themselves IRIDIUM penetrated their defenses with a technique called password spraying. This only works if some percentage of the target’s passwords are among the most common in the world. Then it’s just a question of brute force.

In addition, passwords can be:

  • Accidentally exposed (Equifax)
  • Stolen from third-party platforms such as Git Hub (Uber)
  • Taken in phishing attacks (Anthem)
  • Lent to bad actors by helpful co-workers (NSA/Snowden)

For more large-scale horror stories, scan this article. It features names such as Yahoo, Marriott, Target, and others. The word “password” appears often, and never in a flattering way.

But you get the point. No matter who you are, if passwords play a central role in protecting entry, access or transactions, you are vulnerable to catastrophic loss and urgently in need of a new, multi-factor biometric security strategy.

The Power of Biometrics

A quick history lesson.

Traditionally, system security has been based on what you have (bank card) and/or what you know (password). Obviously, things you have and know can be hijacked one way or another. And they are. Frequently.

As these first two approaches began to fail under the onslaught of cyber-thugs and fraudsters, a third approach was introduced based on who you are intrinsically (fingerprint, voiceprint, retina, face,, etc.)This was a major step forward. So far, biometric factors are very difficult to steal, counterfeit, borrow or lend, especially in combination..

Passive biometric factors take “who you are” one step further by simultaneously analyzing the way you hold your phone, swipe, type, etc.

Organizations that recognize the crime-stopping potential of mobile biometric authentication are using it in multi-modal, multi-factor ways. That is, they are literally wrapping entry, access, and transactions in layers of nearly spoof-proof biometric security. No half measures!

For example, a bank might employ the following protocol to authenticate a user and give him access to his account:

Facial recognition or Fingerprint.
Via mobile device to establish first phase of authentication.
Voice recognition
User reads a randomly generated 10-digit number that’s compared against his voiceprint on file.
Passive biometrics.
At the same time, the system analyzes how the user is interacting with his phone and compares it to his biometric profile.
Device recognition.
Finally, the system confirms the phone number and other code numbers associated with the device.

If any form of authentication fails, access is denied.

This brings us to the issue of customer experience. Isn’t it likely this protocol is too onerous for busy people to tolerate?

The Myth of Customer Resistance

In my consulting work, I’m often confronted with concerns such as,

“Our customers will never go for a multi-step process.”
“Everyone is perfectly happy right now.”
Even….
“Some of our customers are quite old!”

Let’s consider these objections one at a time.

User experience. Rather than being impractical and burdensome, the protocol above is optimized for people working from a mobile device. Holding the phone. Touching it. Speaking into it. What could be simpler or more natural? And two of the steps are completely transparent!

User satisfaction. These days, customers are often more concerned about the security of their identities, data, and money than management realizes. Ask them. You’ll find that everything about multi-factor authentication suits users fine. The new minimum standard.

A Logistical Nightmare?

Anyone can be forgiven for thinking the Biometric Fortress outlined above requires months to implement. But your developers could integrate it into your current operation with a truly minimal amount of code.

A Huge Expense?

Compared to the financial loss and reputational damage of a successful data breach, multi-factor authentication is extraordinarily inexpensive.

Let Us Advise You.

Whether you’re a CEO, CISO, COO, CFO or the newest developer on the team, we can give you detailed and straightforward counsel on the advantages and process of adopting multi-factor authentication.

To arrange a conversation:
Contact us

To register for our SDK: