Recently, you may have heard about a company that experienced a data breach, and because you didn’t patronize this company, you presumably breathed a sigh of relief.
But don’t get too comfortable — chances are your data will be compromised in the next breach, or the one after that. When there’s a big data breach, we all lose. It’s not just the consumers whose personal information was hijacked, and it’s not just the victimized organization that has to deal with damage control and the legal and reputational aftermath.
Everyone loses. And we’ll keep on losing until we break the breach cycle.
Sadly, a healthy chunk of that stolen data, which often includes names, email addresses, phone numbers, usernames and passwords, is destined for the dark web. There it is bought and sold like pork bellies on the Chicago Mercantile Exchange, then weaponized by cybercriminals for large-scale account takeovers.
There is also some good news on the horizon: new methods of biometric-based identity proofing and authentication, with embedded certified liveness detection, can help ameliorate the impact of these data breaches. But let’s start by examining how cybercriminals exploit the data stolen in these breaches.
Pass the Credential Stuffing, Please
When it comes to data breaches, we all should be concerned. Today, cybercriminals can take full advantage of big data, high-velocity software and bot-based automation to access our online accounts. The technique used to perform account takeovers en masse is called credential stuffing — a cyberattack in which stolen account credentials, typically lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
Digital security company Akamai recorded nearly 30 billion credential stuffing attacks in 2018. Each attack represented an attempt by a person or computer to log in to an account with a stolen or generated username and password. The vast majority of these attacks were performed by botnets or all-in-one applications. If you’re like the majority of users out there, you probably reuse the same password across a variety of websites, which means you’re even more exposed.
Unfortunately, because of the frequency and scale of recent data breaches, combined with the speed and reach of botnets, there’s a general consensus that the worst is yet to come.
Statistically speaking, credential stuffing attacks have a very low rate of success. Many estimates have this rate at about 0.1%, meaning that for every thousand accounts an attacker attempts to crack, they will succeed roughly once.
But before you dismiss this as an inconsequential threat, consider how large a pool these cybercriminals are leveraging. Back in February, TechCrunch reported that a batch of 127 million records stolen from eight companies was available on dark web market Dream Market. The asking price? $14,500 (naturally payable in bitcoin), which translates to a cost of 11 cents per 1,000 records. The sheer volume of the credential collections being traded by attackers makes credential stuffing worth it, in spite of the low success rate.
So, if an attacker purchased the aforementioned 127 million records, their bots would probably yield around 127,000 successfully cracked accounts (0.1% of 127 million). Once these accounts are cracked, cybercriminals can mine them for profitable data, often credit card numbers or sensitive information that can be used in phishing attacks. Plus, the attacker is likely to target other online accounts (banking, social media, email) of the same user, since passwords are often recycled across multiple websites and online services.
That’s where the real sting of a data breach occurs — it’s the downstream damage that happens when a cybercriminal hacks into legitimate accounts. And what facilitates all this damage is our collective reliance on the simple password.
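As an added illustration of the attack pattern described above (not code from the original article), the following Python heuristic flags login sources that try many distinct usernames with a high failure ratio, the signature that separates a stuffing bot from a user retrying one account; the log line format, the sample log and the thresholds are assumptions.

```python
"""Flag credential-stuffing sources in web login logs: one source trying
many different usernames with almost all attempts failing (the article
puts the success rate near 0.1%), unlike a user retrying one username."""
import re
from collections import defaultdict

# Constructed sample log (not from a real system); IPs are RFC 5737 test addresses.
SAMPLE_LOG = """\
2019-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-05-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-05-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2019-05-01T10:00:03Z ip=203.0.113.5 user=erin result=OK
2019-05-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-05-01T10:05:00Z ip=198.51.100.7 user=alice result=FAIL
2019-05-01T10:05:09Z ip=198.51.100.7 user=alice result=FAIL
2019-05-01T10:05:20Z ip=198.51.100.7 user=alice result=OK
"""
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def summarize_sources(log_text):
    """Per source IP: total attempts, distinct usernames tried, failed attempts."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:          # ignore lines that are not login events
            continue
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "FAIL":
            s["failures"] += 1
    return stats


def flag_stuffing_sources(log_text, min_attempts=5, min_users=5, min_fail_ratio=0.8):
    """Return {ip: (attempts, distinct_users, fail_ratio)} for sources whose
    volume, username spread and failure ratio all look like stuffing."""
    flagged = {}
    for ip, s in summarize_sources(log_text).items():
        ratio = s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_users
                and ratio >= min_fail_ratio):
            flagged[ip] = (s["attempts"], len(s["users"]), round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for ip, (n, u, r) in flag_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} attempts across {u} usernames, {r:.0%} failed")
```

On the sample log only 203.0.113.5 is flagged; the retrying user at 198.51.100.7 hits a single username and stays below the attempt threshold.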
Overcoming the Faulty Password
The good news is there are some alternatives that can mitigate the damage. Probably the most prevalent option is SMS-based two-factor authentication, which provides an extra layer of security when users log in from a different location or from a different device. Unfortunately, only a small percentage of consumers use this form of authentication — for example, less than 10% of Gmail users have activated two-step verification. More importantly, SMS-based two-factor authentication has been undermined by various man-in-the-middle and man-in-the-browser attacks, as well as SIM swap frauds carried out by tricking mobile providers.
Biometrics: Do You Hold the Key to Data Security?
SMS-based two-factor authentication is clearly a step in the right direction, especially when it comes to thwarting account takeovers. But another method of authentication is starting to gain traction. Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who he says he is. Biometric authentication systems compare a freshly captured biometric sample to stored, confirmed authentic data in a database.
There are a variety of biometrics that can be used to help corroborate identity — some are physical traits (e.g., face, fingerprint, iris and vein), while others are behavioral (e.g., gesture, keystroke and voice). Behavioral biometrics can be a powerful alternative but typically require multiple interactions to determine a reliable baseline.
It’s the combination of leveraging a biometric with certified liveness detection that ensures, with a high degree of assurance, that the person logging in is, in fact, the registered account owner.
When you think back to the original problem, large-scale data breaches are feeding the dark web with unprecedented amounts of static PII data, including boatloads of usernames and passwords. Fraudsters then purchase these credentials for pennies on the dollar and use botnets to hack into our online accounts (which are generally protected only with a username and password). It’s a pretty bleak picture.
When your online account is protected with biometric authentication, credential stuffing attacks are rendered utterly useless. With this approach, it doesn’t matter if your username and password fall into the hands of a cybercriminal, because they won’t be able to access your account without a corroborating live video selfie of you. Even if a sophisticated fraudster is clever enough to create a deepfake video (which might spoof some weak 2D liveness detection solutions), biometric-based solutions with certified liveness detection will easily detect these spoofs and automatically reject them as fraudulent. So, we don’t need shared secrets anymore, nor do we need to worry about our biometric data falling into the wrong hands — certified liveness detection overcomes many of the shortcomings of traditional authentication methodologies.
To better understand the role of certified liveness detection and biometric authentication in preventing account takeovers, I encourage you to check out Trusted Identity from Start to Finish, a new FindBiometrics white paper (sponsored by Jumio and FaceTec). In it, you’ll learn how certified liveness detection and face biometrics can help you shut out fraudsters while welcoming good customers in.