Kyle Kilcoyne By Kyle Kilcoyne • November 21, 2017

What You Are vs. What You Know -  Why Companies Are Becoming Targets for Hackers

What You Are vs. What You Know - Why Companies Are Becoming Targets for Hackers

Recent data breaches have put a new spotlight on just how problematic traditional user authentication methods built around what a person knows have become. Data pertaining to more than 143 million people was involved in the breach, including birthdays, Social Security Numbers and similar personal details. What’s more frightening, however, is how easily this breach could have happened to any company.

While many breaches occur due to a simple web vulnerability, these are fairly common breaches, as major enterprise software systems often go without updates due to complex patching and release cycles in large IT configurations.

American Banker put the issue into perspective by highlighting that this breach provides enough data to allow hackers to perpetrate identity theft, not just use a person's credit card information. With so much data lost and so many people affected, it is time for organizations to take a serious look at why these types of breaches occur and why certain businesses get targeted.

In many cases, there is a common problem in the form of authentication methods that rely heavily on personal information.

The Authentication Problem

The real issue at hand with modern data breaches isn’t so much that the hacks are happening – attackers have so many opportunities to steal data that they are inevitable in the current industry climate. The problem is that data breaches often lead to the loss of personal details. These information sets are often the same data that is being used to authenticate user accounts on other sites. The result is a cascading breach effect where one incident gives hackers the data they need to steal accounts and keep crime waves going.

Once personal information becomes public knowledge - which happens often as people share personal details freely on social media and hackers sell stolen data on the dark web - traditional authentication methods are rendered useless. Al Pascual, senior vice president, research director and head of fraud and security at Javelin Strategy & Research, told American Banker that the Equifax incident puts a spotlight on just how problematic longstanding authentication methods have become.

"Financial institutions and other similar businesses that rely on personally identifiable information are being confronted with an environment where all of this data is being bought and sold, fed by these types of events," Pascual told the news source.

It is time for organizations to advance their authentication strategies. They can’t afford to assume they won’t become a target. Bloomberg reported that Equifax has had to triple the size of its contact center staff in the aftermath of the attack. Some experts anticipate class action lawsuits related to the data breach to create damages upwards of $70 billion.

So what can businesses do to avoid a similar event? One of the best steps to take is to update authentication processes to take advantage of multiple types of identity verification. Combining methods based around what users know with details about who they are can help companies ramp up authentication and reduce the risk of data breach. 

Reinventing Authentication for the Digital World

Adopting multi-factor authentication is a simple enough idea. It unifies common security methods to add multiple layers of security. These methods include:

  • What-you-know authenticators - Passwords, personal information and similar data that you know, making them easy to recall and use to unlock access to a service.
  • What-you-are authenticators - Biometrics and similar attributes of an individual that help define who you are and make it easy to verify your identity.
  • What-you-have authenticators - Social security numbers, physical keys, identification cards and similar objects that you possess and therefore can control for authentication purposes.

Individually, each of these authenticators present too many ways to be compromised to work well. Furthermore, two-factor forms of authentication that rely on just one method are similarly problematic. Businesses that want to adequately protect access to accounts and verify user identities for digital transactions need to be able to mix and match these methodologies.

For example, a fingerprint alone is a very secure authenticator, but there are ways to mimic a person's fingerprint to trick a security system. Combining a fingerprint with a password is useful, but passwords are still fairly weak. What-you-are security methodologies are usually better than what-you-know authenticators, but finding ways to blend all three capabilities is essential. CONFIRM™ is stepping in to meet these demands with robust identity management tools.

Our digtial ID authentication technology leverages two things most consumers have: a government ID and a smart phone. This creates a digital link by authenticating the government ID  - something that's officially issued and not self-attested like email based OAUTH - and coupples that with a consumer-captured selfie to compare against the image in the document.  AI-powered computer vision technology then forensically analyzes the document to make sure it isn't fraudulent and capture consumer data on the ID. Organizations typically compare that data with one or more databases to verify a person's identity. Essentially, the technology intermingles all three authentication methods to provide a much more secure ID verification process than what is otherwise available.

Legacy methodologies for user authentication can make a business a target. Organizations that want to avoid a similar event can update their ID verification processes for better user authentication. 

Download our new eBook: KBA: The First Link in a Chain of Cascading Cybersecurity Failures