Taking Human Error Out Of The Authentication Equation

Could removing human error from the authentication equation stop attacks like WannaCry before they begin? In the May Digital Identity Tracker™, powered by Socure, PYMNTS caught up with Brett McDowell, executive director of the FIDO Alliance, about how biometrics and second-factor authentication are replacing error-ridden, human-generated passwords, and why that’s good news for everyone (except the bad guys). Plus, find the latest Digital Identity headlines and a directory of 111 players in the space, inside the latest Tracker.

On May 12, hospitals in England and Scotland, railroads in Russia, corporations in China and organizations on six continents came to a screeching halt.

A ransomware attack carried out with a piece of malware called WannaCry, or Wanna Decryptor, infected computers in more than 100 countries, all told. The software was reportedly built on exploit code stolen from the NSA; it encrypted victims' files, rendering their computers and networks inoperable, and demanded a ransom payment to restore them. The attack had devastating effects, disrupting operations in hospital emergency rooms and other sensitive environments. Its full impact is still not known.

As governments and experts around the world scramble to deal with the effects of the attack, questions abound about who (or what) is to blame and how something like this can be prevented in the future.

But the biggest culprit may be human error. According to recent research, 71 percent of breaches involve passwords that were either weak enough to be cracked by bad actors or stolen from a usually unwitting human through a phishing scam.

This all comes as no surprise to Brett McDowell, who is working with a team of corporations in verticals from financial services to software to take human error out of the authentication equation, as part of the FIDO Alliance.

“When they investigate this latest ransomware attack and how it got started, ultimately it’s malware that somehow got on the device,” he said. “Someone was able to trick a user into doing something to put malware on their device. That was the way in, and once it’s in a network, [the] next thing you know, we’re reading about all these capabilities it has in the news.”

In a recent interview with PYMNTS, McDowell said that the best way to protect against global attacks like WannaCry — or even small-scale breaches — is to stop them before they happen, by replacing authentication details that can be stolen or compromised by human error with credentials that cannot.

Because once hackers get their hands on the information, it’s already too late to stop them.

No Password, No Cry?

McDowell said that his philosophy at the FIDO Alliance calls for a reduction in the types of login credentials that have been popular up to this point. The problem with these authentication methods, McDowell said, is that even the most stringent security systems can be beaten easily once they depend on a human not making a mistake.

“Any authentication credential should have some characteristic where the user cannot be tricked into giving it to a fraudster or to any party that would abuse the service, whether it’s an account takeover, a ransomware attack or anything else,” McDowell explained. “There needs to be some element of a credential’s design that can’t be stolen — it can’t be guessed — because there are just too many ways for fraudsters to trick people into getting these credentials.”

Consumers are notoriously bad at keeping their own security secrets, well, secret. Phishing attacks have been around for decades, which is positively ancient by digital standards, but they still manage to hook everyone from everyday consumers to major political organizations into handing their passwords to fraudsters. And once fraudsters have a username and password, they can log in and move funds without being detected, because a login with a valid password looks exactly like the legitimate user.

Fraudsters can be so refined at getting people to disclose sensitive information that even security experts and employees at companies working to protect information can be deceived into giving away the keys to a digital city.

“There is a whole industry that will pressure-test a security department’s employees. They will come in, do a fake phishing scam, a fake malware download, a fake password request and see how many people follow through with it. I’ve never heard of a test like that coming up empty, where no one fell victim to it, even at a security firm,” McDowell explained.

Finding New Ways to Fight Fraud

These weaknesses, and how easy they are to exploit, may spell the end for the familiar username-and-password login. Already, consumers are telling researchers that they prefer new authentication methods to these more traditional, familiar verification practices.

To follow through on that philosophy of theft-proof authentication, McDowell said he and his team at the FIDO Alliance have built two types of credentials to replace outdated models. First, there is a passwordless option (the FIDO UAF specification) that removes passwords from the authentication process entirely, instead prompting the user to unlock an on-device authenticator with, for example, a fingerprint. The fingerprint is matched locally and the biometric data never leaves the device; the service holds only a public key, so there is no shared secret for hackers to steal.

For those who still prefer passwords, the second-factor model (the FIDO U2F specification) has the user enter a password much as before, then adds a second factor in the form of a small dongle plugged into the device. The user presses the button on the dongle to approve the login; the dongle answers a one-time challenge from the site with a signature from a private key that never leaves it, so a fraudster who has the password, or even a response captured on a phishing site, still cannot get in without the dongle.

With both systems, McDowell said, the goal remains the same: to take human error out of the equation. With biometrics and a physical second factor of authentication, even fraudsters who obtain a password by getting an employee or consumer to give away their PIN or password would be turned away without the second factor of authentication.

“A typical username and password, where the user decides what the secret is and how to protect it, is called a bearer token. And these systems are designed so if anyone has that bearer token, they can gain legitimate access to a network or sensitive information,” he said. “These systems that we are working on are designed to make it so it takes more than a simple bearer token to gain that access.”
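The distinction McDowell draws, a bearer token versus a credential that needs more than possession of a secret, is easiest to see in code. The following is an added example written for this page, not code from the FIDO Alliance or any of its specifications; it is a deliberately simplified model of the FIDO-style challenge-response flow (one key pair, JSON client data, Ed25519 signatures), and the origins `https://bank.example` and `https://bank-login.example`, the user `alice`, and the `userPresent` flag standing in for the button press or fingerprint match are all assumptions of the example. The server stores only a public key; the authenticator signs a one-time challenge together with the origin the browser actually visited, so a stolen password, a replayed assertion and an assertion collected on a look-alike site all fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is what the authenticator signs: the server's one-time challenge plus the
// origin the browser actually connected to; no phishing page can make the browser lie about it.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models the on-device credential (dongle or fingerprint-unlocked key store); the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Register creates the key pair and hands back only the public half for enrolment.
func Register() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

// Sign answers a challenge. userPresent stands for the button press or the
// biometric match: without that gesture the device refuses to sign anything.
func (a *Authenticator) Sign(browserOrigin, challenge string, userPresent bool) (cd, sig []byte, err error) {
	if !userPresent {
		return nil, nil, fmt.Errorf("authenticator: no user-presence gesture")
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin}) // cannot fail for this struct
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(a.priv, h[:]), nil
}

// RelyingParty is the server. It holds public keys and outstanding challenges only.
type RelyingParty struct {
	Origin     string
	users      map[string]ed25519.PublicKey
	challenges map[string]string // user -> challenge, deleted once used
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, users: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// BeginLogin issues a fresh random challenge that is good for exactly one attempt.
func (rp *RelyingParty) BeginLogin(user string) (string, error) {
	var b [32]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	rp.challenges[user] = fmt.Sprintf("%x", b)
	return rp.challenges[user], nil
}

// FinishLogin verifies an assertion: the challenge must be the outstanding one and is consumed
// (no replay), the signed origin must be this server (no relay from a look-alike site), and the
// signature must verify under the enrolled public key (nothing a user can be tricked into typing).
func (rp *RelyingParty) FinishLogin(user string, cd, sig []byte) error {
	pub, ok := rp.users[user]
	if !ok {
		return fmt.Errorf("unknown user")
	}
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return err
	}
	if want, ok := rp.challenges[user]; !ok || parsed.Challenge != want {
		return fmt.Errorf("challenge unknown or already used")
	}
	delete(rp.challenges, user)
	if parsed.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was signed for %q", parsed.Origin)
	}
	if h := sha256.Sum256(cd); !ed25519.Verify(pub, h[:], sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	bank := NewRelyingParty("https://bank.example")
	dev, pub, _ := Register()
	bank.Enroll("alice", pub)
	c, _ := bank.BeginLogin("alice")
	cd, sig, _ := dev.Sign(bank.Origin, c, true)
	fmt.Println("login from real site:", bank.FinishLogin("alice", cd, sig))
	c, _ = bank.BeginLogin("alice") // fraudster starts a real login and relays the challenge to the victim
	cd, sig, _ = dev.Sign("https://bank-login.example", c, true) // victim's browser is on the look-alike origin
	fmt.Println("relayed from phishing site:", bank.FinishLogin("alice", cd, sig))
}
```

Contrast this with a password check, where the server compares a stored secret against whatever was typed: anyone holding the secret passes, which is exactly the bearer-token property described above. Here the only thing the user can be tricked into providing is the one-time challenge, and that is useless without the private key and the right origin.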

By this logic, could stopping the next global malware attack depend on designing defenses that hold up against even the smallest human error? And is there really any way of stopping international hackers determined to wreak havoc? One thing seems increasingly clear: the password is no longer “password.”

About the Tracker

The PYMNTS.com Digital Identity Tracker™, powered by Socure, is a forum for framing and addressing key issues and trends facing the entities charged with efficiently and securely identifying and granting permission to individuals to access, purchase, transact or otherwise confirm their identity.