[BreachExchange] What data breaches teach us about security procedures

Destry Winant destry at riskbasedsecurity.com
Fri Apr 17 10:26:00 EDT 2020


The last decade saw countless data breaches with the personally
identifiable information (PII) of millions exposed and sent into the
realms of the dark web. But while organisations may face fines and
reputational damage over lapses in cybersecurity, and consumers could
see losses of all kinds, the impact of a data breach doesn’t stop

The recent attempted cyber attacks on Tesco and Boots’ loyalty card
schemes show us exactly why. With both of these instances, hackers
attempted to use stolen credentials (i.e., usernames and passwords)
that had been used on other websites to gain access. This is called
account takeover (ATO) fraud, whereby hackers use legitimate, yet
stolen, credentials to gain access to an online account. What’s more
worrying is that bots are now capable of performing upwards of 100
attacks per second, making it easier and faster for fraudsters to
commit ATO fraud on a massive scale.

While both retailers managed to detect the breach before any accounts
were accessed, it begs the question as to whether the traditional
password/username combo is strong enough to withstand the onslaught of
more sophisticated cyberattacks and credential stuffing attacks. A
recent study by Google found 66% of those polled said they use the
same password for more than one online account, with the average user
having 7.6 social media accounts.

This bad password hygiene can be detrimental to a whole plethora of
organisations, even if they weren’t the ones hacked in the first
place. With so many people using the same usernames and passwords for
many of their accounts, and a rise in data breaches, companies are all
at risk from the lasting impact of cybercrime.

Outdated methods simply won’t cut it

Knowledge-based authentication is inherently weak, with hackers able
to find potential answers to security questions through social media
feeds and even more readily on the dark web. In recent years,
SMS-based two-factor authentication has become the norm for securing
online accounts such as email clients against cyber hijacking and they
are clearly an improvement over the password only defense.

However, there have been a few notable attacks where hackers have
hijacked the SMS message system via man-in-the-middle attacks. In
reaction to the recent cyberattack attempts, Boots stopped cardholders
from being able to spend points, Tesco stopped all account access and
both retailers also reissued cards. While this attempt to mitigate the
damage is important, these moves don’t quite go far enough as these
measures are still reliant on the same vulnerable methods of
authentication that got them into this position in the first place.

Account takeover fraud often leads to huge financial damages for
companies but also reputational damages. Technology has made this kind
of fraud much easier to implement as often these attacks happen using
credential stuffing where hackers use a list of usernames and
passwords to access accounts through large-scale automated login
requests, usually leveraging bots.

This wide-reaching way of targeting companies means that there is an
8% chance of a successful attack. Once one attack is successful, they
are also more likely to be able to take over other online accounts
using the same login details.

Looking to the future

Instead of just reissuing cards and blocking accounts, companies need
to put more stringent security measures in place to protect their
customers from being victims of crimes of this nature. Face-based
biometrics is now a viable, and more secure alternative to these
traditional forms of user authentication. This kind of verification
and authentication method provides far greater protection against
account takeover than traditional passwords. At enrollment, the user
starts by capturing a picture of their government-issued ID and then
takes a corroborating selfie.

This is compared to the picture on the ID to ensure the person is who
they claim to be when creating new accounts online. During the
selfie-taking process, the frames of the video selfie are then
reconstituted to create a 3D face map containing over 100 times more
liveness data than a 2D photo. Now, when there is a risky transaction
(e.g., a high value transaction or even a password reset), the user
just takes a fresh video-selfie, a new 3D face map is created, and
instantly compared to the original 3D face map for an instantaneous

Obviously, this type of biometric-based authentication is far more
reliable and secure than a simple password and prevents any
third-party from taking over an online account.


In this day and age, where so much personal data is available, the
traditional authentication processes used to protect customers and
businesses are vulnerable and a mere inconvenience for hackers who
want to access an account. Turning to face-based biometric
authentication procedures is the only way organisations can truly
protect their ecosystems and customer accounts.

More information about the BreachExchange mailing list