FIDO Alliance Executive Director and Chief Marketing Officer Andrew Shikiar discusses how organisations can build a phishing-resistant authentication platform and argues that the elimination of passwords is the first step…
By Andrew Shikiar
Phishing is the top security threat for businesses around the world. In fact, it is involved in 78 percent of cyber-espionage incidents, according to a report by Verizon. In Southeast Asia, this is especially prevalent where nearly 90 percent of data breaches in 2019 were found to have involved phishing.
What is more worrying is the 350 percent increase in phishing attacks reported by Google in March this year, driven by the pandemic. Amongst these attacks, emails that impersonate authorities, such as the World Health Organization (WHO), stand out. Such scam mails are sent to persuade victims to download software or donate to bogus causes, where attackers then gain access to personal information, and cheat individuals of their cash and savings.
Today’s pandemic allows cybercriminals to take advantage of the situation, capitalizing on the anxiety and fear that the public is feeling. In this period where many people rely on global governing bodies for the latest update on COVID-19 are times where we cannot afford to fail in online authentication and cybersecurity. Businesses and public sector organizations have more to do to guard themselves against phishing attacks.
Phishing attacks are carefully designed to manipulate emotions and tap into victims’ unconscious biases. Cybercriminals often disguise as a trustworthy entity to obtain sensitive information, playing to victims’ empathetic side or natural instincts. One notable phishing attack is the Netflix scam that has surfaced recently amidst the coronavirus lockdown streaming boom. More than 700 fake websites resembling Netflix signup pages were created to harvest personal information.
Cybercriminals create fraudulent websites that imitate the real deal, using similar domain names, URLs, and page design, right down to the payment options. The attack takes place when victims enter their personal data and payment information, unaware of the scam they have been caught themselves in.
The modus operandi of phishing attacks is simple but effective and many people fall prey to it in Southeast Asia. Phishing is continually on the rise in this region, remaining the ‘favorite’ attack mechanism amongst cybercriminals even in 2020.
Credentials, such as usernames and passwords, are by far the most common attribute compromised in phishing. Once obtained, there is nothing stopping the hackers from accessing any information associated with the accounts. This situation is exacerbated by poor password habits. Password reuse is widespread in organizations and employees reuse a password an average of 13 times, according to a report by LogMeIn. This potentially exposes a user’s entire chain of accounts, including organizational ones, which can lead to devastating consequences for his personal privacy and workplace security.
For organizations to better protect themselves against such attacks, they should explore phishing-resistant security, especially one that relies less on passwords for access.
Multi-factor authentication (MFA) is a commonly used technology that adds extra security on top of a password. In MFA, rather than merely requesting for a username and password (a single factor), the user is prompted to provide one or more credentials, such as a one-time passcode (OTP) from the user’s smartphone, the use of a hardware security key, or biometric data like a fingerprint or facial scan.
Microsoft has pointed out that users who enable MFA end up blocking 99.9 percent of automated attacks. But, it is very important to note that not all MFA solutions are the same. While the extra layers of security that OTPs and other common MFA methods provide may seem promising, they do not protect businesses from phishing attacks.
Phishing resistant MFA solutions, especially those built on FIDO’s ‘unphishable’ architecture, ensures that data stays on the user’s device so it cannot be hacked from a server or be used by different online services to collaborate and track a user across services the user has subscribed to. This essentially eliminates the threat of phishing or account takeover, while offering a convenient, hassle-free customer experience.
Businesses should look to phishing-resistant MFA methods as the first step towards reducing reliance on passwords and protecting themselves against phishing. But, as businesses tighten up their authentication security, they need to make sure they are not compromising on customer or user experience in the process. This is especially crucial, as customers are expecting more convenience and less friction when interacting with brands.
The good news is that most modern devices such as PCs and smartphones are coming equipped with technology to provide a good user experience while protecting businesses and customers from phishing and other cyberattacks.
While it may not be realistic to expect entire industries to eliminate passwords overnight, it is no doubt the direction we should steer towards. Opting for “unphishable” strong authentication solutions should be the first step on this journey, with the ultimate goal of doing away with passwords for good.
(Ed. Featured image by Photographer João Jesus.)