Hacker and online security concerns rise

27 August 2021

Nicole Lin, managing director of Synology UK

With online services growing at an exponential rate, and with many of them requiring us to change our passwords every six months, we must rethink our long-term approach to identity authentication and password management.

Before 2020, remote working was a perk for employees. One pandemic and global lockdown later, the entire world was scrambling to get to grips with Zoom meetings, cloud storage and VPNs, while fast-tracking long-overdue IT skills updates.

In this global rush to remote working, handling security, particularly in the cloud, has been a challenge. Smart security providers have sensed an opportunity to market sophisticated tools to protect network infrastructure, and these tools serve a vital purpose. Advanced security gateways, for example, inspect every packet entering your network and flag any potential threat.

Now, with that disclaimer in mind, let's address the elephant in the room: these tools are like a castle built on shaky foundations if IT admins leave the humans in the organisation to their own devices when it comes to security. Verizon's Data Breach Investigations Report puts things into perspective: 61% of breaches leverage credentials. So where have things gone wrong?

Let us put ourselves in the shoes of a hacker. What will require the least amount of effort to breach an organisation’s security? Rather than spending hours identifying a system’s vulnerability to hit a target with ransomware, “guessing” a password is just as easy and allows entry without creating a fuss.

It is important to consider all aspects of passwords. We are told, reminded and encouraged to make passwords complicated. "123456", anything containing your date of birth, names, etc. are too obvious and constitute a risk. Increasing the complexity by making a password longer and including special characters is the logical solution. However, unless one has an eidetic memory, the temptation is great to re-use the same password for Gmail, Windows, Salesforce and Twitter, and once one account is cracked, your whole privacy is at risk.

This shows us one thing: passwords have served us well, but an arms race with hackers is not going to end well for corporations without a change of strategy.

So, from an individual’s perspective, how can password complexity be enhanced with a growing number to remember as we use ever more online services?

Password vaults are a first step, as they also allow us to generate strong, secure passphrases. But the more cynical of us will simply see this centralisation as a single point of failure: gain access to the vault, and every single account is then compromised.

This needs to be combined with consistent use of multi-factor authentication methods. The concept is quite simple: unauthorised logins are prevented by adding an extra layer of checks to ensure you are the right person. This is typically another device such as your phone, to which a one-time passcode is sent, which you need to enter within a short period of time to confirm you are not a hacker. Security can be pushed even further with "something you are" in the form of a biometric identifier. Smartphone fingerprint recognition is the most common example.
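The server side of that "code sent to your phone" step has a few properties the paragraph implies but does not spell out: the code is random, it expires, it is accepted once, and a guess budget stops someone trying all million six-digit values. The following is an added illustration written for this page, not Synology's own implementation; the OTPService type, the five-minute lifetime and the five-attempt limit are assumed values, and delivery over SMS or push is left out (the code is returned to the caller instead).

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"math/big"
	"time"
)

// Assumed policy values for this illustration.
const (
	otpTTL      = 5 * time.Minute // how long a delivered code stays valid
	maxAttempts = 5               // guesses allowed before the code is discarded
)

type pendingOTP struct {
	code     string
	expires  time.Time
	attempts int
}

// OTPService models the server side of the "code sent to your phone" check.
// The clock is injectable so expiry can be exercised deterministically.
type OTPService struct {
	now     func() time.Time
	pending map[string]*pendingOTP
}

func NewOTPService(now func() time.Time) *OTPService {
	return &OTPService{now: now, pending: make(map[string]*pendingOTP)}
}

// Issue generates a fresh six-digit code for user. A real service would send
// it over SMS or a push message; here it is returned so the flow can be shown.
func (s *OTPService) Issue(user string) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.pending[user] = &pendingOTP{code: code, expires: s.now().Add(otpTTL)}
	return code, nil
}

// Verify accepts a code only once, only within its lifetime, only within the
// guess budget, and compares it in constant time so timing leaks nothing.
func (s *OTPService) Verify(user, code string) bool {
	p, ok := s.pending[user]
	if !ok {
		return false
	}
	if s.now().After(p.expires) {
		delete(s.pending, user)
		return false
	}
	p.attempts++
	if p.attempts > maxAttempts {
		delete(s.pending, user)
		return false
	}
	if subtle.ConstantTimeCompare([]byte(p.code), []byte(code)) != 1 {
		return false
	}
	delete(s.pending, user) // single use: a replayed code is rejected
	return true
}

func main() {
	svc := NewOTPService(time.Now)
	code, _ := svc.Issue("alice")
	fmt.Println("first use:", svc.Verify("alice", code))  // true
	fmt.Println("second use:", svc.Verify("alice", code)) // false
}
```

The injectable clock is what makes the expiry rule testable; in production the service would be constructed with `time.Now`.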

With two-factor authentication increasingly common in the tech industry, from Gmail to Amazon accounts, one would think hackers would soon be running out of options. Well, humans are remarkably creative, and to impersonate you and "something you own" they turn to what you may have heard of as "SIM swapping": here a hacker fools your mobile provider into switching your SIM card information to a different phone, and the hacker is then able to access your verification code.

Since passwords will always present a certain level of vulnerability, the logical conclusion is to move beyond them. That is what came out of a meeting between PayPal and Validity Sensors back in 2009: when discussing the use of biometrics to identify online users, it became clear that the first bricks of an industry standard would be needed. This would soon become the FIDO Alliance, for Fast IDentity Online.

The concept is simple enough: contrary to passwords, where authentication is initiated by the user, who sends a secret to the website's servers, the FIDO approach is device-centric, with no personal or biometric information ever leaving the user's device. This is achieved with a public-key cryptography model. When registering with a website, a public key is provided rather than a password. Later, when the user wishes to log in, the website's server initiates a challenge to the user's device, which can only be answered using the private key kept on the device. Security is further enhanced by ensuring that the public/private key pair is issued for the website in question. Importantly, this removes the threat of phishing scams where a fake website, visually similar to a mainstream one, is used to collect a customer's credentials without their knowledge.
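To make the challenge-response and the per-site key binding concrete, here is an added model of the exchange, written for this page rather than taken from Synology or from the FIDO specifications (it is a simplified illustration of the idea, not a conformant WebAuthn implementation). The Authenticator and RelyingParty types, the rpID naming, the use of P-256 ECDSA and the choice to hash the site identifier together with the challenge are all assumptions of this example. It shows both halves of the paragraph: the device returns only a public key at registration, and a signature produced for a lookalike site, or captured and replayed against a new challenge, is rejected by the genuine site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. Private keys never leave it; they
// are indexed by the relying-party identifier (the site's origin), which is
// what ties each credential to exactly one site.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register creates a fresh P-256 key pair for rpID and returns only the
// public half, which is all the website ever receives.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a login challenge for the site the browser says it is talking
// to. The signed digest covers that rpID as well as the challenge, so an
// assertion produced for one site cannot be presented to another.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	digest := assertionDigest(rpID, challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// assertionDigest binds the relying-party ID and the challenge together
// (assumed construction for this illustration).
func assertionDigest(rpID string, challenge []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// RelyingParty models the website's server. It stores public keys only, so a
// leak of its user table yields nothing a hacker can log in with.
type RelyingParty struct {
	ID    string
	users map[string]*ecdsa.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: make(map[string]*ecdsa.PublicKey)}
}

func (rp *RelyingParty) Enrol(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// NewChallenge issues a fresh random nonce; every login gets its own.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against the user's public key and this site's
// own ID. A signature over another site's ID, or over an old challenge, fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	digest := assertionDigest(rp.ID, challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Login runs one authentication: rp issues a challenge, the browser hands it
// to the authenticator together with the origin it is actually connected to
// (browserOrigin), and rp checks the result. On a phishing page the challenge
// is genuine but browserOrigin is the lookalike site.
func Login(rp *RelyingParty, auth *Authenticator, user, browserOrigin string) (bool, error) {
	challenge, err := rp.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(browserOrigin, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, sig), nil
}

func main() {
	auth, bank := NewAuthenticator(), NewRelyingParty("bank.example")
	pub, _ := auth.Register("bank.example")
	bank.Enrol("alice", pub)
	fmt.Println(Login(bank, auth, "alice", "bank.example"))         // true <nil>
	fmt.Println(Login(bank, auth, "alice", "bank-example.invalid")) // false, error
}
```

The point to take from the model is that the server never sees a reusable secret: the user table holds public keys, every login signs a fresh nonce, and the site identifier is part of what is signed, so a lookalike domain cannot borrow the genuine site's credential.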

The staggering growth seen since last year in the use of malware, up by 358%, as well as ransomware, up by 435%, shows how essential it has become to spread best practices around online security, be it by standardising extra password complexity and two-factor authentication, or through a more fundamental shift in attitudes with the adoption of public-key authentication methods. To accompany this shift in attitudes, websites and platforms, as well as manufacturers of servers, must make these safer authentication methods available.