Companies that are compromised by hackers can not afford to shift responsibility to customers for “weak” passwords, says security researcher Yiannis Chrysanthou.
Rather than focussing on something the user knows, like a password, they should focus on introducing multi-factor authentication based on something the customer has, like a smartcard, or something a customer “is,” like fingerprint verification, in order to make credential theft and impersonation much harder.
Chysanthou, who is part of KPMG’s cyber security team, made the comments in response to a series of high profile attacks on internet-based businesses. “Organisations seem to believe that if they force users to pick long complex passwords and then store them only in their cryptographically hashed formats, they are relatively safe,” he said. “The reality is that we hear of password breaches time and time and again, and this needs to change!”
The problem with focussing on passwords, says Chrysanthou, is that these are often encrypted and stored in a database alongside usernames and emails. Once hackers have stolen and published the database, these cryptographic algorithms are often hacked within a matter of days.
“Multi-factor authentication will block traditional attacks relying on guessing or stealing a user’s password because the password itself will no longer be sufficient. Of course this extra security comes with increased investment but the improved customer protection makes it viable and valuable,” he said.
Despite the data protection regulation being implemented in 2018, 69% of IT decision makers don’t have the backing of their board to achieve GDPR compliance, according to Calligo.
The majority of the region’s 28 member states report that the situation has worsened over the past year, reports business management consultant Verisk Maplecroft.
Regulators in the UK, the US and Hong Kong instituted proceedings against more than 1,700 individuals last year, or four times the number of cases brought against companies.
The US Commodity Futures Trading Commission approved LedgerX as the first regulated clearing house for derivatives contracts settling in digital currencies.