The Myspace hack shows the fallibility of passwords and the dangers of complacency
The need for 'attack-aware' protection on digital platforms
Social media is now a fundamental part of how we behave as a society, and for those of us of a certain age, and I certainly fall into this category, it all started with one platform. Back in the early 2000s, long before Facebook and Twitter, Myspace was the platform of choice and at its peak had 100 million monthly users. However, its popularity quickly declined once Facebook and other social media channels gained traction. Many users abandoned their Myspace profiles but never actually closed them down. Earlier this month, those users who had neglected their orphaned accounts had a bit of a nasty shock.
In the last couple of weeks, hackers have put more than 360 million Myspace accounts up for sale in a 33 gigabyte dump posted online, a vast leak of personal details that included passwords, email addresses and usernames. While many of these accounts have lain stagnant for years, the danger is that many users have kept the same password for lots of different online accounts. This includes financial accounts, where many are still using the same password they were using at the peak of Myspace’s popularity.
Better omni-channel password security
Earlier this year credit checking agency Experian revealed that bank customers who use the same password for online shopping accounts, phone apps and other services are unwittingly fuelling a spike in current account fraud. Using the same password, or even similar variants of one password, for multiple services makes things infinitely easier for criminals, which can end up putting us in their crosshairs.
The answer, particularly for digital banking and financial services, is to adapt the security format to something that’s better suited to the modern customer. If we know that customers will likely be using an identical or very similar password for multiple accounts, then we need to take that into consideration when ensuring that their finances are kept secure.
A progressive security framework
The solution is to implement passwords as part of a progressive security framework. Such methods give customers control over which security methods are used and when, increasing the level of security and the credentials required in line with the risk of the transaction. So, checking a balance could be done with a biometric fingerprint scan alone, while making a payment to an existing payee may require an additional password or PIN.
Additionally, it’s not just the point of access that financial services providers need to worry about. What the Myspace hack shows us is the inherent fallibility of a perimeter-focused approach. Hackers only need to get past the password to get access to an account, and they then have free rein to do as they please. More often than not, financial services providers have no method of detecting or dealing with a threat once it’s inside the account or banking system.
Detecting and protecting against security breaches
Intelligent Environments is looking to tackle the problem with Interact AppSensorFS, the world’s first ‘attack-aware’ run-time application protection, which monitors user behaviour to detect a possible security breach and tackle it. Recently we have entered into a new partnership with Queen’s University Belfast to incorporate the institution’s Centre for Secure Information Technologies’ research into cybersecurity and artificial intelligence within Interact AppSensorFS.
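The in-session, behaviour-monitoring approach described above (detection points in the style of OWASP AppSensor, with step-up authentication from the progressive framework as one possible response), as an added illustration rather than code from the article or from Intelligent Environments; the event names, thresholds and the 'alice' session are constructed assumptions, not product values:

```python
from collections import defaultdict, deque

# Detection points: event name -> (threshold, window in seconds, response).
# Constructed for this example; a real deployment tunes these per application.
DETECTION_POINTS = {
    "AUTH_FAILED":    (5, 300, "lock_account"),  # repeated wrong password/PIN
    "PAYEE_ADDED":    (3, 600, "step_up_auth"),  # burst of new payees mid-session
    "PARAM_TAMPERED": (1,   0, "lock_account"),  # edited account id in a request
}

class AttackAwareMonitor:
    """Counts detection-point hits per user inside a sliding time window and
    returns the response to apply, so a threat is handled after login, not
    only at the perimeter."""
    def __init__(self, policy=DETECTION_POINTS):
        self.policy = policy
        self.hits = defaultdict(deque)   # (user, event) -> hit timestamps
        self.locked = set()

    def record(self, user, event, ts):
        """Record one event at time ts; return the response to apply now, or None."""
        if user in self.locked:
            return "blocked"             # stays locked until reviewed
        if event not in self.policy:
            return None                  # ordinary activity, e.g. BALANCE_VIEWED
        threshold, window, response = self.policy[event]
        q = self.hits[(user, event)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                  # discard hits outside the window
        if len(q) < threshold:
            return None
        q.clear()                        # reset the counter after responding
        if response == "lock_account":
            self.locked.add(user)
        return response

def run_sample():
    """Constructed session: 'alice' adds payees in a burst, then tampers with a request."""
    events = [
        ("alice", "BALANCE_VIEWED", 0), ("alice", "PAYEE_ADDED", 10),
        ("alice", "PAYEE_ADDED", 20), ("alice", "PAYEE_ADDED", 30),
        ("alice", "PARAM_TAMPERED", 40), ("alice", "BALANCE_VIEWED", 50),
    ]
    m = AttackAwareMonitor()
    return [m.record(u, e, t) for u, e, t in events]
```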
It’s time for us all to move on from the password and adopt a more sophisticated approach to security. It’s simply not good enough for the financial services industry to still be using the same methods Myspace used back in its heyday. Even if password requirements are becoming more complex, we need to ensure that they are deployed as part of a system that puts control over security in consumers’ hands, and that can respond to and deal with threats if the worst does happen.