Experts back multifactor authentication to stem stealth attacks

The 2018 holiday season has been marked by increasingly stealthy and sophisticated attacks against consumers, merchants and financial institutions, security analysts have noted. Bimal Gandhi, CEO at Uniken, a security platform, cited the Marriott Starwood data security breach which just came to light as the latest example of compromised data being resold and exploited at scale.

Marriott International disclosed Nov. 30, 2018, that the data breach may have compromised up to 500 million consumers whose personally identifiable information (PII) had been registered on the Starwood Hotel site. Marriott acquired the Starwood properties in September 2016, making it the world's largest hotel chain. Early forensic reports indicate the breach may have been initiated as far back as 2014, when unauthorized parties allegedly copied and encrypted information.

"Events like this Marriott Starwood breach underscore the sheer folly of continued reliance on outdated security methods such as using PII in authentication, given the sheer proliferation of stolen and leaked PII now available on the Dark Web," Gandhi stated. "Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well."

Gandhi urged hospitality merchants, banks and ecommerce service providers to move to advanced authentication schemes that can operate independently of PII disclosure. Migrating beyond PII authentication will preclude bad actors from hacking into networks, he advised.

"Invisible multifactor authentication solutions that rely on cryptographic key-based authentication combined with device, environmental and behavioral technologies provide just such a solution," Gandhi said. "By their very nature, they are easy to use, issued and leveraged invisibly to the user, remove human error, and defy credential stuffing and other common attacks."

Beware of 'locked' apps, websites

In his Nov. 26, 2018, blog post, "Half of all Phishing Sites Now Have the Padlock," security analyst Brian Krebs of Krebs on Security reported that cybercriminals have found a way to spoof legitimate ecommerce sites by using website addresses that begin with "https://" and the familiar padlock icon to signal they use the secure version of hyper text transfer protocol. Krebs called increased use of lock icons an alarming shift that dupes Internet users into believing that green locks indicate a website is legitimate or safe.

"In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties," Krebs wrote.

Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, agreed with Krebs' assessment, noting the "green padlock" can give users a false sense of security, because they assume it means a website is safe to use. This is not always the case, he stated.

"Attackers are always quick to adapt any innovative means to increase the click-through of their phishing sites," Bilogorskiy added. "It does not cost them anything to get an SSL certificate from Let's Encrypt to obtain the 'green padlock'. In fact, Let's Encrypt has become the largest certificate issuer in the world with over 380 million certificates issued on 129 million unique domains. That said, I am not surprised that attackers have doubled the number of HTTPS phishing sites in a year."

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.