The Green Sheet

Friday, October 20, 2023

FIDO study exposes rampant phishing threats

Biometrics, passkeys and stronger authentication methods are gaining worldwide adoption, according to a new study by the FIDO Alliance. The third annual Online Authentication Barometer was unveiled on Oct. 16, 2023, at Authenticate 2023, FIDO's annual conference, held Oct. 16 to 18, at the Omni La Costa Resort in Carlsbad, California.

The report's findings were based on a survey of 10,000 consumers in the U.S., U.K., France, Germany, Australia, Singapore, Japan, South Korea, India and China, examining consumer perception of online threats and fraud, according to Andrew Shikiar, executive director and chief marketing officer at FIDO Alliance.

"This year's Barometer data showed promising signs of shifting consumer attitudes and desire to use stronger authentication methods, with biometrics especially proving popular," he said in a statement. "That said, high password usage without 2FA worryingly reflects how little consumers are still being offered alternatives like biometrics, resulting in lingering usage."

Noting that password sign-ins are particularly vulnerable to phishing attacks, Shikiar observed that 54 percent of consumers have seen an uptick in suspicious messages and 52 percent believe attacks have become more nuanced and sophisticated. Following are additional survey highlights:

  • Passwords remain prevalent: Manually entering a password without additional authentication was the most commonly used authentication method across all use cases tracked, including work computers and accounts (37%), streaming services (25%), social media (26%), and smart home devices (17%).

  • Biometrics gain ground: Biometrics narrowly beat passwords in the financial services category, where 33 percent of consumers had adopted them, compared to 31 percent using passwords to sign in.

  • Scams on the rise: AI-powered scams are a clear and present danger across several channels, including email, SMS messages, social media, and fake phone calls or voicemails. Researchers have noted that generative AI tools are a likely driver of this rise in scams and phishing threats.

AI's dark side

FIDO Alliance researchers noted that AI-driven FraudGPT and WormGPT, which were created and shared on the dark web, are helping to scale sophisticated social engineering attacks. In addition, deep fake voice and video exploits have greatly enhanced emerging attack vectors.

Shikiar pointed out that these highly accessible generative AI tools facilitate convincing and scalable attacks, stating, "it's imperative consumers and service providers listen to consumers and start to look at non-phishable and frictionless solutions like passkeys and on-device biometrics more readily available, rather than iterating on ultimately flawed legacy authentication like passwords and [one-time passwords]." 

Ted Miracco, CEO at Approov, agreed that stronger, passwordless authentication can protect against AI-driven cybercrime but cautioned against complacency, noting that stronger authentication methods are not fully immune to attacks. "If the communication channel between the user and the authentication system is compromised, an attacker can intercept or manipulate the passkey or MFA during transmission and can effectively impersonate the user or gain unauthorized access," he said. "To mitigate the risk of MITM attacks, use secure communication protocols such as HTTPS to encrypt the data transmission between the user and the authentication system."

Miracco went on to say that attested mobile devices using trusted networks for authentication will further reduce risk of MITM attacks. He also recommended using out-of-band verification methods, such as receiving authentication codes through a separate communication channel to add an extra layer of security and make it more difficult for attackers to intercept authentication codes and login sessions.


FIDO Alliance noted that passkeys, which went live last year, offer a secure, convenient alternative to passwords and two-step verification methods. The non-phishable authentication method has been publicly backed by Big Tech brands, researchers added, including Google, Apple and PayPal, in response to growing customer demand.

"When given the option, users want other authentication methods – biometrics is both the preferred method for consumers to log-in and what they believe is most secure, while awareness of passkeys continues to grow," researchers wrote.

Emily Phelps, director at Cyware, emphasized the need for better security practices in the current socioeconomic environment.

"The reality is no single authentication method is foolproof," she said. "Organizations and individuals must adopt multifactor solutions to reduce the risks of phishing attacks. It's encouraging to see an increase in consumer awareness, but awareness alone does not reduce risk. Multifactor authentication is the minimum we should be requiring to defend against social engineering tactics."
