Insecure Authentication Puts Sensitive Personal Data at Risk
When a sloppy authentication process collides with ineffective security measures, the risk of a “cyber breach” becomes imminent. And that is currently the case for the TransUnion credit reporting agency in Hong Kong.
The agency was ordered by Hong Kong’s Monetary Authority to suspend its online credit report services after the reported cyber breach (or the so-called “fraudulently accessed data” incident it claims) and after a newspaper’s investigation resulted in a claim that TransUnion’s customer database is easily accessible by anyone because of a loophole in the authentication process.
TransUnion is responsible for creating credit reports of Hong Kong residents seeking to borrow money or apply for a credit card from banks and businesses. Currently, it handles the data of 5.4 million consumers in the city.
With a security flaw in its database and in its authentication process, as long as you possess anyone’s identity card number, you may be able to access that person’s credit history and other sensitive personal information. This was possible through faking the required details on the online form, and then choosing “none of the above” from the five available options when answering the security questions, which resulted in access still being granted to the requested credit reports.
Such mediocre online authentication may put users’ privacy at risk, since unsavory people involved with identity theft can then take advantage of this loophole to borrow money using these stolen identities.
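The failure described above, as an added example (not code from this article or from TransUnion): a hypothetical knowledge-based check that accepts "none of the above" unconditionally, beside a version that fails closed. The record layout, field names, sample values and attempt limit are all assumptions made for illustration.

```python
NONE_OF_THE_ABOVE = "none of the above"
MAX_ATTEMPTS = 3  # assumed lockout threshold

# Constructed sample record, keyed by identity card number (all values invented).
RECORDS = {
    "A1234567": {
        "name": "CHAN TAI MAN",
        "dob": "1980-01-01",
        # question id -> the one correct option for this person
        "answers": {"q1": "Bank X credit card", "q2": NONE_OF_THE_ABOVE},
    }
}
failed_attempts = {}  # identity number -> consecutive failed verifications


def _same(a, b):
    return a.strip().lower() == b.strip().lower()


def reset_attempts():
    failed_attempts.clear()


def verify_weak(id_no, form, answers):
    """Flawed model: form details are ignored and 'none of the above' always passes."""
    known = RECORDS.get(id_no, {}).get("answers", {})
    return all(_same(a, NONE_OF_THE_ABOVE) or _same(a, known.get(q, ""))
               for q, a in answers.items())


def verify_hardened(id_no, form, answers):
    """Fail closed: details and every answer must match the server-side record."""
    if failed_attempts.get(id_no, 0) >= MAX_ATTEMPTS:
        return False  # locked until reset out of band
    rec = RECORDS.get(id_no)
    ok = rec is not None
    if ok:
        ok = _same(form.get("name", ""), rec["name"]) and _same(form.get("dob", ""), rec["dob"])
    if ok:
        # "None of the above" is scored like any other option: right only if the record says so.
        ok = set(answers) == set(rec["answers"]) and all(
            _same(answers[q], expected) for q, expected in rec["answers"].items())
    if ok:
        failed_attempts.pop(id_no, None)
    else:
        failed_attempts[id_no] = failed_attempts.get(id_no, 0) + 1
    return ok
```
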
The Takeaways - Is 2FA the Perfect Medicine?
Critics say tighter security processes involving two different layers of authentication, namely 2FA (two-factor authentication) and OTP (one-time password), should be added to the authentication process.
However, as we have discussed in a previous blog post, SMS-based 2FA solutions are not good enough since there is no fail-safe regarding security. Moreover, they are also unable to offer a seamless user experience.
In today’s mobile-first digital world, online service providers should invest in securing the best, multi-layer authentication option possible to safeguard their database and customers’ personal data. Meanwhile, they should offer such solutions without sacrificing other crucial elements such as operational effectiveness and user experience.
When executed well, enhanced security and user satisfaction can transform into comparative advantages of a company.
Sounds too idealistic? What if I told you such secure and seamless technology is already available?