Why Most Used Authentication Systems Are Not Good Enough To Combat Techie Criminals & What Is

May 16, 2019
4 minute read
Category: Security
Author: Harry Cheung

I’m just going to say it - the security landscape is more vulnerable than ever before. Just check this out - more than three-quarters of users across Asia have experienced some type of online theft.

If that wasn’t enough, Experian's "2019 Global Identity & Fraud Report" found that more than two in five consumers worldwide have already experienced a fraudulent event online at some point in their lives.

From here, it only gets more interesting.

To start with, the world is increasingly going mobile. In 2019, there are a staggering 5.11 billion unique mobile users in the world, up 100 million in the past year, and it’s only predicted to grow from here.

Now, while computer security could definitely be much safer, it’s still far ahead of mobile security in terms of how much research & investment it received over the years. And considering the usage statistics, we can see that mobile is slowly becoming a priority.

With all this in mind, it’s clear that today’s criminals and fraudsters are very tech-savvy while the security measures currently in place fail to stay ahead of them or are simply not good enough.

Still, the fact that they worked well at some point in time doesn’t mean they should just be discarded right away (at least not all of them), but implementing them appropriately is crucial.

Passwords, 2FA, biometrics, and how we can actually stay one step ahead of these techie criminals - let’s go through it all.

Passwords for Authentication Should Have Been Obsolete Yesterday

We’ve talked about it, and many other experts have said it before - passwords, and especially the way in which they are reused across the internet, are ready to call it a day.

Do you know that from 2016 to 2017, for example, the share of data breaches caused by weak or stolen passwords rose from 63 to 81 percent? These are not meaningless numbers.

Strong passwords are not good enough by today’s standards, let alone the weak, reused passwords regular people use every day. The worst thing is that they might not even know their passwords have been compromised, when in fact the criminals could already be using those credentials for their newest scheme: credential stuffing on another service.

You might have heard about it before, but today’s tech-savvy fraudsters have taken it to a whole other level. They can make login requests appear to come from different IP addresses and browsers, which helps them get around security measures that only recognize repeated login requests from a single IP address.
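One defender-side check that still fires against the distributed pattern described above, as an added example (not code from the original post): aggregate failed logins across all source IPs and accounts inside a time window instead of only counting per IP. The log format, addresses and thresholds are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original post). Each line is
# "<ISO timestamp> <source ip> <username> <FAIL|OK>": ten failures spread over
# ten IPs and ten accounts inside ninety seconds, mixed with normal traffic.
SAMPLE_LOG = """2019-05-16T10:00:01 203.0.113.5 alice OK
2019-05-16T10:00:04 198.51.100.7 user01 FAIL
2019-05-16T10:00:09 198.51.100.23 user02 FAIL
2019-05-16T10:00:15 192.0.2.44 user03 FAIL
2019-05-16T10:00:21 203.0.113.88 user04 FAIL
2019-05-16T10:00:28 198.51.100.91 user05 FAIL
2019-05-16T10:00:33 192.0.2.130 user06 FAIL
2019-05-16T10:00:40 203.0.113.17 user07 FAIL
2019-05-16T10:00:47 198.51.100.200 user08 FAIL
2019-05-16T10:00:52 192.0.2.9 user09 FAIL
2019-05-16T10:01:03 203.0.113.250 user10 FAIL
2019-05-16T10:01:30 203.0.113.5 alice OK"""

def parse_log(text):
    """Yield (timestamp, ip, user, failed) tuples from the log format above."""
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "FAIL"

def max_failures_per_ip(events):
    """The classic per-IP check: failures produced by the busiest single source."""
    per_ip = Counter(ip for _, ip, _, failed in events if failed)
    return max(per_ip.values(), default=0)

def stuffing_signal(events, window=timedelta(minutes=5), min_accounts=10, min_ips=10):
    """Aggregate failures across all sources inside a sliding window. Many distinct
    accounts failing from many distinct IPs in a short burst is the signature of
    distributed credential stuffing, even though no single IP looks noisy."""
    failures = sorted((ts, ip, user) for ts, ip, user, failed in events if failed)
    best = {"accounts": 0, "ips": 0, "alert": False}
    for i, (start, _, _) in enumerate(failures):
        in_window = [f for f in failures[i:] if f[0] - start <= window]
        accounts = len({user for _, _, user in in_window})
        ips = len({ip for _, ip, _ in in_window})
        if accounts > best["accounts"]:
            best = {"accounts": accounts, "ips": ips,
                    "alert": accounts >= min_accounts and ips >= min_ips}
    return best
```

On the sample log the per-IP counter peaks at 1, so a per-IP limit never trips, while the windowed view sees ten accounts failing from ten addresses and raises the alert.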

Have you checked your passwords? Visit Have I Been Pwned and check if your credentials have been compromised, and while you’re at it try not to get shocked by the number of emails that have been pwned.

It’s time to say goodbye to passwords, but we’ve all known this for a while. That’s why different 2FA methods and biometrics first appeared, when it seemed that increasing the complexity of the login process would increase security as well. But let’s see if that was actually the case.

Can 2FA or Biometrics Stop Tech-Savvy Fraudsters?

You’ve definitely used 2FA at one point or another; it has pretty much become the standard. It first appeared years ago in the form of codes sent via SMS, which has been proven ineffective time and time again.

Shortly after, specialized authentication apps and hardware tokens were introduced in the hope of saving 2FA. However, while in principle 2FA based on one-time codes sounds great, in practice it hasn’t done so well.

Whether SMS 2FA or the more advanced methods, they’ve all been hacked on multiple occasions. This process has in fact been so successful that an automated 2FA phishing tool was developed.

More importantly, 2FA complicated and prolonged the login process, which explains the very low adoption rates among users. In 2018, Google revealed that more than 90% of Gmail users hadn’t opted to use two-factor authentication.

Remember, 71% of users prefer an authentication option because it’s easy to use!

What about biometrics? They are very easy to use.

That’s true, but the ease of use of biometrics comes at the cost of security, and I don’t think any of us are fine with that.

Fingerprints can be spoofed and face ID can be fooled (at times with only 2D masks), while iris and voice recognition are not quite there yet, although tools to trick those are being developed in parallel.

So, what can we do?

Layering Security Measures as the Solution?

Implementing multiple security layers as part of MFA just might be the answer. If used, any of the options above should be part of a larger authentication system that also applies the principles of continuous authentication and pattern recognition.

Continuous authentication entails regular checks throughout the use of a service rather than a single check at login, and pattern recognition refers to checking authentication attempts against learned patterns, such as the device used or the location from which the attempt was made.
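An added illustration of pattern recognition and continuous authentication as described above (example code, not IPification’s or the author’s): a risk score over learned device, location and time-of-day patterns decides between allow, step-up and deny, and the same scoring is re-applied to in-session events. The profile values, weights and thresholds are constructed.

```python
from dataclasses import dataclass

@dataclass
class UserProfile:
    """Learned pattern for one user (constructed here; built from verified history in practice)."""
    known_devices: set
    known_locations: set
    usual_hours: range   # local hours in which the user normally logs in

@dataclass
class Attempt:
    device_id: str
    location: str
    hour: int

STEP_UP = 2   # score at which a second factor is demanded
DENY = 4      # score at which the attempt is refused outright

def risk_score(profile, attempt):
    """Each deviation from the learned pattern adds risk; device and location weigh more than time."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += 2
    if attempt.location not in profile.known_locations:
        score += 2
    if attempt.hour not in profile.usual_hours:
        score += 1
    return score

def decide(profile, attempt):
    """Map the score to an action: allow silently, demand another factor, or deny."""
    score = risk_score(profile, attempt)
    if score >= DENY:
        return "deny"
    return "step_up" if score >= STEP_UP else "allow"

def learn(profile, attempt):
    """Extend the pattern only after a passed step-up challenge, so attackers cannot teach it by trying."""
    profile.known_devices.add(attempt.device_id)
    profile.known_locations.add(attempt.location)

def continuous_check(profile, session_events):
    """Re-score every in-session event instead of trusting the login forever.
    Returns (index, action) of the first event needing a re-challenge, or None."""
    for i, event in enumerate(session_events):
        action = decide(profile, event)
        if action != "allow":
            return i, action
    return None
```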

Of course, just how much you’re willing to complicate your service will depend on the nature of your business. It doesn’t have to be, and shouldn’t be, the same for a forum as it is for FinTech apps.

Take KYC for example. Banks have to identity-proof their customers, but forums? I don’t think so.

However, whichever level of authentication complexity suits your business, it’s important to know that you don’t have to compromise between security, privacy and user experience. And I’m not talking about blockchain; it’s still not there yet. Other viable solutions are here.

There are many aspects to effective authentication: security, privacy and user experience, continuous authentication, zero trust security, and the ability to integrate with other solutions. And I’m proud to say we had all of those in mind when designing IPification.

We chose to think smart, not hard, and built IPification to rely on cryptographic data that mobile network operators, a constant in the mobile-first world, already control, without the need to actually send any of it.

The only thing the user has to do is tap once to request the authentication. Their data is then checked against their record in milliseconds while IPification keeps working in the background.

Pretty easy, wouldn’t you say?