Many financial services firms stopped kidding themselves about passwords a long time ago
"The march toward really effective user authentication has taken much longer than it should have. And that is true for all industries.
Just last year about 85% of data breaches were enabled by compromised passwords. Most attacks were external, but nearly 25% of them came from inside the organization.
Early replacements for passwords or methods of fortifying passwords helped for a while, but fraudsters quickly found ways of getting around them. In fact, the relentless ingenuity of cybercriminals in spoofing new security measures continues to frustrate firms that are still attempting to cope with what I would call half-measures..."
It's hard to imagine that not that long ago there were articles everywhere on how to devise effective passwords
"How to manage them, protect them, remember them. It's no longer effective to follow any of these strategies. Experts estimate that nearly three billion credentials have been compromised in just the last few years. Considering how unwilling most organizations are to discuss a breach, we'll never know the extent of the damage these hacks have caused..."
We, as security practitioners, need to be mindful about what we mean when we say '2FA' or 'MFA.' These terms are often used interchangeably
"The confusion is understandable, since 2FA is a subset of MFA. However, just like Halloween candy, MFA (including 2FA) comes in many flavors. Let's unpack these terms and consider the various options.
MFA offers three factors to prove identity, plus additional attributes to further support the claim:..."
Motherboard posted a well-researched piece recently on hackers who have been exploiting the SS7 protocol in telco networks to pillage bank accounts in the UK
"As someone who advises banks on mobile biometric authentication, I can attest to the article's accuracy. The writer not only got the facts straight, he did a masterful job of conveying the attitudes of the institutions involved. Reading between the lines of their terse statements, I saw the usual surprise, chagrin and feelings of 'why us?'
But in fairness, defending a bank, healthcare organization, online retail business, etc. against determined and capable hackers is difficult. At best, it's a running battle. We will continue to see occasional setbacks..."