Why it's time for companies to stop using PINs and passwords
Passwords and PINs are now more vulnerable than ever.
While these breaches highlight the vulnerability of the traditional password and PIN — which were developed over 50 years ago — they also show that knowledge-based authentication is becoming antiquated in today’s world of connected smart devices and even smarter hackers.
With increased pressure on these traditional security methods, organisations need to re-assess the processes and solutions in place to prevent security breaches and make their customers’ lives more convenient.
Here are some ways PINs and passwords are compromised:
Brute Force Attack
The four-digit PIN is one of the weakest security credentials, because of the ease with which a malicious user can compromise a system without any technical knowledge or any knowledge of the legitimate account holder.
The vulnerabilities of PINs were revealed by a 2012 DataGenetics study which showed that 10.7 per cent of four-digit PINs are “1234”. This means a fraudster would only need to conduct an average of 10 attempts to compromise an account. Additionally, as revealed by the Adobe breach, passwords don’t perform much better, with the top 5 user passwords including ‘123456’ and ‘password’.
Although organisations can block the most commonly used PINs and passwords, the DataGenetics study also revealed that beyond sequential numbers and repeating numbers, people tend to select PINs where the numbers form patterns on the keyboard, or where the number represents a date that is significant to the caller. This PIN selection behaviour by legitimate account holders renders brute force attacks quite effective.
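The PIN categories named above (sequential, repeating, keyboard patterns, dates) can be checked when a PIN is set. The following is an added example, not code from the article or the DataGenetics study; the exact rules, the phone-keypad layout and the function names are assumptions chosen for illustration.

```python
import calendar
from collections import Counter

# Phone keypad coordinates as (row, column). The layout is an assumption:
# the article only says PINs "form patterns on the keyboard".
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}


def _is_calendar_day(month, day):
    # 2000 is a leap year, so 29 February counts as a valid day.
    return 1 <= month <= 12 and 1 <= day <= calendar.monthrange(2000, month)[1]


def _adjacent(a, b):
    # True when two different keys touch, diagonals included.
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return max(abs(r1 - r2), abs(c1 - c2)) == 1


def weak_reason(pin):
    """Return why a four-digit PIN is easy to guess, or None if no rule hits."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must be exactly four ASCII digits")
    pairs = list(zip(pin, pin[1:]))
    if pin[:2] == pin[2:]:                       # 1111, 1212, 7373 ...
        return "repeating"
    steps = {(int(b) - int(a)) % 10 for a, b in pairs}
    if steps in ({1}, {9}):                      # 1234, 4321, 7890 ...
        return "sequential"
    if all(_adjacent(a, b) for a, b in pairs):   # 2580, 1478 ...
        return "keypad pattern"
    first, second = int(pin[:2]), int(pin[2:])
    if (pin[:2] in ("19", "20")                  # a year such as 1984
            or _is_calendar_day(first, second)   # MMDD
            or _is_calendar_day(second, first)): # DDMM
        return "date"
    return None


def keyspace_summary():
    """Classify all 10,000 PINs; the None key counts PINs the policy allows."""
    return Counter(weak_reason(f"{n:04d}") for n in range(10000))


if __name__ == "__main__":
    for reason, count in keyspace_summary().most_common():
        print(f"{reason or 'allowed'}: {count}")
```

Running the summary shows how much of the 10,000-PIN keyspace each rule removes, which is the trade-off a blocklist has to balance: every rejected pattern also shrinks the set of PINs an attacker must try.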
Compromising the Database
A PIN or password, like any other knowledge factor used for authentication, is stored in a database. If the database is compromised, a malicious user has unlimited access to accounts. Although properly designed systems have numerous security measures in place, there are many documented cases of breaches occurring.
Some cases involve hackers finding ways to bypass the security measures. Other cases involve employee error, for example an erroneous transfer of PIN credentials through e-mail. No matter how the PINs or passwords are compromised, once in the hands of a malicious individual, the potential for large-scale financial losses is enormous.
Phishing is an increasingly common technique that malicious individuals use to compromise credentials, such as PINs and passwords, via email and social media. Industry statistics indicate a mass phishing attack yields a 5 per cent data collection success rate, meaning that if 100 e-mails are sent to collect PINs, a hacker will on average collect five valid PINs.
However, if the malicious individual conducts a spear-phishing attack, the success rate can reach 19 per cent. As such, phishing attacks are one of the methods malicious individuals prefer for compromising systems that are protected by PINs and passwords.
Call centres typically use a series of knowledge questions to verify a caller’s identity. If the caller answers the questions correctly, the agent considers the caller’s identity validated and any transactions can then take place.
However, many of the answers to the security questions asked by call centre agents can be easily found on the internet. A moderately sophisticated hacker can find the answers to the majority of security questions by accessing social media sites, such as Facebook and LinkedIn.
Collecting this basic information about an individual online makes the task of guessing answers to security questions easy, as was shown by a study at Carnegie Mellon University in 2009. It demonstrated that typically used security questions are vulnerable; in some cases they can be guessed with 48 per cent accuracy.
Amobee Appoints Nick Brien As CEO
In its latest strategic move, Amobee—a global multimedia advertising leader—announced that Nick Brien will be its Chief Executive Officer. The company is entirely owned by Singtel, Asia’s leading communications technology organisation, which provides consumers with mobile, broadband, and TV and businesses with data hosting, cloud, network infrastructure, analytics, and cybersecurity tools.
Brien, who has worked for Microsoft, Intel, P&G, and American Express, will take over to drive the next generation of advertising tech. Said Evangelos Simoudis, Chairman of the Board of Amobee: ‘Nick has the deep expertise in advertising that we need to seize the market opportunities ahead’.
How Did Brien Get Here?
Before joining Amobee, Brien led 15,000 people across 40 divisions as CEO of the Americas for Dentsu International. For thirty years, he’s helped brands pilot unique advertisements, keeping up with the latest trends. He’s served as CEO of McCann Worldgroup, global CEO of IPG Mediabrands, President of Hearst Marketing Services, and CEO of iCrossing. Over the course of his career, he’s consistently strategised how to keep up with digital shifts. Now, he’ll capitalise on Amobee’s legions of experienced data scientists and developers.
‘I’m excited to be joining Amobee at such a transformative time in our industry’, Brien explained. ‘We’ll pilot advertising accountability and intelligent decisioning. And there’s no doubt in my mind that optimising media performance—whether you’re targeting, planning, buying, or delivering—can only be achieved using applied science, machine learning, and data analytics’.
What Does This Mean for Amobee?
Amobee is set on growing its personal brand within the advertising sector. As APAC social media influencers, Gen Z growth hackers, and viral content producers start to enter the field, established companies will be working doubly hard to keep up. Amobee, however, is still looking good. With a Gartner Magic Quadrant for Ad Tech, a Forrester New Wave recognition, and now, Nick Brien as CEO, the firm is set up for success.