The standard password has never been less effective or more susceptible to attacks. But some of the U.S.’s leading corporations say they’re also not ready to get rid of it.
Las Vegas, Nevada — Businesses knew that passwords were dead long before the theft of billions of user credentials from Yahoo! and of information on more than 140 million people from Equifax. But for technical executives at some of the U.S.’s leading corporations, the twin events are serving as a long overdue coda for the technology world’s first swing at security: the simple password.
Still, executives speaking at the Akamai Edge Conference* here said that the much maligned password won’t be abandoned any time soon, even as data breaches and follow-on attacks like automated “credential stuffing” make passwords more susceptible than ever to abuse.
“We reached the end of needing passwords maybe seven years ago, but we still use them,” said Steve Winterfeld, Director of Cybersecurity at clothing retailer Nordstrom. “They’re still the primary layer of defense.”
“It’s hard to kill them,” noted Shalini Mayor, who is a Senior Director at Visa Inc. “The question is what to replace them with.”
This, even though the cost of using passwords is high and getting higher, as sophisticated attacks attempt to compromise legitimate accounts using so-called “credential stuffing” techniques, which use automated password guessing attacks against web-based applications.
Disruptions in the Force
Behind those attacks are even bigger hacks, like those against Equifax, Yahoo!, and others. Large retailers and other vendors often perceive what Patrick Sullivan, the Director of Security Technology and Strategy at Akamai, likened to a “disruption in the force” well before major breaches are disclosed, as stolen credentials from other vendors are used to try to break into their own systems.
Mayor said Visa often sees a spike in one-off user and password combinations from recently leaked data troves long before breaches are disclosed. “It’s been something where we do start to see signs of a targeted attack where those numbers (of failed log-ins) start to go up,” she said. The firms all said they had seen a jump in credential stuffing and related attacks this year as a result of the major breaches.
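As an added illustration (not from the article or from any of the companies quoted), the signal Mayor describes can be written as simple detection logic over constructed authentication log lines: flag a minute in which failed log-ins jump and most of the failing usernames are each tried only once, which separates credential stuffing from repeated guessing against a single account. The log format, thresholds and sample values are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system).
# Fields: ISO timestamp, source IP, username, result
SAMPLE_LOG = """\
2017-10-11T09:00:01 203.0.113.5 alice FAIL
2017-10-11T09:00:02 203.0.113.5 bob FAIL
2017-10-11T09:00:03 203.0.113.9 carol FAIL
2017-10-11T09:00:04 203.0.113.9 dave FAIL
2017-10-11T09:00:05 203.0.113.5 erin FAIL
2017-10-11T09:00:06 203.0.113.9 frank FAIL
2017-10-11T09:00:30 198.51.100.7 grace OK
2017-10-11T09:01:01 198.51.100.2 admin FAIL
2017-10-11T09:01:02 198.51.100.2 admin FAIL
2017-10-11T09:01:03 198.51.100.2 admin FAIL
2017-10-11T09:01:04 198.51.100.2 admin FAIL
2017-10-11T09:01:05 198.51.100.2 admin FAIL
2017-10-11T09:01:40 198.51.100.7 heidi OK
2017-10-11T09:02:20 198.51.100.8 judy FAIL
2017-10-11T09:02:30 198.51.100.8 judy OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def stuffing_windows(log_text, min_fails=5, min_one_off_ratio=0.8):
    """Per-minute failed-login stats; flag windows that look like stuffing.

    A window is suspicious when failures reach min_fails AND most failing
    usernames appear only once (one-off user/password pairs from a dump).
    """
    fails_per_window = defaultdict(Counter)  # minute -> Counter(username)
    for line in log_text.splitlines():
        ts, _ip, user, result = parse_line(line)
        if result == "FAIL":
            fails_per_window[ts.replace(second=0, microsecond=0)][user] += 1
    report = []
    for window in sorted(fails_per_window):
        users = fails_per_window[window]
        fails = sum(users.values())
        one_off = sum(1 for n in users.values() if n == 1) / len(users)
        report.append({"window": window.isoformat(), "fails": fails,
                       "distinct_users": len(users),
                       "one_off_ratio": round(one_off, 2),
                       "stuffing_suspected": fails >= min_fails
                       and one_off >= min_one_off_ratio})
    return report
```

In the sample, the first minute (six different usernames, each failing once) is flagged, the second (one account failing five times) is left for a brute-force rule, and the third falls below the failure threshold.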
Attacks have also shifted in recent years from small “mom and pop” shops to mainly electronic attacks against much larger organizations including Target, Home Depot and Equifax, said Lee Gould, the Director of Global Fraud Management at Sony Interactive Entertainment.
Signal fades into noise
Over time, the sheer magnitude of credentials spilled from so many different sources has made it nearly impossible to determine the origin of data used in credential stuffing attacks. “It’s been packaged so many times, there’s no longer a pure signal of a breach that just happened,” she said.
That makes it harder, for example, to identify breaches based on their “point of origin”: a common point of activity or interaction that ties together victims, said Winterfeld of Nordstrom.
Even when password guessing attacks are not successful, they can still be disruptive. John Barrett, a Principal Technology Risk Analyst at Fidelity Investments, said coordinated credential stuffing attacks against Fidelity’s brokerage clients can lead to widespread account lock-outs for customers. That, in turn, can direct thousands of customers to the company’s support lines in a short period, overwhelming them.
“We’ll have two thousand or three thousand customers using voice channels, and that creates a backlog of an hour, which does a different kind of damage,” Barrett said.
Stronger and more reliable alternatives to passwords already exist, but the obstacles to using them are often prohibitive. Mayor said Visa is “looking at” biometric technologies like Apple’s TouchID as a tool for making payments securely. Such technologies – from fingerprint scans to facial and retinal scans – promise more secure and reliable factors than alphanumeric passwords, the executives agreed. But customers often resist the technologies or find them error prone or too difficult to use.
What about biometrics?
Akamai presented advancements in using data from mobile devices to provide a strong second factor, including noting finger movements and gyroscope data on mobile phones to develop uniquely identifying patterns. But executives worry that such approaches could prove fallible. “The thing we struggle with is that phones are being used as second factors, but phones aren’t security devices,” said Winterfeld of Nordstrom. “Building on that platform is inherently frustrating.”
Lee said the key is to save the most secure but “high friction” technologies like biometric scans for where they are the most needed. “Imagine having to do a retinal scan every time you log in,” she said. Instead, Sony is focusing on trying to insert “friction at points” that make sense – like around payment, high value transactions, money transfers and so on.
(*) Security Ledger is partnering with Akamai Technologies to provide coverage of the Akamai Edge 2017 Conference in Las Vegas.