Psst! Pass it on … Passwords aren’t enough

We’ve had a heck of a summer for data breaches, but the June hacking of LastPass is beyond simple irony. If a password management company fails to protect customer information, what’s it going to take for anyone to get serious about data security? And whose job is it? The short answer is “everyone’s.” But the better answer is it’s time for online organizations – most especially financial service providers – to step up to the available technology and take real action to safeguard the sensitive information they store on behalf of members.

For their part, consumers are catching on that passwords aren’t adequate protection when making online purchases or doing their banking. In fact, only about 30 percent feel confident in the safety of their passwords for online accounts, according to TeleSign’s June 2015 study, Consumer Account Security Report. And in its own study, consulting and technology firm Accenture found that nearly three-fourths of American consumers are open to alternatives to user names and passwords.

What’s the matter with passwords?

Passwords are frustrating and hard to manage, so people tend not to use them correctly. Most opt for simple ones because it’s a hassle to come up with and remember complex character combinations. And the average consumer has 24 accounts, according to TeleSign, meaning 24 passwords to remember. No wonder consumers reuse the same ones over again! Yet, passwords are the low-hanging fruit for cybercriminals wanting to break into someone’s account. And people often help them along by using basic word or number combinations, such as “password” or “1-2-3-4-5.”

The most damning evidence comes from research by Daniel Solove of George Washington University and Woodrow Hartzog of Samford and Stanford universities (“Should the FTC Kill the Password? New Paper Investigates”), a 2015 report published by the George Washington University Law School. Revealing the flawed nature of passwords, the authors say we need better authentication … now.

The staggering rate of data breaches is largely attributable to problems authenticating the identity of account holders, according to Solove and Hartzog. “It is clear that passwords are being used incorrectly in ways that make them a weak security mechanism … understandable given that authentication is needed on so many sites and systems – there are too many passwords for even those with the best memories to remember.”

What should replace them?

It’s well accepted that current password verification methods are weak, but what should replace them?

Some security experts believe biometrics could be the answer to password security, although they aren’t widely available on most commercial devices, partly because of the expense and inconvenience. Plus, biometrics aren’t all that secure against serious hackers. Fingerprints can be lifted, and voice recognition won’t work if you come down with laryngitis. Even eye scans are suspect, as the Europe-based Chaos Computer Club proved by using high-resolution photography to defeat iris scanners.

Instead, experts say the most realistic consumer solution is multi-factor authentication, using passwords as part of at least a two-step process that combines something you know with something you have. In their research, Solove and Hartzog note that this approach can also be scaled up for organizations needing stronger measures: “the multi-factor approach to authentication can be adapted and made as strong as necessary. Companies could require three authentication factors in some contexts.”

The authors believe the level of authentication should correspond to the degree of risk, noting that high-risk data, such as health records or financial information, would require extra precautions. If organizations that handle consumers’ sensitive data online don’t get serious about security, Solove and Hartzog believe the Federal Trade Commission should step in to require it.

What can we do now?

  • Use multi-factor authentication for all customer PII. Place multi-factor authentication in front of your online banking platform and integrate single sign-on into the process to add customer convenience and lessen frustration. Then make sure members know it is available and how to turn it on. TeleSign’s survey revealed that consumers want better security, but 61% don’t even know what 2FA/MFA is. Help members understand why it is needed to augment passwords.
  • Explain the difference between authentication and secondary questions. Websites often ask for answers to queries like, “What’s your hometown?” But these “security” questions are not authentication-driven; they just make it easier for tech staff to reset lost passwords. Such a question is actually risky because the answer may be shared on social sites or elsewhere, and the response is always the same. Instead, Huffington Post security writer Jeff Fox advises giving questions like “What’s your favorite sports team?” nonsensical answers like “vegetable soup.”
  • Choose a service provider that uses best-practice encryption technology. Right now, most business practice covers only encryption in transit, e.g., encrypting documents while they are emailed. But if those documents carry sensitive information, they are vulnerable once they reach their destination. Instead, documents with personal data should be encrypted both in transit and at rest. All financial institutions should use encryption at rest for their members’ PII.
  • Tell members the differences between types of cloud storage. Consumers fear having their personal information stolen, yet most don’t know how so-called “secure” cloud storage works. Help them understand that traditional cloud-based services like Dropbox or Google Drive are meant for temporary, run-of-the-mill files – not their PII. Instead, offer them today’s version of a safe-deposit box, such as My Virtual StrongBox®, which encrypts data from the moment documents are loaded and throughout the time they are stored.
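The first recommendation above, a password (something you know) checked together with a second factor (something you have), is easier to reason about in working code. The following example is added here and is not code from the original post or from Virtual StrongBox; it assumes the second factor is a standard TOTP authenticator app (RFC 6238, built on RFC 4226 HOTP), that passwords are stored as salted PBKDF2 hashes, and it uses the RFC test-vector key `12345678901234567890` only as a constructed demo secret. The `Account` class and `login` function are hypothetical names for this illustration.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware


# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
# dynamic truncation to a fixed number of decimal digits.
def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


# RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch.
def totp(secret, unix_time, step=30, digits=6):
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, last_counter, step=30, window=1, digits=6):
    """Return the accepted counter, or None if the code is rejected.

    Tolerates `window` steps of clock skew either way, and refuses any
    counter at or below `last_counter` so a captured code cannot be replayed.
    """
    if len(code) != digits or not code.isdigit():
        return None
    current = unix_time // step
    accepted = None
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue  # already burned: replay attempt or stale code
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            accepted = candidate
    return accepted


# Something you know: never store the password itself, only a salted,
# slow hash of it. Comparison is constant-time.
def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


class Account:
    """Constructed in-memory credential record (hypothetical; a real system
    keeps this in its credential store)."""

    def __init__(self, password, totp_secret):
        self.salt, self.password_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest TOTP counter already accepted


def login(account, password, code, unix_time):
    """Both factors are evaluated before deciding, so a failed attempt does
    not reveal which factor was wrong."""
    password_ok = verify_password(password, account.salt, account.password_hash)
    counter = verify_totp(account.totp_secret, code, unix_time, account.last_counter)
    if password_ok and counter is not None:
        account.last_counter = counter  # burn the code so it cannot be reused
        return True
    return False


if __name__ == "__main__":
    DEMO_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector key, demo only
    acct = Account("correct horse battery staple", DEMO_SECRET)
    now = 59  # fixed timestamp from the RFC 6238 test table
    code = totp(DEMO_SECRET, now)  # what the member's authenticator app would display
    print(login(acct, "correct horse battery staple", code, now))        # True
    print(login(acct, "correct horse battery staple", code, now))        # False: replayed code
    print(login(acct, "wrong password", totp(DEMO_SECRET, now + 30), now + 30))  # False
```

Two design points worth noting: the one-step skew window keeps members with slightly drifted phone clocks from being locked out, and recording the last accepted counter closes the replay hole that the skew window would otherwise open.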

Data breaches are reaching epic proportions, and securing information takes more vigilance and better processes than those used even five or 10 years ago. For financial institutions, whose reputations rest on the integrity of their customer information security, it’s time to get serious and use today’s best-of-breed technology.

Ron Daly

Ron Daly is the president and CEO of Virtual StrongBox, a secure, end-to-end member engagement platform that can be integrated into various workflow processes to provide high-risk Enterprise IT firms ... Web: www.virtualstrongbox.com