
This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Ori Eisen, Founder and CEO, Trusona

This article is not simply meant to be read. It is meant to be read and acted upon.

I am here to recruit you.


I have dedicated my life to fighting online crime. One day, while serving as the worldwide director of fraud at a leading bank, I asked the questions: “Where does the stolen money from cyber breaches go? What is it being used for? And by whom?”

I learned the answers. And once you do, you cannot sit by and do nothing. You must take action. Money stolen over the internet funds nefarious activities: child exploitation, human trafficking, narcotics, weapons and terrorism.

We must protect online businesses to ensure this money doesn’t end up in the hands of criminals and rogue nations. Unfortunately, current cybersecurity solutions are just not cutting it. We continue to see rapid acceleration of breaches across all industries.

The biggest attack vector being exploited by cybercriminals is compromised credentials. It is time to move on from the static credentials that were invented in the 1960s and that make life too easy for the bad guys, and to instead introduce a new way of thinking about authentication and identity protection.

Figure: The proportion of data breaches in 2017, by industry (Image: 2018 4IQ Identity Breach Report)

The problem

Throughout human history, weapons have been developed for attack and defense. If you wanted to defend yourself from an attacker using bows and arrows, you used a shield.

But what do you do when the attackers are more powerful than your defenses? Inability to protect yourself will surely lead to your demise. Weapons are only effective until new technology renders them obsolete.

The internet is no different. Computing was not designed with very strong security in mind. In the early days, usernames and passwords were very useful. They were used to help grant network access for academic research – not to protect multimillion-dollar wire transfers.

The lock on your front door is ‘good enough’ to keep your neighbours from waltzing into your home. Usernames and passwords just help keep honest people honest. They are not helpful against targeted attacks, which begin with a breach of all the passwords stored by an organization.

What if there is a master key available for $1 that can open your front door – would you worry? Would you admit to yourself and others that your security is not OK? Most importantly, would you do something about it?

Figure: A disturbing trend – chart showing the increasing number of data breaches due to compromised credentials (Image: 2019 Verizon Data Breach Investigations Report / Trusona)

We now conduct almost every aspect of our lives online. Yet the security measures in cyberspace have not evolved commensurately with the threats. Incredibly, 99% of sites still use username and password as the first and often last line of defense.

In 2018, 3.6 billion identity records were compromised – that’s 20% more than the previous year. More than 14 billion identity records are available online and through the dark web. Chances are, the $1 key to open your online accounts is out there.

What are the implications of using passwords?

This article is not intended to alarm you. You’ve already seen the headlines. When a company is breached by cybercriminals, the soft costs are customer trust, brand reputation and customer loyalty. The obvious, hard costs are things like breach investigation, credit monitoring, customer attrition and legal fines.

But even without breaches, some of the costs of using passwords are often overlooked:

1) Call center calls about forgotten passwords

2) Services for resetting accounts

3) Losses attributed to weak passwords

4) Losses attributed to fraudulent password resets

5) Losses attributed to malware or breaches in which passwords are stolen

Figure: The sheer volume of stolen credentials is staggering (Image: Trusona)

So what can we do?

Many companies started using multi-factor authentication solutions, only to realize the bitter truth. Using solutions such as SMS one-time passcodes (OTP) to protect data and networks can be circumvented. The crooks easily take over your phone line by convincing the telephone company they are you; the FBI recently issued a warning about this technique.

Not all multi-factor authentication solutions are created equal. To the perpetrators of this kind of attack, SMS can be nothing more than a turnstile in the middle of the desert; they simply go around it.

The solution

What if we were to remove static passwords from the security paradigm altogether?

What if each time your account is used, you need to affirm that it is you on the other end?

What if your affirmation was uniquely wrapped, so it cannot be used again by any perpetrator?

What if we never used static passwords again?

This would solve the real problem and kill two birds with one stone.

1) More secure

By ridding the world of passwords, there will be no incentive for crooks to steal passwords. Malware that steals passwords will lose its power, as passwords will have no value. By affirming it is really them on the other end, users can play a part in their own security. Users will know each time their account is accessed, and affirm or reject the transaction.

2) More convenient

By ridding the world of passwords, users will no longer be required to remember passwords, make them longer and complex, nor change them. Password resets will be a thing of the past.
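As an added illustration of the ‘uniquely wrapped affirmation’ idea above (this is example code written for this article, not Trusona’s product or protocol), the sketch below shows a per-transaction approval flow: the server issues a fresh one-time nonce bound to the user and the action, the user’s device wraps its approve/reject decision with that nonce, and the server consumes the nonce on first use so a captured affirmation is worthless if replayed. The device-bound key, the `AuthServer` class and the action string are assumptions for the demonstration; a real deployment would use an asymmetric key held in the phone’s secure hardware rather than the HMAC stand-in used here.

```python
import hmac
import hashlib
import secrets
import time

NONCE_TTL_SECONDS = 60  # assumed validity window for one affirmation


class AuthServer:
    """Server side of a per-transaction affirmation flow (hypothetical)."""

    def __init__(self):
        self.device_keys = {}   # user -> device-bound key set at enrollment
        self.pending = {}       # nonce -> (user, action, issued_at)

    def enroll(self, user, device_key):
        self.device_keys[user] = device_key

    def start_transaction(self, user, action):
        # Fresh random nonce, bound to this user and this action only.
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, action, time.time())
        return nonce

    def verify(self, user, nonce, decision, tag):
        entry = self.pending.pop(nonce, None)   # consumed on first use
        if entry is None:
            return "replay_or_unknown"          # second use is rejected
        p_user, action, issued = entry
        if p_user != user or time.time() - issued > NONCE_TTL_SECONDS:
            return "expired_or_mismatch"
        key = self.device_keys.get(user)
        if key is None:
            return "not_enrolled"
        expected = device_affirm(key, nonce, action, decision)
        if not hmac.compare_digest(expected, tag):
            return "bad_tag"                    # forged or altered decision
        return "approved" if decision == "approve" else "rejected"


def device_affirm(device_key, nonce, action, decision):
    """Device side: wrap the user's decision with the nonce and the action."""
    msg = f"{nonce}|{action}|{decision}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def demo():
    server = AuthServer()
    key = secrets.token_bytes(32)           # constructed at enrollment
    server.enroll("alice", key)
    action = "wire:25000:acct-123"          # constructed sample transaction
    nonce = server.start_transaction("alice", action)
    tag = device_affirm(key, nonce, action, "approve")
    first = server.verify("alice", nonce, "approve", tag)
    second = server.verify("alice", nonce, "approve", tag)   # replay attempt
    return first, second
```

Because the wrapped affirmation covers the nonce, the action and the decision, changing any of them (or presenting it a second time) fails verification, which is the property that makes a stolen copy useless.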

In the US alone, 96% of people have smartphones. So why are we not utilizing these mini-computers that have become an extension of our identity in our pockets to improve our security? Users can leverage this readily available technology to authenticate themselves more securely.

We can fight fire with fire, and use technology to raise the bar for online criminals. Enough is enough. Let’s reclaim the security of our identities. The cost of doing nothing has shown its ugly face.

I am here to recruit you to put a dent in the universe. Heed the call and join the ‘no passwords’ revolution.