As security professionals, we have a bit of a reputation for melodrama. A breach happens, we make a lot of fuss for a few weeks, and then we quickly move on to the next topic dominating our news cycles. Even when a breach seems pretty dire to a particular company and its customers, it's usually not the 'end of days' that we often predict it will be.
However, we’ve noticed that after last year's high-profile breach of Equifax, a small handful of companies haven’t moved onto the next news cycle and are keeping their information security and fraud teams working overtime on one specific area with no end in sight - authentication and user verification.
Why? Because today’s processes for authentication and user verification are fundamentally flawed.
While traditional mail services like the United States Postal Service are sometimes used in heavily regulated industries, such as financial services, to identify a user by sending documents to their address, this introduces another involved step to the authentication and user verification process that creates friction. When I was at PayPal, I used to like to joke that the "F-Word" was really "friction" - something online businesses strive to aggressively reduce.
Because of this, most commercial approaches to identity verification are instead based on having some set of information about you that's theoretically easy for you to verify, but hard for anyone else to guess correctly. The problem is that, following the Equifax breach, there is now no information with those characteristics for roughly 50% of the US population.
This leads to higher false positive rates, where criminals can access accounts illicitly, and higher false negative rates, where legitimate users are denied access to their accounts. We've already started to see examples of the latter in significant numbers. For instance, if you want to register on healthcare.gov under the Affordable Care Act, your identity will be verified via a credit bureau. However, if you've frozen your credit file due to the Equifax breach (which is the recommended best-practice), you'll find yourself jumping through a lot of hoops before you can establish your account and get coverage.
It's the false-positive problem that has had information security and fraud teams working overtime for the last several months. Market leaders are attempting to review every single business process involving authentication and user verification to see whether they are solidly defined or if there are systemic gaps. Everyone else seems to be mostly just pretending that life should go on as usual as the Equifax news cycle winds down. They move on to the Facebook breach, or the Panera Bread breach, or the Delta airlines breach, or… you get the point.
In the long term, these problems are structural, and the solutions are structural too, but the catch is that they will require governments to "belly up to the bar".
In the real world, if you want to drive a car or board a flight, you must provide government-issued documentation that asserts your identity and your authority to do those things. There have been some experiments with governments verifying identities electronically in so-called “e-government” pilots, and there's little doubt that this is the real solution to the problem. However, it would require a consensus both on the "business models", through which governments and businesses would interact, and on a set of open standards that could be used for the purpose. NSTIC was the most recent attempt in the US to provide a framework for this, but it’s fair to note that NSTIC has not been a huge success and has lost most of the momentum that it once had.
Having twice led open standards organizations, my own expectation is that it would take five or ten years of effort to sort out - assuming the will to put together a process like the one described even exists. I personally believe we must do this, but I also fully accept that there is little evidence of it starting to happen yet.
Instead, and on a more tactical basis, I will close here with several specific calls to action:
- Make sure that you do a realistic risk assessment of your authentication and user verification processes to ensure that you understand whether or not those processes are still suitable. Given the current reality that most user verification data sources should be considered tainted, ensure that the recent (Equifax) breach is factored in.
- If your risk profile has changed, then start work re-engineering the affected processes.
- While you are at it, don't forget to look at your application and security infrastructure to determine what your exposure is to automated / bot attacks. This is one of the primary mechanisms that criminals will use to exploit the weaknesses discussed in this blog, namely credential exploitation at scale. If you use a legacy web application firewall (WAF) solution that claims to have bot protection features, don't take the vendor at their word. Be sure to verify vendor claims thoroughly, as in our experience these are largely brochure-ware and trivially evaded by attackers in real-world attacks.
- As a shameless plug for Stealth Security, I will note that our solution is specifically designed to detect bot activity attacking your web presence, and bots tend to be one of the main attack tools whereby criminals will abuse stolen identities.
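One concrete way to start the exposure check called for above is to measure what automated credential abuse looks like in your own authentication logs. The script below is an added example written for this post; it is not Stealth Security's product code and not part of the original article. It assumes a constructed log format of `<timestamp> <client_ip> <username> <status>` (status `ok` or `fail`) and flags source addresses that show the classic credential-stuffing signature: many distinct usernames, a high failure ratio, and an attempt rate no human would produce. The thresholds are illustrative assumptions to be tuned against your own baseline.

```python
"""Flag likely automated credential attacks in web login logs.

Added example for this post (not Stealth Security's code). It assumes a
constructed log line format "<timestamp> <client_ip> <username> <status>";
real deployments would parse the web server or application auth log natively.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one address cycling through many usernames with
# mostly failures (credential-stuffing pattern) plus two ordinary users.
SAMPLE_LOG = """\
2018-04-10T09:00:01 203.0.113.7 alice fail
2018-04-10T09:00:02 203.0.113.7 bob fail
2018-04-10T09:00:02 203.0.113.7 carol fail
2018-04-10T09:00:03 203.0.113.7 dave ok
2018-04-10T09:00:03 203.0.113.7 erin fail
2018-04-10T09:00:04 203.0.113.7 frank fail
2018-04-10T09:00:10 198.51.100.4 alice fail
2018-04-10T09:00:15 198.51.100.4 alice ok
2018-04-10T09:01:00 192.0.2.9 bob ok
"""


def parse_log(text):
    """Yield (timestamp, ip, user, status) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, status = parts
        try:
            yield datetime.fromisoformat(ts), ip, user, status
        except ValueError:
            continue  # unparseable timestamp: ignore rather than crash


def per_ip_stats(events):
    """Aggregate attempts, failures, distinct usernames and time span per IP."""
    stats = defaultdict(lambda: {"attempts": 0, "fail": 0, "users": set(),
                                 "first": None, "last": None})
    for ts, ip, user, status in events:
        s = stats[ip]
        s["attempts"] += 1
        if status == "fail":
            s["fail"] += 1
        s["users"].add(user)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats


def flag_suspicious(stats, min_attempts=5, min_users=3,
                    fail_ratio=0.6, max_rate_per_min=30):
    """Return {ip: [reasons]} for addresses whose login pattern looks automated.

    Thresholds are assumed illustrative values, not recommendations.
    """
    flagged = {}
    for ip, s in stats.items():
        if s["attempts"] < min_attempts:
            continue  # too little data to judge
        span_s = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate_per_min = s["attempts"] / span_s * 60
        ratio = s["fail"] / s["attempts"]
        reasons = []
        if len(s["users"]) >= min_users:
            reasons.append("many distinct usernames")
        if ratio >= fail_ratio:
            reasons.append("high failure ratio")
        if rate_per_min >= max_rate_per_min:
            reasons.append("high attempt rate")
        if reasons:
            flagged[ip] = reasons
    return flagged


def analyze(text):
    """Run the full pipeline over raw log text."""
    return flag_suspicious(per_ip_stats(parse_log(text)))


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(reasons))
```

Run against the constructed sample, only 203.0.113.7 is flagged; the user who mistyped a password once (198.51.100.4) is left alone because a single retry is below every threshold. Per-IP counting is the simplest cut; in practice attackers spread attempts across many addresses, so the same statistics are worth computing per username, per user-agent and per autonomous system before deciding whether a WAF's "bot protection" is actually catching anything.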
Interested in learning how you can protect your web applications, APIs, and mobile applications from automated attacks and unwanted traffic? Get in touch, and we’ll demonstrate how Stealth Security helps some of today’s largest organizations in the retail and finance industry detect and mitigate bot activity.