One of the things that stands out in Verizon's 2016 Data Breach Investigations Report is that “63% of confirmed data breaches involve using weak, default or stolen passwords.”
The thing is, many of the breaches could have been prevented had a company been using two-factor authentication (2FA).
Authors of the Verizon report wrote:
We are realists here, we know that implementation of multi-factor authentication is not easy. We know that a standard username and password combo may very well be enough to protect your fantasy football league. We also know that implementation of stronger authentication mechanisms is a bar raise, not a panacea. Even with all of that, 63% of confirmed data breaches involved leveraging weak/default/stolen passwords. This statistic drives our recommendation that this is a bar worth raising.
Figure 16 shows the most common threat action varieties associated with attacks involving legitimate credentials. The obvious action of the use of stolen credentials is numero uno, but we see some other common actions used in conjunction, including C2 malware, exporting of data, phishing and keyloggers.
As Rapid7 Security Research Manager Tod Beardsley said in an email:
The fact that credential-based attacks—those attacks that don't require fancy exploits and vulnerabilities—top this year's DBIR isn't particularly surprising. It's much easier to try common, default, stolen and bought credentials on targeted systems than to run finicky exploits, and the fact is that the old username and password combo still works. That said, it’s so central in the DBIR as a component of both opportunistic and targeted attacks that it underscores the need for organizations to commit to 2FA for those systems and services that are truly critical.
In fact, credential-based attacks have been going on so long, and have been so successful, that I believe that people are ready to adopt 2FA. Just take a look at Two Factor Auth, a successful, community-driven name-and-shame approach to getting consumer-facing businesses to adopt 2FA with integrated social media support and an easy(ish) to use GitHub-based interface for adding new businesses and services.
Half of the people don’t even know what 2FA is
Believe it or not, slightly more than half (56 percent) of polled individuals had no clue what two-factor authentication even is. Although that specific study was commissioned last year by Telesign, a mobile identity solution vendor, it was new to me and really quite depressing.
Those same people do know what a password is, but nearly half (47 percent) rely on a password that hasn’t been changed for five years. Seventy-seven percent haven’t changed their password in over a year; yes, password, singular, as 73 percent of online accounts are supposedly “protected” by the same password. Fifty-four percent of respondents do have more than one password, but they use five or fewer passwords across an entire online life of about 24 different accounts. It’s not really comforting to learn that although 40 percent had been victims of a security incident, only 70 percent changed their passwords. It’s unclear how about half of those people can reportedly be worried about their online accounts being hacked when they wholeheartedly believe in password reuse.
Anyway, that got me to thinking. Yes, certainly enterprises need to be using 2FA, but what can be done if we drill down to the little guy, regular folks, recklessly going about their digital lives? One place to start might be 2FA for Mother’s Day (May 8).
2FA for Mother’s Day
I heard that groan. Believe me, I fully understand the plethora of questions that an unknown technology can elicit from the technically challenged. I know what it’s like to be that person regarded as the “go to” geek and security freak for any tech-related issues encountered by family and friends.
I’m not suggesting you volunteer to be their 24/7 tech person, or even invest in something like an RSA token, a YubiKey or some other costly USB token or smart card, but “mom” probably has a smartphone. That alone provides many options, including free authenticator apps from Google, Microsoft, Authy, etc. Why not help mom set up 2FA and tie it to her online accounts?
Using a phone as an authenticator is not a perfect security shield—and could even become a single point of failure—but it’s better than just a password, especially if it is not a strong password or is used across multiple sites. Lose your phone, and you’re up the proverbial creek, unless you hand out another phone number as backup, and that’s a can of privacy worms that I probably should have, but have not opened.
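To make concrete what those free authenticator apps actually do, and what the lost-phone failure mode means for the account owner, here is an added example (not from the article, the DBIR or any vendor): the RFC 6238 time-based one-time password the app computes, the server-side check that tolerates a little clock drift, and one-time backup codes that let mom get back in if the phone is lost. The seed is the published RFC 6238 test-vector secret, not a real account's.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# The RFC 6238 test-vector secret ("12345678901234567890" in base32); never a real account seed.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per code, the default the phone apps use


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps): the number the authenticator app shows."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server side: accept the current step plus/minus skew_steps to tolerate phone clock drift."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False


def make_backup_codes(n: int = 8):
    """Issue one-time recovery codes at enrolment; keep only hashes, show the plaintext once."""
    plain = [secrets.token_hex(5) for _ in range(n)]
    hashed = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, hashed


def redeem_backup_code(code: str, hashed: set) -> bool:
    """Lost phone: a stored recovery code logs the user in exactly once, then is burned."""
    h = hashlib.sha256(code.encode()).hexdigest()
    if h in hashed:
        hashed.discard(h)
        return True
    return False
```

Backup codes belong on paper in a drawer, not in the same phone they are meant to replace; that is the cheaper alternative to handing out a second phone number.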
I’m not suggesting that setting up 2FA for mom is all you should do, and I realize she might not appreciate how much more digitally secure she is now, but in the long run it might save you time by preventing future HELP ME calls. Plenty of moms work, so if enough start using 2FA, then they might start asking why it is not used at work. Secure the world one mother at a time. Perhaps 2FA for Mother’s Day is a step in the right direction for more businesses to implement multi-factor authentication?
Just think, Father's Day (June 19) is coming up, as well. You could then do the same for dear old dad. If we can secure moms and dads, then that is a good chunk of the workforce; surely it would trickle down to make changes even in enterprise?