21 December 2021
The recent GoDaddy data breach was a timely reminder of the vulnerability of passwords and the importance of biometric authentication. The data of 1.2 million customers may have been exposed because an unauthorized person was able to access GoDaddy systems using a compromised password.
iProov has long warned that passwords are not a secure method of authentication: they can be borrowed, or stolen and then shared on the dark web.
This is why biometric face verification and authentication are so important to online security. Your face cannot be stolen – it can be copied (for example, with a photograph or mask) but it cannot be stolen. This means that:
The problem: If personal data is stolen during a breach, it can be used by criminals to impersonate a victim for new account fraud. Criminals can build dossiers of data from breaches – one breach of 1.2m accounts could provide the e-mail addresses and home addresses of those victims, for example, while another breach might also provide their date of birth.
By combining this data, criminals can have enough information to steal someone’s identity and create accounts online in their name. This could involve setting up new bank accounts for the purposes of money laundering or applying for new credit cards or government benefits for financial gain.
How face verification helps: iProov’s face verification technology helps to prevent new account fraud by securely verifying a new customer’s identity during online onboarding. A new customer is asked to use their mobile device or computer to scan their trusted identity document (for example, a driver’s license or passport). They then complete a brief face scan using iProov technology. This face scan is matched against the photo in the document to confirm that the applicant is the right person (not someone pretending to be that person). The face scan also confirms that the applicant is a real person (not a photo or video or mask). What makes iProov’s Genuine Presence Assurance™ unique is that it also verifies that the applicant is interacting right now (not a digital injected attack).
The problem: If a criminal group acquires the data of 1.2m people, they can theoretically use that data for account takeover on a huge scale. This can involve gaining access to those people’s bank accounts or social media accounts to steal money or demand ransoms.
If the criminals have been able to access email addresses and passwords, they can use those credentials to try to break into bank accounts, retail accounts and other sites where that email address and password combination may have been used.
Alternatively, they can access the email account and use that to convince the victim’s bank (or other organizations) to replace passwords, phone numbers and other details with their own, so that they have full control over a victim’s accounts.
How face authentication helps: iProov helps organizations to prevent online account takeover by authenticating users online with face biometrics. Because a customer’s face cannot be stolen, a criminal would not be able to gain access to their account, even if they had an email address or password. Face authentication can be used for primary authentication or as part of a multi-factor authentication strategy; if one factor, such as a password, is compromised, then the iProov biometric factor remains secure.
For example, login details from the GoDaddy breach are leaked on the dark web. A bad actor takes these credentials and uses them on a number of websites. With the first few accounts, they’re in luck: the accounts are not secured with iProov, so the bad actor gains access. However, they then try the user’s bank account. They’re dismayed to find that the bank uses iProov to authenticate each login or every transaction. The bad actor is out of luck: they are not the right person and real person authenticating in real time, so they can’t gain access to the victim’s money.
The problem: Data breaches continue to be a global problem because any system is only as strong as its weakest link. If a password can be compromised, then any system that relies on passwords can be compromised.
How face authentication helps: If systems are protected using iProov’s face authentication technology, either as primary authentication or as part of a multi-factor strategy, then criminals cannot gain access.