May 19 2023
As organizations digitally transform to expand access to online services, the challenge moves from enabling access to protecting people from cybercriminals. Threat actors are continually developing, using enterprise-level tools and techniques in ever more sophisticated ways to circumvent the security systems protecting those people.
Unfortunately, many organizations make a crucial cybersecurity mistake: they pour resources into commoditized security methods, constantly reacting to breaches and compromised credentials rather than future-proofing through preventative measures.
Today we’re speaking with Matt Welch, iProov’s Head of Threat Intelligence. Matt has an extensive history of leading and consulting global Threat Intelligence departments, following 16 years of service in the Canadian Armed Forces. Now, at iProov, Matt studies the evolving biometric threat landscape and the threat actors behind them, while developing frameworks to combat threat types.
We sat down with Matt to better understand the macro state of cybersecurity in the first quarter of 2023.
Q: Matt, what trends and evolutions have you seen in cybersecurity so far this year?
A: There has been a change in tactics observed from one prolific threat actor, the group that has been dubbed Scattered Spider by CrowdStrike. Interestingly, they’re changing their focus to phishing – particularly phishing emails and phishing domains. Phishing is a common and long-established form of threat – which aims to induce individuals to reveal their personal information – but it’s still remarkably effective against organizations that are reliant on credentials for information security. You can read more about this trend in CrowdStrike’s latest report here.
The key point here is that threat actors realize credentials are still the low-hanging fruit. And often, they don’t even need phishing; threat actors can easily gain compromised credentials, as many are already scattered across the darknet. They can then use credential stuffing attacks to see what other accounts they can gain access to with this information.
The conclusion here is that because many organizations use multi-factor authentication protocols now, the other authentication types – “something you own” and “something you know” – will naturally come under fire after credentials are stolen. If an organization employs multi-factor authentication (MFA) and threat actors are harvesting credentials through phishing, logically, the other authentication factors will be attacked next.
That is, in part, why biometric technology has become essential: although you can collect and share compromised credentials easily, you cannot capture and use the genuine presence of someone’s live face. So the good news is that “something you are” can be incredibly hard to break, unlike “something you know” or “own”.
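The credential-stuffing pattern Matt describes above has a recognisable footprint in authentication logs: one source address failing against many different usernames in a short window, which is quite different from one user mistyping their own password. The following detector is an added illustration for this article, not code from iProov or from the interview; the log format, the sample lines, and the thresholds (five distinct usernames within five minutes) are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not real data). One source
# sprays leaked credentials across many accounts and lands one hit; another
# is a single user mistyping their own password before succeeding.
SAMPLE_LOG = """\
2023-05-19T16:55:01Z src=203.0.113.10 user=alice result=FAIL
2023-05-19T16:55:02Z src=203.0.113.10 user=bob result=FAIL
2023-05-19T16:55:03Z src=203.0.113.10 user=carol result=FAIL
2023-05-19T16:55:04Z src=203.0.113.10 user=dave result=FAIL
2023-05-19T16:55:05Z src=203.0.113.10 user=erin result=FAIL
2023-05-19T16:55:06Z src=203.0.113.10 user=frank result=FAIL
2023-05-19T16:55:07Z src=203.0.113.10 user=frank result=OK
2023-05-19T16:58:10Z src=198.51.100.7 user=alice result=FAIL
2023-05-19T16:58:20Z src=198.51.100.7 user=alice result=FAIL
2023-05-19T16:58:30Z src=198.51.100.7 user=alice result=FAIL
2023-05-19T16:58:40Z src=198.51.100.7 user=alice result=FAIL
2023-05-19T16:58:50Z src=198.51.100.7 user=alice result=OK
2023-05-19T17:01:00Z src=192.0.2.5 user=grace result=OK
"""

# Assumed log line layout: ISO timestamp, source address, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Flag sources that fail against at least `min_users` distinct accounts within `window`.

    Returns {src: {"distinct_failed_users": n, "successful_users": [...]}} so that
    accounts which accepted a password from a flagged source can be reviewed first.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        flagged = 0
        # Sliding window over this source's events, ordered by time.
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            failed_users = {e["user"] for e in events[start:end + 1] if e["result"] == "FAIL"}
            flagged = max(flagged, len(failed_users))
        if flagged >= min_users:
            hits = sorted({e["user"] for e in events if e["result"] == "OK"})
            findings[src] = {"distinct_failed_users": flagged, "successful_users": hits}
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['distinct_failed_users']} distinct accounts failed, "
              f"successful logins for {info['successful_users']}")
```

The distinct-username count is what separates a spray of leaked credentials from an ordinary forgotten password: the second source in the sample fails four times but against a single account, so it is not reported. In practice the same logic is usually keyed on more than the source address (ASN, user agent, device fingerprint), since stuffing tools rotate addresses, and a successful login from a flagged source is the signal to step up to a stronger factor rather than to accept the session.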
Q: So, Matt, credentials are under threat from a renewed focus on phishing. What can be said about the other authentication factors?
A: Yes, threat actors are currently focusing on credentials. But as more and more organizations implement multi-factor authentication, they’ll turn their gaze toward the other factors used to secure MFA.
But a larger point here is that MFA protocols secured with “something you own” factors, such as one-time passcodes (OTPs), are not a long-term solution. Cybercriminals have defeated these traditional verification technologies, which has led to the commoditization of what were once deemed secure options (you can read more about the risks of OTPs here, for example).
OTPs are a step up from passwords and often offer a higher level of security than credential-based authentication. However, possession-based factors are increasingly susceptible, and can still be stolen or intercepted. It’s no silver bullet.
More widely, I would say that overreliance on both credential and possession-based authentication has led to a vicious cycle in which organizations are stuck in a state of reaction and detection to threats rather than prevention, creating an “industry” of administrative burden in information security.
Q: Matt, what can be done to combat threats to authentication systems?
A: Generally, organizations are too focused on what hurts them right now – they’re constantly putting out fires burning due to weak passwords and possession-based authentication, so information security professionals are too busy (or don’t have all the information they need) to realize there’s a much better way.
Biometric technology offers a better approach to security. There is a unique efficiency in adopting a mature and reliable product that assures the genuine identity of a remote user.
Cybersecurity can be broken down into preventive and detective controls. Cybersecurity has traditionally focussed on detective controls, which are incredibly expensive.
Think of it like this: it’s the difference between paying someone to walk around your building to see if anyone has broken in, versus simply locking the door. In this analogy, biometrics is the lock – stopping the vast majority of your problems at the earliest stage. In that sense, iProov technology is the ultimate preventative measure.
Additionally, the cost of a mature cybersecurity capability system in a given organization is astronomical; elements such as a Security Operations Centre (SOC), staffing, incident response, outsourcing, APIs, integrations, and threat intelligence platforms all add up. But the cost of a resilient biometric liveness solution is much lower.
iProov offers the iProov Security Operations Centre (iSOC) as part of its biometric solution. Through iSOC, iProov monitors traffic in real-time to detect attack patterns across multiple geographies, devices, and platforms. iSOC provides the depth of visibility and the breadth of control as though you were developing your own in-house technology, with the advantage of no additional overheads. All solutions are supported, enhanced, and upgraded without additional time, cost, or resources.
Additionally, these threat actors are aware that employees leave work for the weekend at a given time on a Friday, so they coordinate their attacks around then. That’s why automated processes are critical.
Ultimately an MFA process that incorporates the right biometric technology to ensure genuine presence takes away colossal amounts of that pain and stress by focusing on prevention.
Q: Thanks Matt! Any closing thoughts?
A: People must understand that it’s incredibly hard to identify generative AI attacks such as deepfakes or, more recently, face swaps – particularly to the naked eye. The fraudulent output can look entirely realistic and very different from the actual input. We can’t just rely on people to spot AI attacks.
Note: In an iProov survey, 57% of global respondents stated that they could tell the difference between a real video and a deepfake, which is up from 37% in 2019. However, IDIAP revealed that in reality only 24% of participants in their study could detect a deepfake. A high-end deepfake can be genuinely indistinguishable from reality to the human eye.
If we look at different biometric solutions, they can provide vastly different levels of assurance that a given authentication is a live human and not a spoof. So, education is needed on the different types of liveness and technologies available – the differences between single frame, multi-frame, passive, active, and so on – and why there’s such a need for a mission-critical solution.
The question of “how can we be sure of someone’s identity online?” is an extremely important and serious topic, and it’s not going away. Weak authentication and verification means weaker borders at the point of travel, compromised online accounts, weaker information security, and more. It worries me that to some people, biometrics is still seen as science fiction – because it’s real, it’s necessary, and it’s needed now more than ever.
Reminder: our latest report, “iProov Biometric Threat Intelligence”, is the first of its kind. Inside, we illuminate the key attack patterns witnessed throughout 2022. It highlights previously unknown in-production patterns of biometric attacks, so organizations can make informed decisions on which technology and what level of security to deploy. Read the full report here.