Freely subscribe to our NEWSLETTER

Commentary from Kevin Lee, VP of Trust and Safety, Sift

“Account takeovers (ATOs) are plaguing digital businesses and consumers, with attacks surging 307% between 2019 and 2021. Cybercriminals have been able to take ATOs to new and sustained heights due to poor password hygiene. And it’s happening at scale, with fraudsters using automation to steal stored account value, payment information and other personal data from thousands of accounts at one time.

Sift’s research team, for example, discovered a sophisticated fraud ring, dubbed Proxy Phantom, that was using bots to overwhelm merchants. Using a massive cluster of rotating IP addresses paired with credential stuffing attacks, the group used 1.5 million stolen credentials to flood businesses with bot-based login attempts to conduct as many as 2,691 attempts per second.

This new level of sophistication coming from fraudsters has driven fraud teams to actively seek out password-less alternatives to more securely and seamlessly authenticate users. Legacy account security approaches, like passwords, and knowledge-based authentication, are no longer enough to effectively verify users and consistently defend against fraudulent logins. Customers should be free to permanently ‘forget’ their passwords. If a business can’t grant that freedom, customers may take their business elsewhere.

As we look into the future of account-based security on World Password Day, companies need an intelligent approach that verifies users, secures accounts and stops ATOs. Through password-less authentication solutions, trust and safety teams can have forward-looking security protocols that address businesses’ account security needs and stop ATOs in their tracks.”

Commentary from Matt Aldridge, Principal Solutions Consultant at OpenText Security Solutions

“We’ve relied on passwords for many years to securely access the apps and services we use daily: both at home and at work. Today, as many of these services move to the cloud and breaches become more frequent, password security is even more critical for businesses. Awareness must go beyond how randomised your password is or if it includes a capital/special character: there are certain risks that everyone should know about.
There’s no way to stay 100% safe online but it’s important that the ineffectiveness of 8-character passwords, which can be cracked easily using common tools used by cybercriminals, is brought to light on World Password Day. A user could have the most random, jumbled 8-character password, yet these passwords are not much more secure than 8-character passwords consisting of easy to remember phrases.

Instead, we highly recommend organisations encourage employees to create longer passwords that include phrases and incorporate spaces plus a letter, number and/or special character. Humans can remember long phrases, and each added character will generate an exponential increase in security. Using such passwords for access to your computer and to unlock a password manager application, which can then generate very long, secure, unique passwords to simply copy and paste into other applications, or even automatically fill them in via browser integrations.
Business IT admins can also use APIs whereby they can check a proposed new password against a database of previously leaked passwords, to make sure that whoever is creating the password isn’t using something that has been previously exposed, and that it is unique. These APIs can also be plugged into browsers such as Edge and Chrome to notify the user if their password is used or leaked in the future.

Moving beyond passwords is also becoming possible for many applications, where confirmation via mobile applications using biometric authentication can avoid the need to enter a password at all when completing authentication – this completely removes the threat of forgetting or losing a password, whilst preventing a password from being intercepted by an attacker, but it is crucial that such solutions are carefully implemented, controlled and supported.”