It seems that not a week goes by without another spate of articles about the mounting threat of account hijacking and cybercrime. Last week, The Onion revealed how the Syrian Electronic Army (SEA) gained access to their social media accounts, and just this past weekend, The New York Times reported that a new wave of cyberattacks against utility companies recently prompted a warning from the Department of Homeland Security. On the other side of the coin, Google just announced its five-year roadmap for stronger account security, and PayPal, which, along with Google and others, is a member of the Fast Identity Online Alliance (FIDO), revealed its goal to obliterate the password.
Google's roadmap calls for a much more aggressive two-factor authentication log-in scheme linked to a user's cell phone or other Android device. Although the initial challenge to log in will be more rigorous, the idea is that it's a one-time thing. Once people sign in on their device, that device can be used to authorize other services and other devices through near-field communication over a phishing-proof protocol.
This proposal represents a big step forward in account security, and if everything works out the way the authors envisage, we'd be in a much better place. As usual, there are a few key caveats, though:
- Tying account security to a smartphone is certainly convenient and hugely secure: forget having a complicated, 10-letter password; how about storing a 1,000-letter password on your smartphone? Yet while smartphones are nearly ubiquitous in many parts of the world, there still remain millions of Internet users who don't have the latest and greatest, and those users still need an alternative way to log in. As with the "Account Recovery" vulnerability Google calls out, how can we avoid creating a new Achilles' heel that the bad guys will exploit?
- Many of the requirements listed in the doc are interdependent. For example, you can't give your smartphone the ability to log into every web site without dealing with the fact that tens of thousands of cell phones are stolen every year and 54 percent of cell phones are not password protected. Interdependency raises the cost of integration, and we're already dealing with the problem that many sites still don't consider themselves vulnerable. If we had a nickel for every SaaS web site that asked "why would someone want to hack into us"...
- There are no silver bullets, and locking the doors sometimes isn't enough to defeat a determined attacker. Security experts talk about "targets of choice" and "targets of chance." These techniques are great at reducing the chances of an opportunistic criminal grabbing your account, but just like in the real world, if you have something valuable in your house, someone is going to try to steal it. You can replace it and change the locks. You can get more locks. You can invest in the most advanced locks on the market. The thieves will keep trying to find a way in. As long as you have something valuable inside, they have an incentive to break through. And they have all the time in the world to do it.
Instead of relying exclusively on locks, and waiting for the new locks to be installed, companies need to invest in proactive monitoring to complement the locks. Just like in the physical world, this virtual "police force" looks for suspicious patterns and attempts in the neighborhood and, by learning how the criminals behave across multiple locations, can stop them before they even reach your door.
By banding together, sharing information and using automated machine learning to profile how cyber-criminals behave online (where they go, what they do, who they talk to), we can help stop account takeovers across sites before they start. Google and FIDO's plan sets a new bar in 'locking' down accounts to protect user information. A 'police force' will only enhance their efforts, giving all sites across the web strong protection as new security protocols roll out and gain traction.