Make the Internet More Secure: The #NoPasswords Revolution

By Ori Eisen

September 27, 2016

I don’t want you to read this piece. I want you to read and act upon it. In short, I am here to recruit you.

If you’re satisfied with the way the internet is now and feel that your information is secure online, stop reading here – because I’m speaking to all of us who think there is a major problem.

Doing nothing is simply no longer an option.

I have dedicated my life to fighting online crime. Years ago, while serving as the worldwide director of fraud at a top bank, I began to focus not just on the ways money was being stolen online, but on the thieves themselves. I began to look deeper into the inner workings of crime: “Where does the stolen money go? What is it being used for? By whom?”

Unfortunately, I got the answers I was looking for. As I found how far money stolen over the Internet goes to fund even worse crimes (narcotics, weapons, terrorism, human trafficking, child exploitation, the lowest of the low for humanity), I realized I could not sit by and do nothing.

Now, I’m asking the rest of the world to join me in taking action. We must protect online businesses so these funds are not handed over to the criminals for their nefarious activities.

Current cybersecurity solutions are just not cutting it. But there’s one simple way we can all make a difference in stopping this cycle of crime: getting rid of passwords, once and for all.

Passwords were invented in the early 1960s and have not had a single innovation since. It’s time to move on.

The Problem

The Internet was not designed with security in mind. At their conception, usernames and passwords were very useful in granting access to a network for academic research – essentially, they just helped keep honest people honest. When the internet became a factor in this access, however, things changed.

Now, the same primitive technology is used to protect multi-million dollar wire transfers. We’re in a whole different ballgame, and this time there’s a fierce opponent. What if we treated physical security the way we do online protection? If someone could access, for the small price of $1, a master key to your front door – would you worry? And more importantly, would you do something about it?

We now conduct almost every aspect of our lives online, yet our security measures have not changed.

According to Privacyrights.org, more than 900 million user records have been breached since 2005. In contrast, there are just more than 300 million active Internet users in the US alone. You do the math – chances are the $1 key to open your online accounts is already available to whoever is buying.

But this isn’t intended to alarm anyone; in fact, it shouldn’t even be new information. Just by reading the news, you already have seen the headlines:

8/15/2016 “Twenty U.S. Hotels Hit by Massive Data Breach”

8/14/2016 “Financial Malware Attacks Increase”

8/13/2016 “IRS Warns Citizens of New Phishing Scheme”

8/12/2016 “Russian cyber-Attack That Targeted Democrats Much Larger Than First Reported”

8/11/2016 “Researchers Expose Iranian Cyber-Attacks Against Hundreds of Activists”

8/10/2016 “Volkswagens Susceptible to Hack”

Talk about “breach of the day.” And the fact that this is now part of our daily news cycle points to the fact that our current security measures – passwords – are no longer effective.

The Business Implications of Passwords

When a company is anticipating a breach (as all should be in this day and age), the financial expectation is on soft costs like customer trust, brand reputation and customer loyalty, in addition to more obvious hard costs such as breach investigation, credit monitoring, customer attrition, legal fines and fees, etc.

But when breaches are enacted via password insecurity, unexpected additional costs are added to the bill:

1) Call center calls about forgotten passwords

2) Services to reset them (KBA, SMS 2FA, Phone Call 2FA)

3) Losses attributed to weak passwords

4) Losses attributed to fraudulent password resets

5) Losses attributed to malware or breaches stealing passwords

Many companies started using MFA solutions, only to realize the bitter truth – that programs like SMS one-time passwords are easy for hackers to circumvent. Crooks can easily take over your phone line just by convincing the telephone company they are you, no technical skills needed.

Case in point is that of Black Lives Matter activist DeRay Mckesson: On June 10, 2016, news broke that his Twitter account had been hacked. Mckesson describes what many of us knew all along…

“At 10:31 am, someone called @verizon impersonating me and successfully changed my SIM & unsuccessfully attempted to change my phone number,” Mckesson tweeted. “By calling @verizon and successfully changing my phone’s SIM, the hacker bypassed two-factor verification which I have on all accounts.”

Not all MFA solutions are created equal. To the perpetrators of this attack, SMS was nothing more than a turnstile in the middle of the desert... they simply went around it.

“The only thing necessary for the triumph of evil, is for good men and women to do nothing” – Edmund Burke

The Solution

This leads us to how we can take action: Take static passwords out of the security paradigm altogether.

This means we need a dynamic way to authenticate online identities. Each time an account is accessed, you still need to affirm that it is you on the other end – in a dynamic solution, that affirmation is wrapped in a unique value, so it cannot be used again by any perpetrator.
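As an added illustration of the “unique value” idea (example code written for this article, not the author’s or any vendor’s product): the server issues a fresh random challenge for each login or transaction, the user’s device returns an affirmation bound to that challenge and to the action being approved, and the server consumes the challenge on first use. A captured affirmation is therefore worthless to a replaying attacker, unlike a captured static password. The per-device key is a constructed stand-in for whatever credential a real scheme provisions at enrollment.

```python
import hashlib
import hmac
import secrets
import time


def affirm(device_key, challenge, action):
    """What the user's device sends back: a MAC over the challenge and the
    action it is affirming, so the value is bound to this one request."""
    msg = f"{challenge}|{action}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class DynamicAuthServer:
    """Challenge-response stand-in for the article's 'dynamic' authentication:
    every access gets a fresh, single-use, time-limited challenge."""

    def __init__(self, ttl_seconds=60):
        self.device_keys = {}   # user -> device secret (constructed: set at enrollment)
        self.pending = {}       # challenge -> (user, action, expiry)
        self.ttl = ttl_seconds

    def enroll(self, user, device_key):
        self.device_keys[user] = device_key

    def issue_challenge(self, user, action):
        challenge = secrets.token_hex(16)   # 128 bits of randomness, never reused
        self.pending[challenge] = (user, action, time.time() + self.ttl)
        return challenge

    def verify(self, user, challenge, response):
        entry = self.pending.pop(challenge, None)   # consume: one use only
        if entry is None:
            return False                            # unknown, expired, or already used
        owner, action, expiry = entry
        key = self.device_keys.get(user)
        if owner != user or key is None or time.time() > expiry:
            return False
        expected = affirm(key, challenge, action)
        return hmac.compare_digest(expected, response)


def demo():
    """Constructed walk-through: one honest approval, then two replay attempts."""
    server = DynamicAuthServer()
    key = secrets.token_bytes(32)                  # constructed enrollment secret
    server.enroll("alice", key)
    action = "wire $25,000 to ACME"
    ch = server.issue_challenge("alice", action)
    resp = affirm(key, ch, action)                 # suppose an attacker captures this
    first = server.verify("alice", ch, resp)       # genuine use: accepted
    replay = server.verify("alice", ch, resp)      # same value again: rejected
    ch2 = server.issue_challenge("alice", action)
    reuse = server.verify("alice", ch2, resp)      # old value, new challenge: rejected
    return {"first_use": first, "replay": replay, "reuse_on_new_challenge": reuse}
```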

Using a dynamic solution solves the real problem and kills two birds with one stone:

1) More security

By ridding the world of passwords, we get rid of hackers’ easiest target. Malware that steals passwords will lose its value completely, diminishing not only the vast amounts of money crooks currently take through fraud but also the market they have created to spur more crime.

By affirming it is really them on the other end, users are empowered to play a part in their own security. The extinction of passwords will bring about a wake-up call for consumers, as the world learns more about the risks they take every day just by signing into any online program. They know each time their account is accessed, and can affirm or reject the transaction.

2) More convenience

With all this said, there’s still the element of friction in security – even when faced with hackers, consumers are more likely to take the easy route than the safe one. Data points to this trend too, as a survey we just conducted showed that nearly a third of users said they aren’t likely to change their password even immediately after they know it is breached.

A dynamic authentication method free of passwords, however, is both the secure route and the easy one. Users no longer need to remember passwords, think about length or complexity, or even bother to change them regularly. Password resets will be a thing of the past.

The cost of doing nothing has shown its ugly face in our headlines, in our bank accounts and in the frustration of consumer helplessness to protect themselves. We must fight fire with fire, using technology to raise the bar on online criminals.

Heed the call and join the #NoPasswords Revolution. Proactively ask the programs you subscribe to and the companies you work for to look to dynamic authentication methods. Use social media as your weapon in waking up the internet to the sad reality of decades-old password technology.

We can reclaim the Internet.

“All the forces in the world are not so powerful as an idea whose time has come” – Victor Hugo

Karen Dayan