The Small Business Administration blamed an internal error for its recent leak of at least 8,000 Economic Injury Disaster Loan applications. Whether or not a “glitch” is to blame (many officials doubt that it is), this latest headline-making blunder reminds government agencies to review how they’re preventing sensitive data from ending up in the wrong hands.
Such news stories attract hackers to government agencies like moths to a flame; it tips them off to which agencies are likely still using antiquated techniques to protect their treasure trove of Social Security numbers, employee credentials, tax IDs and more. Hackers also know that agencies have been forced to quickly shift to remote work during this global pandemic and are scrambling to maintain security in a new, complex environment.
There’s a simple security measure that could take phishing attacks out of the equation and remove one of hackers most useful tools: getting rid of passwords.
Given the number of breaches due to password theft, it’s a wonder agencies are still using passwords despite their high risk exposure. According to research from Verizon, over 80% of all data breaches involve stolen passwords, making it time to stop pretending passwords are still an effective security measure.
Employee risk factors
Nearly 90% of successful data exfiltrations and breaches in the federal government over the past few years were the result of phishing attacks, according to the director of the National Counterintelligence and Security Center. This is an even bigger threat as government employees working remotely are downloading new tools daily and accessing various networks. In a work from home (WFH) environment, security and IT teams have very little control or oversight. While it’s tempting to believe everyone is following exemplary security practices, the reality is that government employees are reusing passwords just like everyone else.
This means that passwords used for sensitive government activities may also be used on consumer sites at risk of being hacked. Recent breaches at HomeChef and EasyJet put consumer login information at risk, but it’s the breaches that haven’t been publicized that place users at greater risk. With the average person reusing their favorite password at least 14 times, it’s easy to do the math and see the size of this risk.
Passwords are a liability
Of course, it’s users’ responsibility to keep the password to themselves. For a password to work, however, organizations must know the password to verify it. This is typically done in a secure database known as a credential vault. Just as criminals rob banks because that is where the money is, hackers break into credential vaults because that’s where all the passwords are. This makes the use of passwords a liability to the organizations that use them to secure critical data.
Hackers seek out passwords
Hackers can often take advantage of poor security settings and compromise the credential vault that stores all of a network’s usernames and passwords. More often than not, however, all hackers really have to do is send users an email tricking them to give up their password. In 2018, the Defense Information Systems Agency reported that the Defense Department had fended off 36 million malicious emails from hackers containing phishing schemes, malware and viruses. With one simple click of a link in an email, users are whisked away to a site that looks just like a page they are familiar with, and in seconds they can share critical login credentials.
If this seems too easy, there are a host of other far more sophisticated schemes in hacker’s tool chest, including keystroke loggers, spyware or mobile malware. If passwords were supposed to be a secret, then this is a good reason why they are not working.
There are other options
Is there something better than passwords for government agencies? Absolutely. Before considering the alternatives, keep two things in mind – simplicity and security. Passwords have been around for decades, but when they were first introduced, they were a simple way to secure applications, data and machines. Today, the average user logs into 20-30 sites and often uses the same password to keep things simple, which ends up weakening security. Therefore, password alternatives must be very simple or users won’t adopt them. Taking advantage of phones and smart apps where users don’t have to do much more than tap and/or scan, let alone remember anything, is the right way to go.
User passwords must be replaced with multiple authentication methods that feature a combination of “something you know,” such as a username or social identity, “something you have,” such as a secure token on the phone, and “something you are,” such as the biometric from that same phone. Leveraging all three methods makes the authentication process highly resistant to impersonation and increases security exponentially.