A tale told on Twitter in early September made for an alarming read - and was a timely reminder of just how much is at stake when digital security is breached.
Charlotte Morgan’s story begins: “After a distressing and frustrating week, I need to talk openly about something that happened to me (which could happen to you, too). It's broken me - both financially and mentally - but I'll attempt to explain calmly and rationally. Strap yourself in.”
She goes on to explain that having arrived at the gym, she found the entrance gates - normally activated by members scanning their passes - were not working. Charlotte stored her belongings in her locker and took her usual workout class. When she returned, she found her locker had been broken into and her rucksack, containing her phone, bank card and keys, stolen. Then came the realisation, as she borrowed a phone and started to call the relevant organisations, that the person who had broken into her locker had already succeeded in resetting her email, online banking, mobile and Apple Pay security details. Not just that, but they had been on a shopping spree, bought themselves three brand-new iPhones, and emptied her savings accounts.
It’s worth reading the full thread on Twitter to get the complete picture of what happened next, and the layers of frustration and distress that accompanied the victims' attempts to rectify the damage, regain control of their accounts and work out how the thieves had been able to circumvent established security measures (it was not an isolated event: there have been multiple reports of thefts following the same pattern at gyms across London).
It's important to stress, of course, that we can only speculate on the modus operandi of the criminal(s) at this point. One thing that seems clear from the Twitter thread, however, is that the victim in this case had taken all reasonable measures to protect herself. Her access management followed general advice; none of her passwords were the same or obvious, she had not written her PINs or passwords down anywhere, and she had two-factor authentication set up. None of those measures were enough.
A growing threat
Existing authentication methods are failing to halt fraudulent attacks.
In the first half of 2021, criminals stole a total of £753.9 million through fraud. That figure represents a rise of over a quarter (30%) when compared with H1 2020. And it's a trend that is borne out by plenty of other research: the latest Cifas data shows that levels of fraud increased by over 11% in the first half of 2022. The total value of alleged fraud reaching UK Crown Courts in H1 2022 increased by 288% compared with the same period in the previous year. And more than 200,000 cases of fraudulent conduct were recorded in the National Fraud Database in the first six months of 2022 – a rise of 11% when compared to the previous year.
"The level of fraud in the UK is such that it is now a national security threat. The banking sector cannot solve this on its own - there must be a coordinated approach adopted across every sector if this is to be tackled effectively."
- UK Finance, 2021 Half Year Fraud Update
Passwords and 2FA: Part of the problem?
No one likes passwords. The burden of constantly coming up with multiple complex passwords, and the even bigger challenge of needing to remember them, is undoubtedly the reason that, according to the Gartner Group, 20-50% of all IT help desk tickets annually are for password resets.
What’s more, passwords can be shared, guessed or stolen, which means they are not secure. The 2022 Verizon Data Breach Investigations Report found that over 80% of hacking breaches involve the use of stolen passwords or stolen credentials.
By seizing control of devices linked to accounts, fraudsters have also found ways of bypassing two-factor authentication (2FA). Earlier this year, a report by Auth0 found that attacks by cybercrime groups targeting multi-factor authentication (MFA) techniques had risen to the highest levels ever recorded, with its network logging roughly 113 million MFA attacks. This rise reflects the fact that MFA has become the secondary security method preferred by many major app and service providers. However, far from being a bar to criminals, some MFA methods can be a gift. When 2FA codes are delivered via SMS or email to the same device that has been stolen, the second factor is no longer independent of the first: whoever holds the device can read the code the moment it arrives. Once a criminal has that code, they have the keys to the kingdom.
So, what's the solution? Introducing MiPass...
Stories such as Charlotte Morgan's are a reminder of the damage just one weak link in the chain can cause.
MiPass is Mitek’s solution to the serious security risks associated with using passwords to secure accounts in a digital-first economy. MiPass, a passwordless authentication solution, leverages multi-modal biometric authentication (face and voice) to allow customers to effortlessly and securely access digital accounts, while simultaneously helping organisations maintain strong KYC compliance standards.
With passwordless login, MiPass blocks the entry points that passwords and OTPs leave open for account takeover attacks such as SIM card swaps, social engineering, or stolen devices.
There are many benefits of passwordless authentication. Biometric security features are not only an inherently stronger, more secure way to verify users, but they also provide a better user experience. Using biometrics allows users to be quickly authenticated without the need for cumbersome password requirements or one-time passcodes that leave customers vulnerable to identity theft. To access a digital account using MiPass, a person simply uses a smartphone to take a quick selfie and record a phrase.
Creating passwordless multi-factor authentication by combining both voice and face is a significant security improvement beyond the face recognition-only systems many use today, and helps to create a frictionless user experience.
“MiPass provides the highest level of digital security available today,” said Mitek CTO Steve Ritter. “MiPass combines voice and face recognition using sophisticated liveness detection technology to defend against digital and deepfake attacks in real time.”