Google, Skype, and LinkedIn along with a growing number of organizations have turned in the last several years to two-factor authentication. They are doing so in the hopes that requiring a second layer of security will help curb data breaches and cyber identity theft cases.
After all, 554 million data records were lost or stolen in the first half of 2016, a 31% increase from the previous six months, according to the most recent Breach Level Index. Keep in mind, also, many breaches go unreported or are not yet discovered.
These 2016 Data Breach Statistics mean:
- 3.04 million records are compromised every day
- 126,936 records are compromised every hour
- 2,116 records are compromised every minute
- 35 records are compromised every second
Identity theft accounts for 64% of all known data breaches. Yet, while a second layer of security does make it harder for attackers to access accounts and systems, it's not enough.
How does two-factor authentication work?
Two-factor authentication is not a new security measure. It requires users wanting to access a system or their personal account to first enter their user name and password. Once accepted, a second prompt is activated, requiring users to enter another set of credentials that only the user is expected to have – a unique code provided via RSA token or SMS, or a biometric like a fingerprint.
But today's fraudsters are savvy. They have shown time and time again how easily they can exploit the vulnerabilities of two-factor authentication. With social engineering, phishing, harvesting social media and other open sources, erecting fake cell towers and other innovative attacks, cybercriminals are gaining access to the full spectrum of personally identifiable information.
Armed with the user's full credentials, hackers successfully pass through both of the security levels. And, without another check during the session, the fraudsters are able to take over profiles, compromise systems and empty bank accounts or open new accounts for themselves.
2015 saw a 113% increase in incidence of new account fraud, which now accounts for 20% of all fraud losses. — Javelin
A Better Solution in Continuous Authentication
With cyber attackers getting more sophisticated, security measures must get smarter too. The key is to implement security measures that continuously monitor and test the authenticity of users in ways that are difficult to replicate.
Behavioral biometrics is a holistic solution that differentiates between human and non-human device interactions. The natural tendencies of an authentic user making their way through an application vary markedly from those of an experienced fraudster. For example, an attacker who has exploited one application multiple times will work through it with a fluency that a new user cannot match. Or, unlike consumers who manually input personal information from memory, attackers might cut and paste these details into systems.
By mapping and monitoring these behaviors throughout the user's time within the application, continuous authentication can indicate fraudulent behavior that occurs after the login, that is, after the two-factor authentication has been validated.
Continuous authentication based on behavior also reduces the risk of false alarms, as opposed to traditional device ID or IP address validation, and identifies threats immediately. This means stopping fraud in real time and protecting consumers against the range of cyber threats.
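As an added illustration (not code from this article or from any vendor), the sketch below scores a session event by event after login, using the two signals described above: pasting into personal-information fields and unusually fluent navigation by a first-time user. The event format, field names, point values and thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed field names, points and thresholds; tune against real traffic.
PII_FIELDS = {"ssn", "dob", "account_number"}
PASTE_POINTS = 40        # risk added per paste into a PII field
FAST_NAV_POINTS = 30     # risk added per unusually quick page transition
FAST_NAV_SECONDS = 2.0   # a first-time user rarely moves on faster than this
STEP_UP_AT = 70          # at or above this score, re-challenge the user

@dataclass
class SessionMonitor:
    """Scores a session event by event after login has succeeded."""
    first_visit: bool
    risk: int = 0
    last_nav: Optional[float] = None
    reasons: list = field(default_factory=list)

    def observe(self, event: dict) -> bool:
        """Update risk from one event; True means step-up is required."""
        kind, t = event["type"], event["t"]
        if kind == "paste" and event.get("field") in PII_FIELDS:
            self.risk += PASTE_POINTS
            self.reasons.append(f"paste into {event['field']}")
        elif kind == "nav":
            # Fluency only counts against users with no history in this app.
            if (self.first_visit and self.last_nav is not None
                    and t - self.last_nav < FAST_NAV_SECONDS):
                self.risk += FAST_NAV_POINTS
                self.reasons.append(f"fast navigation to {event['page']}")
            self.last_nav = t
        return self.risk >= STEP_UP_AT

def first_step_up(events, first_visit=True):
    """Return (index of the triggering event, reasons), or (None, reasons)."""
    monitor = SessionMonitor(first_visit=first_visit)
    for i, event in enumerate(events):
        if monitor.observe(event):
            return i, monitor.reasons
    return None, monitor.reasons

# Constructed sample sessions; both have already passed two-factor login.
TYPED = [{"t": 0, "type": "nav", "page": "profile"},
         {"t": 9, "type": "key", "field": "dob"},
         {"t": 30, "type": "nav", "page": "transfer"}]
PASTED = [{"t": 0, "type": "nav", "page": "profile"},
          {"t": 1, "type": "paste", "field": "dob"},
          {"t": 1.5, "type": "nav", "page": "transfer"},
          {"t": 2, "type": "paste", "field": "account_number"}]
```

Because the score is re-evaluated on every event, the pasted session is flagged partway through, before its final action, even though the login itself was valid.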
Breach Level Index. (2016). http://breachlevelindex.com/
Pascual, A., Marchini, K. & Miller, S. (2016, February 2). 2016 Identity Fraud: Fraud Hits an Inflection Point. https://www.javelinstrategy.com/coverage-area/2016-identity-fraud-fraud-hits-inflection-point