Stolen Credentials on the Dark Web: A Wake Up Call for Organizations Using KBA

Michael Magrath, January 22, 2018

Recent news accounts of security researchers discovering a database containing 1.4 billion breached credentials — reportedly the largest such find on the Dark Web — are yet more evidence that online identity proofing that relies only on KBA (knowledge-based authentication) and static passwords is no longer fit for purpose.

The level of sophistication that cybercriminals bring to the Dark Web is considerable. Stolen data is not only aggregated; it has been catalogued and packaged so that even newcomers to the Dark Web can search for and acquire targeted data, much as a marketer rents a mailing list for a specific demographic.

Organizations and individuals affected by the numerous data breaches of the past couple of years who have not taken action, by changing passwords, cancelling debit and credit cards, or requesting a freeze on their credit, are rolling the dice.

KBA is Not Enough

Our data is out there, stored on the Dark Web in a gigantic searchable database for criminals to acquire and plunder. The newly discovered database is nearly twice the size of the previous largest combo list, which held 797 million credentials.

For example, if you were a victim of the Equifax, Target or Anthem breaches, the aggregated profile built from your information is comprehensive and highly sought after. If you did take action, you likely obtained a new credit card, but what about the data that can't be changed, such as your Social Security number, date of birth and health records?

KBA has been under scrutiny for some time because the answers to commonly asked questions, such as “Your monthly mortgage is with what bank?”, are easy for attackers to find. Those answers come from the same public records and breached data that an attacker who has bought a victim's profile already holds, so KBA fails in exactly the situation it is supposed to handle.

This aggregated treasure trove of stolen data also reminds us that we cannot rely on static passwords, especially since people commonly reuse the same password across multiple accounts, so a password leaked from one site can be replayed against many others. Verizon’s 2017 Data Breach Investigations Report states that 81% of hacking-related breaches leveraged stolen and/or weak passwords and, as this latest discovery shows, such passwords are readily available on the Dark Web.
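Because the leaked passwords themselves are what attackers replay, the practical counterpart to the point above is to screen every new or reset password against a breach corpus, which is also what NIST SP 800-63B asks verifiers to do. The following is an added example, not code from the original post or from OneSpan. It implements the k-anonymity range-query design used by public breached-password services such as Have I Been Pwned's Pwned Passwords: the client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix under that prefix and finishes the match locally, so the password never leaves the client. The corpus here is a small constructed in-memory sample with made-up counts, not real breach data, so the code runs offline; the `SAMPLE_BREACHED`, `build_range_index`, `range_query`, `client_request`, `breach_count` and `screen_new_password` names are this example's own.

```python
import hashlib
from typing import Dict, List, Tuple

# Number of hex characters of the SHA-1 digest the client reveals (the
# public Pwned Passwords range API uses 5).
PREFIX_LEN = 5

# Constructed sample corpus: plaintext -> times seen in breaches. Real
# corpora hold only hashes; plaintexts appear here only so the index can be
# built inline. The counts are made up for this example.
SAMPLE_BREACHED: Dict[str, int] = {
    "123456": 20_000_000,
    "password": 3_000_000,
    "Summer2017!": 412,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, as the range protocol expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Server side: bucket breach hashes by prefix into 'SUFFIX:COUNT' lines."""
    index: Dict[str, List[str]] = {}
    for plaintext, count in breached.items():
        digest = sha1_hex(plaintext)
        prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


def range_query(index: Dict[str, List[str]], prefix: str) -> List[str]:
    """Server side: return every suffix under the prefix.

    The server sees only the prefix, so it cannot tell which of the returned
    hashes (if any) the caller is interested in.
    """
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError(f"prefix must be {PREFIX_LEN} hex characters")
    return index.get(prefix, [])


def client_request(password: str) -> Tuple[str, str]:
    """Client side: split the digest; only the prefix is ever transmitted."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def breach_count(password: str, index: Dict[str, List[str]]) -> int:
    """Client side: fetch the range for the prefix and finish the match locally."""
    prefix, suffix = client_request(password)
    for line in range_query(index, prefix):
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0  # not present in the corpus


def screen_new_password(password: str, index: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Registration-time policy: reject any password seen in the corpus, whatever the count."""
    hits = breach_count(password, index)
    if hits:
        return False, f"rejected: appears {hits} times in breach corpus"
    return True, "accepted"


INDEX = build_range_index(SAMPLE_BREACHED)

if __name__ == "__main__":
    for pw in ("password", "Summer2017!", "correct horse battery staple"):
        print(f"{pw!r} -> {screen_new_password(pw, INDEX)}")
```

The policy in `screen_new_password` rejects on any hit rather than above a threshold: a password that appears once in a combo list is already in the attacker's dictionary, and the lists are only getting bigger.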

Why Multifactor Authentication Matters

The time has come for U.S. federal and state governments to engage with industry to finally deliver best-of-breed identity management and data protection strategies. The Identity Ecosystem Framework (IDEF), developed by IDESG as a deliverable of the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, provides a sound framework that should be adopted to ensure trusted identities in cyberspace.

Even without federal intervention and enforcement, however, cybersecurity starts with protecting identities from theft, and there are secure ways, available today, to verify identities and authenticate the individuals who access sensitive data.

Technology companies have woken up to the fact that convenience, usability and security have to be balanced. The industry has come a long way over the past few years, offering a variety of low-friction authentication solutions that do not require users to remember complex static passwords but instead leverage technologies built into smartphones and other mobile devices, such as facial recognition, fingerprint sensors and adaptive (risk-based) authentication.

Multi-factor authentication is an integral part of a risk-based approach to cybersecurity. A stolen password is of little use to an attacker who must also present a second factor, provided that factor cannot itself be phished or replayed along with the password. With 1.4 billion clear-text credentials now circulating, MFA is the step that can finally retire the static password.

Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).