the password problem 🔐
Over the past couple of months, it seems like an increasing amount of people are having their social media accounts hacked. Once your account is compromised, hackers often go on to try and defraud your contacts by asking them to click links, send money, etc.
Impersonation and fraud have been around for ages… 🦹
Around 300 BC, shipping merchant Hegestratos, a pioneer of financial fraud, attempted to con the insurers of a shipload of valuable goods by sinking the boat and keeping the cargo… while still claiming the loss.
In 1496, 21 year old, struggling Michelangelo supposedly forged a classical sculpture and successfully sold it as an antiquity to an Italian cardinal.
By the end of 2021, the US Secret Service estimates criminals have stolen nearly $100 Billion in coronavirus pandemic relief funds.
Fraud in the information age 🌐
We live in the Information Age - an era of human history characterised by access to, and control of information. With the exponential growth of the internet, so too have the opportunities for crime in the digital space.
According to the FBI, a total of 847,376 internet crime complaints were filed in 2021, a 7% increase from 2020 and an 81% jump from 2019.
The global cost of cyber crime reached $6 trillion in 2021 and is expected to grow 15% annually until 2025 to $10.5 trillion. For context, that would exceed global trade of all major illegal drugs combined. 😮
This should be a massive concern. Just think about how much of your life takes place online… Emails, banking applications, social media, etc. With all these platforms, the only thing standing between another person and access to your data and applications is secure authentication mechanisms.
Authentication 👁
In the context of users and computer applications, authentication refers to verifying a particular user’s identity. Essentially answering the question of “is this user who they say they are?”
Digital authentication has been around for around 60 years, starting with the use of usernames and passwords.
Most people are very familiar with this type of login form. It is still used on many online platforms and portals, because up until the latter part of the last decade…
Not much about the user authentication experience has changed 🥱
Many websites still use the username and password system that was conceptualised in 1960 at MIT to control the amount of time students and professors could spend on the university’s timeshare computer.
The problem with passwords 🤔
In a world where, by virtue of all the online platforms we use, we are expected to be juggling ~100 different login details 🤯 The simple usernames and password model of login becomes impractical.
Have you ever reused the same password on different sites? Maybe with slight variations?
Have you ever forgotten and had to reset a password and then not been allowed to reset your password because you previously used that password? 🤦🏾♂️
Same.
With many of these sites, you log in and have to store your username and password somehow. And there are various ways to implement this, AKA also many more ways to mess it up.
The best case scenario is that all sites you are signed up for are using an enterprise identity provider to securely store and manage digital identities according to up-to-date best practices. Worst case is your password is stored in plain text 😰. There are a huge number of vulnerabilities at and between these extremes… and new vulnerabilities are being discovered every day.
The remedies 🩹
Luckily there has been some innovation in the space of authentication and password management in recent years.
Password Managers: These are software applications designed to store and manage online credentials (e.g. 1password, lastpass). They can also generate passwords, which are then stored in an encrypted database behind a master password. They solve several problems:
You don’t have to memorise your hundreds of passwords - it can remember them for you.
They can generate highly secure passwords on your behalf.
Single Sign On (SSO): Unlike a password manager that stores unique passwords for every application you use. SSO allows you to use one password for every application. It can be likened to a digital passport. When you log into an application (that supports SSO). The SSO provider, e.g Google or Apple, vouches for your identity.
Multi-factor Authentication (MFA): This works by requiring additional verification before a login or action is successful. Think about One Time Passwords (OTPs) - those 4-8 digit codes that you receive via email or SMS to confirm online purchases. This means that even in the event that your password is compromised, the attacker would still need access to your phone or email to login to a particular application, which makes it much harder to break into your accounts.
The takeaway 🧷
The exponential growth in cyber crime warrants exponential investment in security measures to mitigate attack vectors.
Organisations need to place critical emphasis on security when developing applications and handling customer data, using the best-in-class tooling/services for the various layers of security rather than building out custom functionality themselves.
From a consumer point of view, users need to actively inform themselves on and implement the current best practices such as SSO and MFA to improve their individual security posture.
claude
talking about passwords, sash was interested to hear that apple followed google in announcing a “passwordless future” at its developers conference
Very interesting from a legal perspective - authorities dealing with merger control are placing increasing emphasis on public interest initiatives, meaning that many companies will up their investments in educational institutions, either proactively or as a part of conditional merger approval (for example). The emerging institutions in this regard frequently offer courses in cyber security due to the field easily ‘ticking the boxes’ that the authorities are looking for in meeting our policy goals (because it is, as you have mentioned, so important!)
Hopefully similar policy will spread across Africa where the gap in digital financial inclusion has only increased since the pandemic.
Fraudsters are always on the ball in terms of keeping up with new preventative measures to safeguard information, especially in the cyber crime space. From a fraud risk management space it’s been recognized that the customers themselves are the biggest weakness in protecting their own data, regardless of subscribing to authentication methods such as MFA. This is mainly due to the plight of social engineering, which often leads to people voluntarily giving their authentication codes due to some form of manipulation. So from a customer perspective I think not only familiarizing oneself with different levels of security measures, but also being vigilant in concern for legitimacy when using said tools.