
Account Takeover: How A Combination Of Approaches Could Hold The Key To Protecting Our Cyber-Homes

15/08/2017 15:56 BST | Updated 15/08/2017 15:56 BST

It is said that an Englishman's home is his castle. In today's connected, online-focused world, it may be more accurate to say that an Englishman's online accounts are his castle. They can hold anything from your life's savings to personal details about yourself, a loved one, or even information that could allow a malicious actor to steal your identity. While this is widely known, what is less readily discussed is how vulnerable these accounts are, even when we think we are keeping them safe.

When setting up a new account, security measures such as password strength indicators and security questions are provided as standard and make us feel secure in the knowledge that our accounts are safe. However, in an age of ever-increasing cybercriminality, from data theft (and the subsequent sale of that data on the Dark Web) to sophisticated, targeted phishing emails and malware, it seems increasingly naïve to think that a password composed of your first pet's name and first school is going to keep your accounts safe.

The second wave of security measures addresses this basic incompatibility between our connected world and simple password authentication: physical biometrics. These are, unsurprisingly, biometrics based on a physical trait of an individual, from fingerprints and hand geometry to retinal scans or even DNA. Surely one could be forgiven for thinking this kind of personalised authentication, based on things that are a physical part of you, would be enough to keep accounts safe from malicious actors? Think again. As recently as this month, the US payment vendor Avanti was stung by a piece of malware that stole thousands of fingerprint details from its corporate lunch-room system. Having physical biometrics stolen could have a severe impact on Avanti's customers. Now that this information is in the hands of fraudsters, and likely up for resale on the Dark Web, it is very easy to breach and take over more accounts, create synthetic identities, and more. So, while physical biometrics undoubtedly provide an extra layer of security compared with password-based authentication, they are far from comprehensive on their own.

While the theft of someone's finger for account access has thankfully stayed in the realm of television, there are a plethora of ways that malicious actors could gain access to things that account holders may not even consider. One of the most high-profile examples of this is a terrifying reminder of how technology interacts with criminality. It was reported earlier this year that the innocuous and, until recently, harmless 'peace sign' often used in selfies could be used to steal biometric data from people in photographs. If criminals were to zoom in on the fingerprint with an HD camera, they could recreate it and gain access to a multitude of accounts protected by physical biometrics (the most popular of which are mobile phones, which can be unlocked with a thumbprint). Once biometric data is stolen and resold on the Dark Web, the risk of inappropriate access to a user's accounts and identity will persist for that person's lifetime.

So, if even this personalised form of authorisation, anchored in the physical realities of a user, can be hacked, where on earth can we go from here? The answer, many think, is to combine the two techniques already discussed with passive and behavioural biometrics.

Passive biometrics is where science-fiction plots meet reality. By understanding the way an individual interacts with their device - such as how often and where they use it, how hard they press the buttons, and at what angle they hold their phone - companies leading the way in passive biometrics can gain pinpoint-accurate insights into whether the person attempting to access an account is in fact you. This stretches to the point where, even if you provided someone close to you - a friend, relative or spouse, for example - with the relevant data to legitimately access your account, passive behavioural biometric security solutions can tell that this user wasn't you. These technologies, when combined with more traditional authentication solutions, could represent a breakthrough for the security industry in keeping our accounts safe.
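To make the "combination of approaches" concrete, here is a small added illustration (not code from the article or from any biometrics vendor) of how a login service might layer a behavioural score on top of a password and a fingerprint check. It builds a per-user profile from a handful of enrolment sessions, measures how far a new session sits from that profile, and only then decides between allowing, stepping up (for example, an out-of-band confirmation), or denying. Every telemetry value below is constructed, and the feature names, thresholds and the simple z-score distance are assumptions chosen for the example; real products use far richer models.

```python
"""Risk-based login decision combining a knowledge factor (password), a
physical biometric result (fingerprint) and a passive/behavioural score.

Added illustration; not the article's or any vendor's code. All telemetry
is constructed, and feature names and thresholds are assumptions."""
from math import sqrt
from statistics import mean, pstdev

# Behavioural features captured per session (all constructed):
#   press_force  - average touch pressure, normalised 0..1
#   tilt_deg     - average handset tilt while typing, in degrees
#   keystroke_ms - mean interval between keystrokes, in milliseconds
#   hour         - local hour of day the session started
FEATURES = ("press_force", "tilt_deg", "keystroke_ms", "hour")

# Constructed enrolment history for the legitimate account owner.
ENROLMENT_SESSIONS = [
    {"press_force": 0.42, "tilt_deg": 38, "keystroke_ms": 180, "hour": 19},
    {"press_force": 0.45, "tilt_deg": 41, "keystroke_ms": 172, "hour": 20},
    {"press_force": 0.40, "tilt_deg": 36, "keystroke_ms": 190, "hour": 18},
    {"press_force": 0.44, "tilt_deg": 39, "keystroke_ms": 176, "hour": 21},
    {"press_force": 0.43, "tilt_deg": 40, "keystroke_ms": 183, "hour": 19},
]


def build_profile(sessions):
    """Per-feature (mean, standard deviation) learned from enrolment sessions.
    The deviation is floored so a perfectly stable feature cannot divide by zero."""
    profile = {}
    for f in FEATURES:
        vals = [s[f] for s in sessions]
        profile[f] = (mean(vals), max(pstdev(vals), 1e-6))
    return profile


def behaviour_distance(profile, session):
    """Root-mean-square z-score of a session against the owner's profile.
    Values around 1 mean 'typical for this user'; large values mean the
    device is being handled in a way the owner never handles it."""
    zs = [(session[f] - profile[f][0]) / profile[f][1] for f in FEATURES]
    return sqrt(sum(z * z for z in zs) / len(zs))


def login_decision(password_ok, fingerprint_ok, distance,
                   step_up_at=2.5, deny_at=6.0):
    """Combine the three layers. Behaviour never grants access on its own; it
    only adds friction or blocks a session whose password and fingerprint pass
    but whose handling does not match the owner (thresholds are assumptions)."""
    if not password_ok or distance >= deny_at:
        return "deny"
    if not fingerprint_ok or distance >= step_up_at:
        return "step_up"   # e.g. confirm out of band with the account owner
    return "allow"


OWNER_PROFILE = build_profile(ENROLMENT_SESSIONS)


def evaluate(session, password_ok, fingerprint_ok):
    """Convenience wrapper: score a session and return the decision."""
    return login_decision(password_ok, fingerprint_ok,
                          behaviour_distance(OWNER_PROFILE, session))


# Constructed test sessions.
OWNER_SESSION = {"press_force": 0.43, "tilt_deg": 39, "keystroke_ms": 178, "hour": 20}
# Someone who was handed the password and presents a matching fingerprint,
# but holds and types on the phone quite differently and at 3 a.m.
IMPOSTOR_SESSION = {"press_force": 0.70, "tilt_deg": 15, "keystroke_ms": 120, "hour": 3}
# Plausibly the owner on an unusual day: not blocked, but worth a step-up.
BORDERLINE_SESSION = {"press_force": 0.50, "tilt_deg": 45, "keystroke_ms": 200, "hour": 14}

if __name__ == "__main__":
    for name, s in (("owner", OWNER_SESSION), ("impostor", IMPOSTOR_SESSION),
                    ("borderline", BORDERLINE_SESSION)):
        d = behaviour_distance(OWNER_PROFILE, s)
        print(f"{name:10s} distance={d:6.2f} decision={evaluate(s, True, True)}")
```

The point of the layering is visible in the decision function: a correct password and a matching fingerprint are necessary but not sufficient, because the behavioural distance can still push a session into step-up or deny, which is exactly the "friend, relative or spouse" case described above. Conversely, behaviour alone never admits anyone, so a stolen fingerprint or password remains required before behaviour is even consulted.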

So, anyone who tells you there is a simple solution to the safety of our accounts is misguided. A synthesis of the existing solutions, drawing from a wide range of disciplines, is the most plausible and most sensible answer to a problem that shows no signs of slowing down.