Were Weak Passwords a Problem in Recent Data Breaches? Usernames May be a Bigger One

Researchers at Dartmouth College’s Institute for Security, Technology, and Society (ISTS) are exploring the weak links, vulnerabilities and economies of scale that have led to the data breach epidemic. They are urging organizations to stop authenticating employees and customers with vulnerable legacy identity schemes based on username and password combinations, and to replace them with stronger identity technologies that are opaque to attackers.

The year-long research project, funded in part by the New Hampshire Innovation Research Center (NHIRC), is a partnership between the ISTS at Dartmouth and Manchester-based WWPass, an information technology company that has developed new and innovative ways to manage and protect an organization’s private and confidential information.

The NHIRC Granite State Technology Innovation Grant focuses specifically on data breach prevention for the healthcare industry, but the findings are applicable across all industries.

“When it comes to organizations trying to keep their data private, attackers always seem to win, no matter if the target is a security company like RSA or an entertainment giant like Sony, a regulated health provider like Anthem, a mass retailer like Target or Home Depot, or a leader in technology R&D like Google,” said Professor Sergey Bratus, Dartmouth’s lead researcher on the project. “There’s even worse news: breaches have become merely a matter of scale; it appears that if attackers can scale up their effort they win, no matter how unsophisticated they are.”

“Organizations have long relied on usernames and passwords to authenticate employees and customers, but those methods have failed over and over again,” an announcement said, noting that, “Even using second-factor authentication methods to thwart attackers does not seem to have turned the tide. Usernames are problematic because they are guessable and allow attackers to scour the victim’s social media accounts and public records; e.g., knowing an employee’s email will likely lead an attacker to his or her Facebook account and a wealth of other private data. Not surprisingly, according to Verizon’s 2014 report, 76 percent of data breaches occur due to attackers gaining access through stolen user credentials.”

A February 15 report by Bratus and WWPass Founder and CEO Gene Shablygin outlined the importance of eliminating usernames and second-factor authentication methods in favor of non-guessable authentication methods such as token authenticators or secure mobile apps. They said cyber criminals are more sophisticated than the technologies used by most organizations, and it’s time for that to change.

The elimination of traditional username and password combinations has also received support from notable public figures, including New York’s top banking regulator, Benjamin M. Lawsky, New York’s superintendent of Financial Services, who said in a February 2015 speech at Columbia Law School: “The password system should have been dead and buried many years ago. And it is time that we bury it now.”

“Further complicating data security is the issue of economies of scale,” the announcement stated. “Organizations guard against account compromise by checking the strength of their employee and customer passwords, or by requiring several modes of authentication on accounts they control. However, accounts are all too often compromised outside of an organization’s control when hackers gain access using accounts shared by the same person or on the same computer. Once hackers gain access to one person’s account information, they can use ‘side hops’ or lateral movements to access other information. It takes only one compromised username and password from one employee to wreak havoc on a major company.”

“Scaling and meshing of everyone’s network activities and authentications has shifted the advantage to the attacker. The web of weak accounts makes it too easy for attackers to navigate from victim to victim,” Shablygin said. “We must make it harder for attackers to select and leverage the next round of targets. The only way to beat the scaling effects and end the epidemic of account breaches is to reduce this plethora of weak links by eliminating the use of usernames and passwords.”

The joint research project is expected to conclude in June. It is funded with a $33,000 grant from NHIRC and a company match from WWPass of $33,000. Additional findings and recommendations will be released as research continues.
