Increased use of biometric security and integrated password managers will become essential as users face increasing pressure from spear phishers and other identity thieves who are increasingly running “long game” identity scams, the ANZ VP of Verizon Business has warned.
Speaking during the recent National Identity Fraud Awareness Week and just days before the likely launch of Apple’s OS X 10.9 ‘Mavericks’ operating system, ANZ area vice president John Karabin said that better password and identity management technologies were becoming the de rigeur standard in enterprises and would rapidly trickle to home consumers as awareness and usability improve.
“The use of PKI, smartcards and biometrics are all increasingly being used by our higher grade business and government type customers,” he said. “It’s an inevitable shift that we’re talking about, securing identity at both the government and consumer levels. We all grumble when we're forced to upgrade passwords, but it's enforced for a very good reason.”
The magnitude of the threat against weak access controls was highlighted in the company's Data Breach Investigations Report (DBIR), which noted over 150,000 victims of identity theft in the UK alone last year, with 75% of all fraud identity thefts having an opportunistic nature. The DBIR also found that 76% of data breaches exploited weak or stolen passwords and credentials.
"We're seeing a lot of the basic types of techniques that have been used for a long while to breach the servers or computers that people are using, and then to access that private data," Karabin said.
"People still don't set privacy security settings on their social media services; they don't use firewalls, update patches, or change passwords; and they use the same password for every single banking and online service they've got."
Apple's latest operating system, for example, will incorporate a feature called iCloud Keychain that integrates credit card and password management and encryption features into its Safari Web browser.
The situation is exacerbated by inadvertent breaches of personal information: credit-rating giant Experian, for example, was recently found to have sold bank account and credit card data – pertaining to millions of Americans – to an identity theft service that was selling the information online and was also found to have hacked into a range of bureaux storing other sensitive personal information.
This information is often packaged into identity 'kits' including extensive personal credentials, as was recently uncovered by researchers in Dell's SecureWorks security subsidiary.
Such activities reflect the increasingly sophisticated nature of identity theft, noted Rob Parker, senior security consultant with Verizon Asia Pacific. "It's a commodity in the hacker world to buy and sell malware, stolen credit cards and so on. Criminals keep inventing different ways to do this."
"But they are playing the long game more often," he continued. "They don't actually expose that your identity has been stolen, potentially, for months; they compromise a multitude of other services as they use the time to step up their theft."
Desire to strengthen the protection of such personal information was driving the obsolescence of magnetic-stripe cards, with two-factor authentication on mobile devices providing an important additional layer of identity verification for non-physical payments.
Apple, for example, recently introduced a fingerprint scanner in its popular iPhone 5s, and is expected to extend the technology to its iPad and possibly MacBook ranges in its launch tomorrow.
Samsung is also looking at the technology, with speculation about how it would acquire the technology high and Swedish authorities called in to investigate after shares in Swedish biometrics firm Fingerprint Cards jumped 50 per cent based on a press release that was subsequently proven false.
Such technologies "are appearing more common in their use," he said, "and we're starting to see that level be brought up to meet the threat".