Stolen Employee Access Password

By Henry Bagdasarian

According to a few research studies, stolen employee access credentials is by far the leading cause of system hacking cases and data breach incidents which will cost businesses about $2 trillion by 2019. In fact, employee error is responsible for 90% of cyber attacks according to leading industry and government reports. The most common type of employee error is falling prey to a low cost method used to steal sensitive information called phishing or spear phishing when such attacks are a bit more sophisticated and targeted. This method is often a fake email asking potential victims to click a URL and fill out a form on a fake website or click on attachments and links which download malware onto the users’ computing devices leading to unauthorized access, private data theft, stolen intellectual property, and interruption of operations. When successful, this sophisticated attack makes employees (or any other computer user) to unwittingly give away privileged system access credentials and other sensitive information to hackers which facilitate system hacks.

Consider the following survey results regarding password:

  •  Some employees are prepared to sell their password for as little as $150,
  •  More than 20% of employees routinely share passwords with each other,
  • Majority of users use bad passwords such as “123456” or “password”,
  • 56% re-use their passwords across personal and corporate accounts.

The Bad Bews

The bad news is that organizations still allow employees to use passwords for accessing systems, and rely on employees to protect the sensitive passwords. Chief Information Security Officers must constantly worry about training users and launching phishing campaigns to test the knowledge of their employees in identifying, neutralizing, and reporting phishing attacks. It is not the best security option to leave security matters in the hands of unqualified persons. 

The Good News

The good news is that organizations and their CISOs have the option to leave users out of the information security business by forcing the policies through system configuration and not let users make any security decisions such as blank or 1 character passwords with weak system security configurations. With advances and cost reduction in identity and access management technology, organizations have now the option to deploy other technologies such as biometric authentication and use the person’s characteristics to identify and authenticate the person.

Password Alternatives

Two Factor Authentication

Two-factor authentication of 2FA requires users to enter a unique code sent to a second email address of mobile number to be used along with the password for access. However, even when multi-factor authentication is used in some cases such as privileged account access, when password is one of the authentication components, the security of the system is reduced.

Personal USB key

Users simply plug in the USB key into the PC and the profile is loaded to grant access. A browser such as Chrome can be configured to work with USB keys and store all online logins within the master key which means no more memorizing and using passwords in ways that would jeopardize security.  

Virtual Token

Similar to the USB concept presented above, this password alternative requires employees to carry a piece of pre-recorded information with them which can be incorporated into the smartphone and mobile apps that display a temporarily-generated, unique image on the phone screen that users can hold up to the webcam to authenticate. The image can’t be stolen as each one is randomly generated and lasts for a limited time.

Biometric Options

As mentioned above, biometric authentication uses a person’s characteristics to identify and authenticate the person. Biometric technology is advancing rapidly and the market for biometric systems is estimated to increase from $10.74 billion in 2015 to be worth $32.73 Billion by 2022 .

The list of biometric authentication options includes:

  • Face recognition,
  • Finger print and geometry although it is easier to copy or steal a finger than other human parts,
  • Hand geometry,
  • Ear geometry by simply pressing it against the phone screen during a phone call. No two ears are alike even on the same person,
  • Eye iris or retina recognition,
  • Gait or behavioral biometric,
  • Heart rhythm can be used in wristbands and other devices for wireless identification to the computer, cars, house, and in stores for making payments with NFC interface,
  • Butt biometrics can be used to authenticate a user by the way they sit. This technology can be used in cars to start the car and adjust car preferences automatically,
  • Nose can be used to identify a person as it is a distinct human feature although it is often surgically modified and rendered useless for authentication,
  • Vein matching also uses a finger or a palm, but provides a few additional security benefits through vein analysis of only alive persons which makes it difficult to fake,
  • Sniff test although in early stages with 10% failure rate can filter out smells like hand cream or changes in odor caused by diet and disease with an artificial nose to identify a person.

Get certified in identity and access management.

Identity Management Certifications

Identity Theft Courses