Is This Really the End of User Name and Password
- Posted by Karine Regev
- Feb 10, 2015
- 2 min read
TIME journalist Massimo Calabresi wrote a very interesting article yesterday about the recent Anthem breach and the effect that it and other major hacks might have on current security protocols.
It seems that in the Anthem case, hackers were able to obtain the user name and password of a senior employee to enter the system and steal the personal data of some 80 million people. Although Anthem had invested significant resources in cyber defense, the authentication methods it employed were lacking, ultimately allowing the breach.
This most certainly isn’t a unique incident. We keep seeing the same scenario repeat itself: huge corporations that spend significant resources to combat cyber threats are being breached over and over. Why?
The answer, at least in part, is that current security measures just aren’t providing adequate protection for susceptible sectors, specifically banking and insurance. Although the TIME article states that most experts agree that username and password security alone is not enough to combat hackers, we’d go one step further and say that even multi-factor authentication, which covers a number of ways companies authenticate a user’s identity such as SMS codes, security questions, fingerprints or other traditional biometric authentication, is also not an ideal solution. All these methods look at what the user has or knows instead of who the user is.
What we need is a paradigm shift. The focus should no longer be on information that users possess or on traditional biometric markers that can be stolen (as was the case in the recent incident in which a German government minister’s fingerprint was taken from an online photo), but rather on their behavior, which cannot be stolen or duplicated. Behavioral biometrics requires no user involvement and runs “behind the scenes,” comparing a user’s behavioral parameters in the active session with those exhibited in previous sessions. It records the general behavioral patterns of an online user while they interact with a website or mobile application, and can take into account a number of metrics such as the speed with which somebody types and clicks, how the device is held, how the cursor is moved, etc.
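To make the “compare this session with previous sessions” idea concrete, here is an added example (not code from the original post or from any vendor product) that enrols a per-user profile from a few sessions and scores a new session by how far its typing rhythm and cursor speed drift from that profile. The session telemetry, the 5% spread floor and the z-score threshold of 3.0 are constructed assumptions for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data (not real telemetry): each session is
# (inter-keystroke gaps in ms, cursor-speed samples in px/s).
ENROLLED_SESSIONS = [
    ([120, 130, 110, 140], [300, 320]),
    ([125, 140, 110, 145], [310, 330]),
    ([115, 120, 110, 135], [290, 300]),
]
GENUINE_SESSION = ([122, 132, 112, 142], [305, 315])   # same rhythm as before
IMPOSTOR_SESSION = ([60, 65, 55, 70], [600, 650])      # valid password, different person

def session_features(keystroke_gaps_ms, cursor_speeds):
    """Summarise one session into behavioural metrics."""
    return {
        "typing_gap_mean": mean(keystroke_gaps_ms),   # typing speed
        "typing_gap_sd": pstdev(keystroke_gaps_ms),   # rhythm regularity
        "cursor_speed_mean": mean(cursor_speeds),     # how the cursor moves
    }

def build_profile(sessions):
    """Per-metric centre and spread over the user's previous sessions."""
    feats = [session_features(gaps, cursor) for gaps, cursor in sessions]
    profile = {}
    for name in feats[0]:
        values = [f[name] for f in feats]
        centre = mean(values)
        # Assumed floor: keep the spread at >= 5% of the centre so a metric that
        # happened to be constant during enrolment does not make z-scores explode.
        spread = max(pstdev(values), 0.05 * abs(centre))
        profile[name] = (centre, spread)
    return profile

def anomaly_score(profile, session):
    """Mean absolute z-score of the session's metrics against the profile."""
    feats = session_features(*session)
    zs = [abs(feats[name] - centre) / spread
          for name, (centre, spread) in profile.items()]
    return sum(zs) / len(zs)

def is_consistent(profile, session, threshold=3.0):
    """True when the session behaves like the enrolled user (threshold is assumed)."""
    return anomaly_score(profile, session) < threshold

PROFILE = build_profile(ENROLLED_SESSIONS)

if __name__ == "__main__":
    for label, s in (("genuine", GENUINE_SESSION), ("impostor", IMPOSTOR_SESSION)):
        print(label, round(anomaly_score(PROFILE, s), 2), is_consistent(PROFILE, s))
```

A real deployment would use many more sessions and metrics, and would treat a high score as a signal to step up verification or alert rather than as proof of compromise on its own.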
While New York State regulators are now contemplating imposing new cyber security regulations on specific industries, ultimately paving the way for other states to follow suit, it would be wise to consider stronger authentication measures which can serve to protect employees and consumers, and reduce the massive breaches that unfortunately seem to be a common occurrence these days.