UK and U.S. warn APTs target healthcare and essential services just in time for World Password Day
A joint advisory has been issued by authorities in the U.S. and UK about advanced persistent threat (APT) groups carrying out cyberattacks on healthcare and essential services organizations, including password spraying.
The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) issued the warning, which describes the targeting of pharmaceutical and research organizations and the methods used in the large-scale attacks observed. Password spraying is a brute force attack in which the attacker tries a single commonly used password (think “qwerty” or “1234546”) against many accounts before moving on to another password. Because each account sees only one attempt per password, the technique avoids triggering account lockouts, which makes it more difficult to detect.
The NCSC and CISA previously reported in April that cybercriminals and APT groups were attempting to exploit the COVID-19 pandemic. That report mostly focused on phishing and other attacks against individuals and businesses.
The agencies recommend using multi-factor authentication (MFA), among several measures outlined at the end of the new six-page report to mitigate password vulnerabilities.
New research on the practices and vulnerabilities associated with passwords, and on how biometrics are being used to replace them, has been published by several companies in anticipation of World Password Day, which falls on May 7, 2020.
Many consumers know generally what the right password and account security practices are, but relatively few actually follow them, according to the new LastPass Psychology of Passwords 2020 report. Two-thirds of people reuse passwords, the report shows, despite 91 percent claiming they know this kind of behavior creates risk. More than half of respondents have not changed passwords in the last 12 months, even after hearing about a data breach in the news. Fear of forgetting is the main reason people decline to change passwords, even though the report also indicates many people are simply comfortable with regular password resets.
More than three-quarters of people surveyed from six countries on five continents said they feel informed about password best practices, but more than a quarter write them down.
Rising awareness and use of MFA are identified as bright spots in the report, and 65 percent of those surveyed trust fingerprint or facial recognition more than text passwords.
Not only do people frequently reuse passwords, they also share them, and even biometric credentials like fingerprints or facial recognition for smartphone access are frequently shared, the SecureAuth 2020 State of Identity Report suggests. A mere 46 percent of the survey’s U.S. respondents say they have never shared biometric access, and only two-thirds say they have never shared their work email password.
The report also shows that although 51 percent of consumers are using biometrics, less than one in three say they are comfortable sharing biometric data with companies they buy from or the government.
This despite Americans abandoning a purchase because of a forgotten password 16 times a year, or once every three weeks on average, according to research from iProov. For people in the UK, the average time between abandoned transactions is slightly higher, at 24 days.
“Everyone knows that passwords are not secure. But the solution that is being applied to weak password security is to make passwords more complicated. Perhaps that’s why half of Americans have abandoned online purchases in the past year and businesses have lost millions of dollars–we just can’t remember our passwords,” explains iProov CEO and Founder Andrew Bud. “Imagine a world in which you never forget passwords because there aren’t any. You simply authenticate yourself with biometrics–it remembers you even when you haven’t visited a site for months, providing exceptional usability and outstanding security to remove the frustration with passwords and make everyone’s lives better.”
Businesses already have the tools available to them to make this vision a reality, at least according to some in the industry.
“For many digital-ready businesses who already have mobile apps, it’s relatively straightforward to include a software development kit that facilitates biometrics,” writes GBG General Manager of Identity Fraud Propositions for Europe, Gus Tomlinson, in an emailed statement. “Often, when interacting and establishing trust with an identity online, having independent and reliable data to check against for certain demographics is a challenging, yet crucial, part of the puzzle. Biometrics, especially facial (when compared to a valid photo ID), enables businesses to verify a large range of the population, even in today’s uncertain climate.”
In the same vein, Acceptto Principal Security Architect Fausto Oliveira says passwordless authentication is not a future approach but what is needed to prevent security incidents, 80 percent of which involve credential hacking.
“In general, any binary authentication, such as passwords, two-factor authentication (2FA) and some multi-factor authentication (MFA), including biometrics, are susceptible to fraud due to their binary nature,” Oliveira writes in an emailed statement. “The industry needs to move away from passwords and start adopting passwordless solutions that do not treat authentication as a single event with a simple yes or no at point of entry, but as a continuum where user good behavior is constantly verified. It’s time to finally make World Password Day a thing of the past.”