Top three ways hackers get around authentication

By John Hertrich
June 30, 2020

The cracks in the online security dam keep appearing, and we have only so many fingers left to plug them.

Despite living in the most technologically advanced era in human history, large-scale data breaches continue to grow in intensity and frequency. According to a study by cloud solutions provider iomart, the number of compromised records rose 273 percent in the first quarter of 2020, compared with the same period in 2019. Nearly 40 percent of those breaches occurred in the U.S.

More troubling is the average time it takes to identify and respond to breaches. According to the same iomart study, it took on average 187 days to identify a breach and another 59 days to contain it. Within that window, large companies suffering an incursion typically lose between 10 and 99 million records.


Criminals seek credentials

The motive for most breaches continues to be the thirst for credential information. Credential theft and errors caused 67 percent of 3,950 confirmed data breaches between 2018 and 2019, according to the Verizon 2020 Data Breach Investigations Report. Verizon states that 80 percent of all hacking-related data breaches involve stolen passwords.

Criminal hackers use a variety of techniques to get around current verification protocols involving passwords. Broadly speaking, they fall into three categories:

  1. Hacking the credential vault. An organization’s internal credential vault is a prime objective for intruders, as it contains all the passwords used for comparison during user logins. If the security configuration has been set up poorly or retains some flaws, the vault will be vulnerable. Even if the vault is fairly well locked down using best practices, it will always have a bullseye on its back as a “high-value” target.
  2. Tricking users into giving up passwords. If they can’t crack the vault itself, hackers will attack the gates leading up to it. These distributed attacks are also more successful. Instead of working hard to pick one important lock, criminals devise schemes that make the hard task of cracking millions of small locks much easier. Phishing, spoofing, and bogus phone calls are all commonly used strategies to trick users into revealing their credentials. If a criminal succeeds in convincing a recipient to click a link in an email or text message, the recipient may also inadvertently download malware such as keystroke loggers or screen scrapers. These applications transmit passwords, and much more, without detection.
  3. Network sniffing. Sniffing attacks occur when bad actors tap into public WiFi networks. Using commonly available software, crooks can grab all kinds of information, including credentials, credit card numbers and other private data. Cybercriminals are also known to create rogue access points posing as legitimate WiFi networks, enabling them to see and collect all data unsuspecting users transmit.

Distributed “trickery” techniques target millions of individuals at a time, but preventing network and vault attacks is the responsibility of organizations and businesses. When these kinds of breaches occur, the financial and legal damage can be catastrophic. Moreover, it’s an immense public image problem when organizations are compelled to ask customers to change passwords, sometimes by the millions, as the result of a direct attack.


Two factors not enough

No security solution is perfect or absolute, but organizations can take a major step forward simply by replacing the weakest link in the security chain: passwords. Spoofing, phishing, keylogging, sniffing and other forms of digital theft all target passwords. They won’t work if there is nothing to steal. Similarly, on the corporate side, doing away with passwords eliminates the need for credential vaults altogether.

Many experts believe that two-factor solutions involving SMS codes or image verification solve the password problem. But requiring two forms of verification doesn’t remove the burden on the end user. It amplifies it. In effect, users are being told, “Here’s a one-time token, but don’t get tricked into giving up your password. If you do, it’s your own fault.” The site operator is doing nothing to remove the intrusion motive.

Modern three-factor strategies, however, significantly change the paradigm. They begin with a token that 3.3 billion of us carry with us every day—our smartphones. By taking full advantage of the latest smartphone technologies, verification reaches the security gold standard of “something you have, something you know, something you are.”

Through the use of smartphone biometric scanning (fingerprint, facial recognition or, increasingly, retinal scans), users can satisfy the “something you have” and “something you are” requirements. The final component, “something you know,” is satisfied using a free mobile app.

Security apps make the verification process very simple. When the user wishes to log in to a website, the website server sends encrypted metadata to the user’s smartphone, where a multi-digit service authentication code is then generated. The code is presented to the user as a combined set of digits and an image. The same digits and image are displayed on the website being logged into, and the user simply compares the code on the phone visually with the one presented on the website. If they match, the user presses “accept” and the secure verification is complete.

An essential part of a secure authentication process is a bi-directional authentication connection. Traditionally, only the user is authenticated during verification; this does nothing to assure the user that the service provider is authentic and legitimate. Two-way, NIST-compliant security protocols, by contrast, ensure the authenticity of both the user and the service provider before secured data is exchanged.
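The matching-code flow described above and the two-way check in this paragraph, as an added illustration that is not Identité’s product or any code from the article: it assumes a per-device secret key shared with the website at enrollment, derives the digits and image on both sides with HMAC (an assumed construction), has the phone verify the server’s tag before showing anything, and has the server verify the phone’s “accept” response before completing the login.

```python
import hashlib
import hmac
import secrets

# Constructed gallery of image names shown next to the digits (assumption).
IMAGES = ["anchor", "bicycle", "cactus", "dolphin", "eagle", "feather", "guitar", "hammer"]


def _msg(label, site_id, session_id, nonce):
    # Bind every MAC to its purpose, the site and the session so a value
    # captured from one login cannot be replayed against another.
    return b"|".join([label.encode(), site_id.encode(), session_id.encode(), nonce])


def server_challenge(device_key, site_id, session_id, nonce=None):
    """Website server: issue a fresh challenge plus a tag only the key holder can produce."""
    if nonce is None:
        nonce = secrets.token_bytes(16)
    tag = hmac.new(device_key, _msg("challenge", site_id, session_id, nonce), hashlib.sha256).digest()
    return nonce, tag


def derive_code(device_key, site_id, session_id, nonce, digits=6):
    """Both sides derive the same digits and image; the user compares them visually."""
    mac = hmac.new(device_key, _msg("code", site_id, session_id, nonce), hashlib.sha256).digest()
    code = f"{int.from_bytes(mac[:4], 'big') % 10**digits:0{digits}d}"
    return code, IMAGES[mac[4] % len(IMAGES)]


def phone_receive(device_key, site_id, session_id, nonce, tag):
    """Phone: authenticate the server first; a site without the key cannot forge the tag."""
    expected = hmac.new(device_key, _msg("challenge", site_id, session_id, nonce), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # show no code for a challenge the server could not authenticate
    return derive_code(device_key, site_id, session_id, nonce)


def phone_accept(device_key, site_id, session_id, nonce):
    """Phone: after the user presses accept, prove possession of the device key for this session."""
    return hmac.new(device_key, _msg("accept", site_id, session_id, nonce), hashlib.sha256).digest()


def server_verify(device_key, site_id, session_id, nonce, response):
    """Server: complete the login only if the response was computed with the enrolled key."""
    return hmac.compare_digest(phone_accept(device_key, site_id, session_id, nonce), response)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared at enrollment (constructed)
    nonce, tag = server_challenge(key, "example.test", "sess-42")
    print("site shows:", derive_code(key, "example.test", "sess-42", nonce))
    print("phone shows:", phone_receive(key, "example.test", "sess-42", nonce, tag))
    print("login ok:", server_verify(key, "example.test", "sess-42", nonce, phone_accept(key, "example.test", "sess-42", nonce)))
```

Because the digits and image are derived from the session and site identifiers, a code shown for one site cannot be reused to approve a login elsewhere, and a challenge that fails the tag check never reaches the user.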

It’s important to note that in the security business, simplicity is as important as technology. The human factor can’t be ignored. If a solution is inconvenient, users won’t use it—or worse, they’ll find an easy way to compromise the solution altogether. The LastPass 2019 Global Password Security Report states that the average individual reuses a password 13 times—not exactly the best way to secure multiple sites.

An easy-to-use three-factor system, delivered via a connection secured through two-way encrypted authentication, is the best possible way to eliminate credential theft. It removes the weakest link, conforms to the latest standards, and removes a major source of frustration for users and organizations alike. It’s time organizations moved forward with a better, safer alternative to passwords. With the newest solutions they can end password breaches, once and for all.

John Hertrich is president and CEO of Identité, a security systems company, and Professional Software Associates, a professional engineering services organization. Over his career, Hertrich has successfully founded and/or led multiple technology companies including Zinc Software Services, later acquired by Wind River Systems.
