enterprisesecuritymag

Geico Breach Exposes Customer Data

Rajiv Pimplaskar, Veridium

As TechCrunch and other outlets have recently reported, insurance giant Geico was breached, allowing fraudsters to steal customers’ driver’s license numbers for months.

In a data breach notice to customers filed with the California attorney general’s office, Geico revealed that said information gathered from outside sources was used between January 21 and March 1, 2021 to “obtain unauthorized access to your driver’s license number through the online sales system on our website.”

Geico has since fixed the security bug that let attackers steal customers' data from its website and did not disclose how many customers were affected by the breach, but under California law, companies are required to alert the state’s attorney general’s office when more than 500 state residents are affected by a security incident.

The theft of customer data from Geico is the latest reminder of the security bugs, vulnerabilities and susceptibility to credential theft and privilege escalation that are all too typical with major websites.

Traditional security approaches aren’t stemming the flow of consumer data onto the dark web. Major brands continue to be at least as worried about customer experience and preventing abandoned transactions as they are with security. They note that many consumers balk at two-factor authentication (2FA), which is also vulnerable to “man-in-the-middle” (MITM) attacks.

Identity is the new perimeter: According to Verizon’s Data Breach Investigations Report, over 80% of data breaches occur due to lost or stolen credentials. A recent ZDNet article indicates that almost half of ransomware attacks begin with cyber criminals compromising remote desktop protocol services, either by using stolen credentials, guessing default or common passwords or by exploiting unpatched vulnerabilities. Not surprisingly on the backdrop of COVID-19, KPMG’s 2021 CEO Outlook Pulse Survey indicates that global business leaders identified cyber security as the top concern affecting their growth and operations over a three-year period and was named ahead of regulatory, tax and supply chain concerns.  

Consumer businesses are struggling to retain and attract new customers across mobile and online channels while simultaneously balancing the need for higher security and regulatory compliance.  Typical 2FA relies on a username and password combination as the first factor followed by a Time-based One Time Password which could be a 6-digit PIN that is typically sent over SMS. This method is inherently not secure as it’s vulnerable to MITM attacks. The National Institute of Standards and Technology (NIST) has indicated that while 2FA with SMS is more secure than just a password by itself, it’s still not good enough.

COVID-19 has also resulted in the abrupt shift to remote work and companies need to be vigilant about securing their own employees. The corporate workforce is increasingly heterogeneous, spanning both employees and contractors across various partners, vendor and global supply chain relationships.  Several of these partnership interactions are transactional, have high flux and require different levels of access based on their unique roles. The governance, risk and compliance(GRC) profile of a remote contractor is quite different when the individual is now operating from an unsecured and uncontrolled environment. 

Eliminating “first factor” passwords is the new paradigm

The core issue in both scenarios is that passwords constitute the weakest link and adding more factors doesn’t eliminate this vulnerability. Thus, the best solution is to eliminate our fundamental dependence on passwords as the first factor.

Companies can and should embrace passwordless methods such as “phone as a token” or FIDO2’s strong, passwordless authentication to improve website security and reduce dependence on passwords. FIDO2 is the set of standards and protocols developed by the FIDO Alliance and the World Wide Web Consortium (W3C) to strengthen website authentication. The added benefit is that such technologies are easier to use, providing a better overall user experience.

Passwordless authentication options for consumers could include use of “phone as a token” where a trusted relationship is established between the individual and their enrolled mobile phone. Phone manufacturers and versions can be managed as part of a “allow / deny list” and potential issues such as jailbreak can be detected. Upon securing consent, the security level could be dynamically adjusted depending on the individual’s geolocation and/or behavior which improves protection for the consumer and employee as well as the company. For private or secure environments like clinical settings or contact centers where a phone may not be feasible, FIDO2 security keys could be an efficient alternative. 

Several passwordless solutions are available that come bundled with hardware and operating systems(like Windows Hello for Business) or even as part of single sign-on vendor capabilities. However, both of these tend to have limited application and cannot work across multiple use cases. Pure play passwordless companies tend to offer the best capabilities and are seeing rapid market adoption. Key considerations for going passwordless include enabling a broad choice of authentication methods, conditional access capabilities, full transparency and control to the security team, as well as an orchestration engine that can be used to effectively manage user journeys.