MyCena® Blog - Page 14 of 43

The Fast Identity Online (FIDO) Alliance is aiming to remove the use of passwords to gain access to online accounts. The group includes tech giants like Microsoft, Apple and Google, and intends to go passwordless – using PINs, biometrics, and phone identification techniques instead. But this approach could be flawed. Julia O’Toole, Founder and CEO of MyCena Security Solutions, highlights the misguided nature of FIDO’s approach. “In the physical world, the difference in applications is straightforward. Your identity is used to identify yourself…it just validates that you are who you say you are.” She adds, “By contrast, your front door doesn’t recognise your identity; instead, you use your keys to unlock access.” By conflating the two behind a single point of access, FIDO’s approach could mean a user loses all of their accesses at once and is exposed to easy theft.

The European Union (EU) has agreed to new rules aimed at tackling cybercrime. The announcement, made on 13 May, came after long consultations on the contents of the deal. The updated legislation will be known as NIS2, and aims to increase cooperation and resistance to cyberattacks across EU member states. There are also updated incident reporting obligations, especially for the banking and essential services sectors. This is an update to the previous rules, where countries could choose what they classed as “essential” when reporting incidents. The new legislation instead clarifies the rules, placing responsibility on every critical sector to protect, report, and update authorities at every step.

Britain’s cybersecurity unit faced a record number of scams in 2021, a report has revealed. The National Cyber Security Centre (NCSC) reported a total of 2.7 million cases of attempted fraud. Common among those were various phishing and social engineering attempts, fake celebrity endorsements, and extortion emails. The aim of the vast majority of these scams was to harvest credentials or trick victims into downloading malware. One scam in particular saw a huge rise in numbers: the number of fake emails claiming to come from the National Health Service (NHS) grew by 1,100%, reflecting the COVID-19 vaccination rollout programme. The NCSC intends to run a public awareness campaign designed to inform the public of the dangers when using the internet.

The new Costa Rican government is on the verge of collapse following a massive ransomware attack. A ransomware gang that infiltrated Costa Rican government systems and obtained sensitive data has now said it intends to overthrow the government. President Rodrigo Chaves has only just come to power, perhaps adding to the attackers’ confidence. The Russia-based Conti gang, responsible for a number of high-impact attacks, raised its ransom demand to $20 million in an effort to scare Costa Rica into action. Chaves announced that Costa Rica is now “at war”, and has declared a national state of emergency. It’s thought the gang has access to at least 27 government databases, and has warned it will escalate the attack if payment is not made soon.

A cybersecurity expert has warned that ransomware gangs are investing their ill-gotten gains into making attacks more dangerous. Mikko Hyppönen, Chief Research Officer at WithSecure, declared that, until now, cybersecurity teams had the help of artificial intelligence systems designed to prevent attacks. Now, however, he says that criminals might be reinvesting their ransom gains to hire experts of their own. “Some of these groups have so much cash — or bitcoin, rather — that they could now potentially compete with legit security firms for talent in AI and machine learning”, he added. Hacker gang Conti, for example, earned around $180 million in cryptocurrency ransoms in 2021. Some of these profits are now being invested in AI expertise, zero-day exploits, and elite penetration testers. According to Hyppönen, this could create the most significant security threat in years.

Passwords are not as secure as many think – and it’s best if we don’t even know them. In a recent podcast, Julia O’Toole covered the weaknesses inherent in passwords – such as loss or theft – and steps that institutions should take to improve their defences. “There’s a big confusion in business in general, between authentication and identification,” said O’Toole, “but the confusion has really created a mismatch of solutions, which amplify the problem of access insecurity. So, when it comes to authentication itself, the misconception about passwords is that you actually need to know them.” By segmenting systems, taking password management out of users’ hands, and using proper authentication, companies can defend against the disastrous consequences of password loss. “No one needs to know a password ever”, O’Toole concluded.