Authentication Critical In Cyber Security War

The business world is at war, not only with competitors, but a war to secure access to their information and applications.

February 19, 2013

The business world is at war, not only with competitors, but a war to secure access to their information and applications. The unfortunate reality is that while business leaders know they are at war, they are prepared to tackle a highly skilled and motivated enemy with inferior weapons and tactics.

“Just last year R42 million was stolen from Postbank over three days due to cyber fraud and millions have been lost in other frauds for similar reasons,” says Hedley Hurwitz, MD of Magix Security. “The primary reason is that organisations are happy to authenticate people by means of virtual identities, i.e. passwords, pin numbers, etc.”

Passwords and PINs (personal identification numbers) are seen as an acceptable way to control the access people have to sensitive applications. The idea is that if you enter the right PIN and/or password, you must be the right person to authorise a transaction.

“This is simply not true,” explains Hurwitz. “PINs and passwords can be stolen, guessed, bought or cracked, so organisations only approximate the identity of the user, they do not authenticate.”

Your average CEO or CIO would be very angry if their bank allowed someone else to withdraw money from their account, giving the excuse “well we thought it was you”. However, this is exactly what these executives are doing in their own companies.

Noting the importance of reliable authentication, The South African Cyber Threat Barometer 2012/3 notes: “Although software and security technology has improved, logon credentials are the main information asset targeted or compromised during a cyber attack.”

This is simply because once you have an individual’s login credentials, the system assumes you are that person and assigns you the rights that person has.

If you want to authenticate an identity, you need to have a foolproof method of proving the user is who they claim to be. Knowing a password proves you know a password, not that you are a particular person. Fortunately, proper identity authentication is actually quite simple to achieve these days through biometric technology.

“Biometrics has advanced to the stage where it is fast, reliable and almost impossible to crack,” adds Hurwitz. “This is proven in the fact that South Africa is one of the most advanced countries in the world when it comes to biometrics, with millions of blue- and white-collar employees authenticating their identities each day on various biometric devices.

“More importantly, you can’t lose or forget your fingerprint, face or palm at home, so you never need help in gaining access to everything you are authorised to. Put simply, biometrics takes the war to the criminal by enforcing strict identity authentication that can’t be cracked by staring over someone’s shoulder while they type in a password.”