eBay Hack: Outdated Password System Means Huge Cyber-Attacks are 'The New Normal'
The computer password is a 50-year-old system which has become "a bit of a nightmare" and is only good for preventing "casual snooping", according to the man credited with inventing it back in the 1960s, Fernando Corbató.
Corbató was speaking prior to the latest major cyber-security breach, this time at eBay, which has once again called into question the use of passwords as a secure online verification method and has led academics and security experts to warn that massive data breaches like eBay's have become "the new normal".
EBay became the latest high-profile victim of a massive data breach when the online auction site announced on Wednesday that one of its databases had been hacked, potentially exposing details from up to 233 million accounts.
Experts have speculated that the most likely method of attack was a spear-phishing campaign, which involves targeting employees at a specific organisation with fake emails that require the worker to enter their username and password. With this information, the cyber criminal is then able to masquerade as the employee and gain access to sensitive data.
Professor Alan Woodward, head of the department of computing at the University of Surrey, believes that multi-national companies like eBay should be treating their customer data "like the Crown Jewels", but weak security protocols involving only usernames and passwords mean that not enough is being done to protect it.
"Reading between the lines of the company's brief statement it appears that employees have been hit by a phishing attack, falling for a scam and tricked into giving their credentials away," Woodward said. "If this information was only protected by username and passwords, and employees were so easily duped it really is concerning."
It is not just the log-in credentials of employees that are exploited to gain access to sensitive data: once inside a company's system, an attacker can then use customers' usernames and passwords to carry out further criminal activity.
EBay has urged all of its customers to change their passwords, though security experts have warned that simply changing a password is not going to remedy what has been widely criticised as a much deeper problem.
"The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today," said Brian Spector, CEO of CertiVox.
"This incident is just the latest in a long line of attacks that highlight the need for the wider technology industry to take another look at the methods that they employ to secure services and data."
The problem with passwords
In a recent interview Corbató said the advent of the world wide web has meant that passwords are both inadequate as a method of security verification and difficult to manage.
Corbató, credited with having created the first known computer password in the early 1960s, told the Wall Street Journal that passwords had become "a bit of a nightmare".
"First of all, we didn't foresee the current internet," Corbató said. "Passwords are not a super high level of security, but are enough to protect against casual snooping."
The fact that a technology that is over 50 years old is still being used to protect vast amounts of sensitive data makes the number of cyberattacks in recent months unsurprising, according to Maty Siman, CTO of software analysis firm Checkmarx.
"It is not surprising that eBay's site was breached, and attacks like this can definitely be considered 'the new normal', as we've seen the last few weeks," Siman told IBTimes UK. "Major organisations are compromised on a daily basis, jeopardising a huge amount of sensitive user and company information."
No clear successor
The problem at the moment is that there is nothing that has stepped in to take the place of the outdated and ubiquitous username and password system. There are many alternatives, but none are yet widespread enough to suggest that any single one will hold the key to the future of online security.
A method being currently employed by companies like Google and Twitter is multi-step verification, a system that requires users to enter a password as well as a code sent to their mobile phones.
As a result, the process becomes arduous and even more cumbersome and clumsy than simply remembering multiple passwords.
One of the fastest-rising verification methods comes in the form of biometrics. Fingerprint scanners on mobile devices are becoming more prevalent, with some smartphones even including heart-rate monitors.
Such methods inevitably raise privacy concerns and fears about the type and amount of data being stored by large companies like Apple and Samsung.
Other more left-field solutions have come in the form of pictures, tattoos and even password pills, however these methods raise numerous concerns of their own and are many years from real-world implementation.
Until a new technology emerges that is worthy and widespread enough to replace the password, it seems that log-in credentials for both employees and customers will remain one of the easiest ways for criminals to compromise companies and exploit customers' data.
It therefore seems, for now at least, that no matter how many times users are asked to change their password, it will continue to be a matter of when - not if - the next major breach will occur.
© Copyright IBTimes 2024. All rights reserved.