Just moments ago, Solutions Review reported on the Marriott breach. Easily one of the most significant and devastating of all time, the Marriott breach surprised us all. But the question is: what does it all mean? What can enterprises learn from this attack? How can they protect themselves against future breaches of this magnitude?
To gain perspective on these questions, we got the opinions of 4 security experts on the Marriott breach. Here are their thoughts, edited slightly for readability:
John Gunn, CMO, OneSpan:
The significance of the Marriott breach is not in the number of records that were compromised, that is relatively small. Its impact on the victims is much greater than the numbers reveal. It is remarkably easy to request a replacement credit card from your financial institution and you are not responsible for fraudulent activities – try that with your passport. This may be an emerging trend with hacking organizations, to target large pools of passport data. Stolen passports sell for a magnitude more than stolen credit cards on the dark web.
Michael Magrath, Director, Global Regulations & Standards, OneSpan:
The vast stores of personally identifiable data on the Dark Web continue to grow at historic rates, and fraudsters have rich resources with which to steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information. For example, the personal data obtained in one breach could be cross-referenced with data obtained from another breach and other widely publicized private sector breaches, and the Marriott breach only makes their task that much easier and more likely to succeed. Having the databases in the same place makes things even easier for the bad guys.
Cyber attacks such as Marriott’s will continue and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk-based fraud detection technologies in their organizations, but also make sure all third-party partners have equal cybersecurity measures in place.
Gary Roboff, Senior Advisor, the Santa Fe Group:
How could a breach like this continue for 4 years?
If encryption keys were compromised and payment data was in fact exposed, this could indicate that stolen credentials were released at an exceptionally slow release rate versus a “mass data dump exfiltration event” in order to make it harder for fraud and security teams to identify the kinds of patterns that would normally indicate a point of compromise.
While we don’t fully understand what happened at Starwood and Marriott, basic security hygiene requires extraordinary attention to detail and diligence. In 2014, a JP Morgan Chase hack exposed 76 million households. A single neglected server that was not protected by a dual password scheme was the last line of defense standing between the hacker and the exposed data. If diligence isn’t constant and systematic, the potential for compromise, with all that implies, increases significantly.
Bimal Gandhi, Chief Executive Officer, Uniken:
Events like this Marriott Starwood breach underscore the sheer folly of continued reliance on outdated security methods such as using PII in authentication, given the sheer proliferation of stolen and leaked PII now available on the Dark Web.
Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well. Hotels, hospitality companies, banks and eCommerce entities are all moving to newer ways to enable customers to authenticate themselves across channels, without requiring any PII.
Customer-facing commerce and financial institutions seeking to thwart credential stuffing are increasingly seeking to migrate beyond PII authentication to more advanced methods that do not require the user to know, manufacture or receive and manually enter a verification factor, in order to eliminate the ability for bad actors to guess, phish, credential-stuff, socially engineer, mimic or capture their way into the network.
Invisible multifactor authentication solutions that rely on cryptographic key based authentication combined with device, environmental and behavioral technologies provide just such a solution. By their very nature they are easy to use, issued and leveraged invisibly to the user, remove human error, and defy credential stuffing and other common attacks.