Stolen credentials are creating havoc in corporate IT security
According to the 2011 Data Breach Investigations Report from Verizon, “Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security.”
Verizon’s series of Data Breach Investigation Reports now spans seven years and covers over 1 700 breaches involving more than 900 million compromised records, making it the most comprehensive study of its kind.
The 2011 report looked at approximately 760 data breaches and found that hacking (50%) and malware (49%) were the most prominent types of attack, with many of them involving stolen access credentials.
The root of all cybercrime: PINs, access cards and passwords.
As in previous years, the report stresses that abuse of traditional credentials lies at the very heart of most cybercrime. It makes perfect sense that this should be the case, because anyone can use your password, PIN and card – and you can use theirs.
That last point warrants some emphasis. Your IT (information technology) password, PIN or access card is really not much more of a security measure than the pens on your desk. Just as anyone can use the pens, so, too, can they use your password or your card and PIN. Which is exactly what the cyber villains are doing.
They are doing it on a massive scale. With prices reaching $30 000 (R240 231), usernames and passwords now have the highest value per record on the cyber black market, according to Bryan Sartin, Verizon’s director of investigative response.
Apart from the fact that they are shared, lost and forgotten on a daily basis, such credentials are routinely being exploited by villains who use them to steal corporate secrets and customer data, vandalise IT systems, make fraudulent electronic fund transfers and commit a multitude of identity-based frauds.
Astonishing losses are being caused by the exploitation of passwords, PINs and cards.
Corporate cybercrime is widespread, persistent and very much here to stay. Given that the barriers to unauthorised IT access are so hopelessly weak, it is hardly surprising that cyber villains are causing such immense losses.
A report by the United Kingdom government estimated that in 2010, the cyber theft of corporate secrets cost Britain £16.8 billion. That is R187bn.
Last year, one of South Africa’s leading firms of forensic investigators estimated that white-collar crime is costing the country R150bn a year. And the world’s largest study of occupational fraud, done by the Association of Certified Fraud Examiners, estimated that organisations typically lose 5% of revenue to insider villains.
It does not matter if you think you could lose R100 or R100 million through corporate cybercrime. The fact is this: it is almost 100% guaranteed that your organisation’s loss will be caused by someone abusing an IT password, PIN or card.
How inadequate is corporate IT security? Let us count the ways...
Lost, forgotten, shared and stolen – these are the four fundamental flaws within any IT security solution that is based on passwords, PINs and cards. And this quartet of vulnerabilities represents a flaw at the core of IT security.
In addition, managing enterprise passwords wastes a ridiculous amount of money. Back in 2004, RSA Inc, the security division of IT giant EMC, demonstrated that password problems typically cost a 1 000-user organisation over R2.4m a year in helpdesk calls, wasted user time and lost productivity.
Although substantial costs are repeatedly incurred to renew lost or damaged cards and reset forgotten passwords and PINs, these incidents do not usually represent a security threat.
However, because these credentials are so easily transferred between people – through being either shared or stolen – they are routinely used to commit a full range of corporate cybercrimes.
Businesspeople go down with their businesses because they like the old way so well, they cannot bring themselves to change. Henry Ford said that. He is also supposed to have said that if he had asked his customers what they wanted, they would have said a faster horse.
Which is pretty much where we are at with IT security: we want stronger passwords that are automatically changed, or two-factor authentication with PINs and one-time PINs, or so-called smartcards with yet more PINs. Faster horses.
What we actually need is a fast, accurate, convenient and secure way to identify authorised IT users. And fingerprint biometrics can certainly give us that.
There are now over 65 000 Morpho fingerprint scanners deployed across South Africa, controlling the physical access for some 2.5 million people in environments ranging from mines to retailers and from factories to colleges. Locally, the world of physical security long ago decided that cards, PINs and passwords have to be replaced with biometrics.
Substantial investments in fingerprint-based security solutions are being made locally because it has been proven that they cut the losses caused by unauthorised access and activity.
And is that not what IT security really wants, too?
Mark Eardley
Channel Manager
SuperVision Biometric Systems (Pty) Ltd
Tel: 082 463 3060














