Toward the end of 2018, a World Economic Forum survey uncovered that the biggest concern keeping business leaders in Europe, Asia and North America awake at night is the creeping risk of cyberattack: A fear that has begun to infect every outward-looking company.
And it is not hard to see why. According to the Ponemon Institute, the average cost of a single attack in 2018 was $5m, with $1.25m attributable to system downtime and another $1.5m to IT and end-user productivity loss. This is before we even discuss the loss of credibility and trust in a brand following a substantial cyberattack – especially considering the uproar and media storm that generally follows data breaches at the tech giants we had for so long trusted.
In late 2019, the increasing threat of these attacks led Wael Fattouh, a Saudi-based PwC partner specializing in technology risk assurance, to issue a warning that cyber espionage has the potential not only to destroy businesses, but to "shutdown entire countries".
This has led to a substantial boom in businesses offering to help companies weather the upcoming cyberattack storm. Jumio, an identity-as-a-service firm, is one of these companies: it connects to products, apps or services to verify customers' real-world identities, so that companies can understand who their customers are.
In light of some of the shocking stories and statistics to have come to light over the last few years, Jumio CTO and chief scientist Labhesh Patel outlines the trends he expects 2019 will have in store.
The manufactured identity
Synthetic fraud is on the rise and it's particularly difficult to detect and defend against. It usually starts when the fraudster secures an unused social security number – typically that of a minor – and then goes about creating a fictitious identity using various pieces of real and fabricated information such as a name, birthdate and an address controlled by the thief.
The cyber thief can go through a series of steps and tactics (such as "piggybacking" or credit boosting) that can sometimes take months. But they end up creating a highly credible manufactured identity that can wreak all kinds of havoc when used to create bank accounts or defraud e-commerce sites.
Enterprise security teams usually underestimate the risk that an insider poses to the organization. According to the Ponemon Institute, the average cost of insider threats per year is more than $8m. High-profile insider attacks, such as the attacks at Tesla and Coca-Cola, are on the rise. Nuance was hit by an insider attack in which the patient records of 45,000 individuals were leaked by an insider.
The daily data breach
Let's face it, we don't even raise an eyebrow anymore when we hear that another business has been breached. Your initial thought may be: "I'm glad I'm not on the management or security team for that organization." But those breaches impact your business too. All those breached records end up on the dark web, where other cyber-baddies use that information to assume new identities that can unleash fraud on your organization. A recent report published by cybersecurity firm Shape Security showed that 80–90% of the people that log into a retailer's e-commerce site are hackers using stolen data.
The increased risk of two-factor authentication
The viability of SMS-based two-factor authentication (where a 4- or 6-digit code is sent to your smartphone to help authenticate your identity and grant access to your account) is increasingly being challenged.
Firstly, hackers can intercept the SMS messages through malware placed on your smartphone and initiate man-in-the-middle attacks. The technology is also susceptible to SIM swap attacks that enable fraudsters who have access to one other personal piece of information – like your social security number – to call your carrier and move your number to a new SIM card.
Adding more fuel to two-factor authentication's fire is a recent, massive hack of Voxox's database containing tens of millions of text messages, including password reset links, two-factor codes and shipping notifications.
The death of KBA
What street did you grow up on? What's your mother's maiden name? If you've ever been asked one of these questions while logging into a website or resetting a password, you've been subject to a form of knowledge-based authentication (KBA).
KBA is still (inexplicably) one of the most common means of identity verification. Unfortunately, thanks to large-scale data breaches and the dark web, most of the answers to those supposed secret questions are now known by fraudsters, making it easy to sidestep this type of authentication – rendering it useless.
Only about 3% of malware tries to exploit an exclusively technical flaw. The other 97% targets users through social engineering.
Social engineering is a method of deceiving people into giving you their information or exploiting their weakness – or laziness – to find that information. It is believed to be the most frequently used method to get into a corporation's network these days. So, train your people to understand and recognize social engineering attacks. You can even hire companies to launch a mock phishing attack and see who clicks on the naughty links.
The continued phishing threat
More than 90% of malware is delivered via email so it's no surprise that email continues to be criminals' go-to method for distributing malware. According to the most recent statistics from the FBI's Internet Crime Complaint Center, the most costly form of cybercrime stems from a complex type of fraud known as the "business email compromise (BEC)" scam.
A typical BEC scam involves phony emails in which the attacker spoofs a message from an executive at a company or a real estate escrow firm and tricks someone into wiring funds to the fraudsters.