Human Error: A Helping Hand for Cyber Criminals

Because human beings tend to be trusting and make mistakes, crooks find it quite simple to prey on naïve consumers.

The use of passwords, a fundamentally faulty strategy that was developed many years ago, has been the primary method for securing an organisation's internal systems and its customers' accounts for far too long. Despite efforts to provide better, more secure authentication mechanisms, the majority still place the onus on the user.

That onus includes keeping track of your password, avoiding dangerous phishing sites, not unintentionally disclosing your login information to attackers during a social engineering attack, and resisting the urge to open a malicious push message during a "prompt bombing" attack.

People are more aware of these issues today. However, as human beings often have a tendency to be trusting and make mistakes, crooks find it quite simple to prey on naïve consumers. 

In the contemporary era of zero trust, authentication is necessary. Nevertheless, no matter how much education we provide, expecting individuals to approach authentication with a zero-trust perspective will never succeed. Attackers simply have the advantage, even when our staff and consumers are wary and watchful.

One-time passwords, magic links, and push notifications are just a few examples of the first-generation multi-factor authentication (MFA) that attackers can now easily get around. Attackers can launch adversary-in-the-middle (AiTM) attacks by using freely available phishing kits and phishing-as-a-service capabilities. Additionally, they have methods for creating very convincing phishing emails, including the use of ChatGPT and other AI-powered tools that eliminate red flags such as spelling and grammar errors or URLs with weird formatting.

In 2022, attackers employed stolen credentials as the first attack vector in more than 75% of all cyberattacks, according to CrowdStrike's most recent research, which serves as a reminder of the severity of the issue.

The vast majority of data breaches and successful ransomware attacks start with compromised credentials, according to a decade's worth of research from the Verizon Data Breach Investigations Report. As reported by Verizon, major attacks employing a mobile or IoT device increased by 22% between 2021 and 2022, a trend that remote and hybrid working does nothing to help.

The problem is made worse by the fact that businesses need to take into account not only their own employees and customers but also the contractors and employees who make up their extended supply chain. Criminals can enter the ecosystem if users' identities are compromised anywhere in it.