The recent cyber attack on a US state government, the largest ever of its kind, shows that attacks on third-party credentials, which can be used in identity theft fraud, are becoming more and more commonplace.
The problem, says Andy Kemshall, chief technology officer at SecurEnvoy, is that public sector organisations in the US hold a lot of identity information on citizens in their databases, including payment card details.
“US credentials such as the person’s social security number, name, address and payment card details, are pure gold when it comes to identity theft information, which has now become a global cybercriminal commodity business,” he said.
“The South Carolina state computer system hack is notable for the volume of data – 3.6m social security numbers and 387,000 credit plus debit card credentials – that were stolen, and which can be used by cybercriminals to create cloned payment cards and apply for credit plus bank accounts in the victim’s name,” he added.
Even at a conservative rate of $3.00 per card information set, that means the cybercriminals could grab more than a million dollars by selling on the credentials they stole in this data theft, he explained.
More than anything, the SecurEnvoy CTO says, this highlights the immense profits that can be derived from a short period spent targeting and hacking a public sector computer system, after conducting reconnaissance using an automated set of hacking tools to probe likely IP addresses on the Internet.
And coming against the backdrop of the NHS having lost 1.8 million sets of patient records in the last year, he notes, there is a big question mark hanging over the security of government systems, which could be targeted in a similar fashion to what is happening in the US.
The NHS, he adds, has come in for understandable criticism for its data losses over the years, as have several councils, but given the fact that the government – at both local and national levels – is short of money in these straitened times, IT professionals in the public sector clearly do not have the security resources that are available to the private sector.
Given the widespread ownership of mobile phones – with almost every adult now carrying one in their jacket pocket or purse – Kemshall says there is a strong argument for harnessing the mobile as a means of authentication when accessing data on a public sector computer system.
This is what security experts call tokenless two-factor authentication (2FA): it secures an IT interaction with ‘something you have’ (the handset) and ‘something you know’ (the challenge authentication data) across an easy-to-use system (the mobile network).
“Implementing tokenless 2FA using a mobile is a very easy and low-cost way of securing access to large data repositories in the public sector, both with employees and members of the public, where appropriate. This contrasts with the relative insecurity of conventional ID/password credential-based systems,” he said.
“We call this BYOT – Bring Your Own Token – and it means that organisations gain access to a secure authentication methodology without all the expense and administration involved with hardware tokens, while still retaining all the convenience and security,” he added.