By Brittney Liburd, Senior Product Manager, authID.
It’s time for the market to do something about incomplete MFA for consumers.
What Happened During the PayPal 2023 Hack?
In early December, PayPal identified unauthorized access to users’ accounts. Only now, more than a month later, are users receiving notifications about the breach. This incident is worth discussing because it exposed lifetime data, such as dates of birth and social security numbers, that fraudsters will be able to use for years to come. In addition, breaches like this one do not compromise company systems, yet they cause consumer agony, distrust, and negative press. This is a clear signal that CIAM needs to catch up with modern IAM and better protect individual users with stronger, more secure authentication.
For decision-makers in CIAM (customer identity and access management), this blog post should be of particular interest, as we cover the facts of the PayPal hack and what it means for your cybersecurity strategy through 2023 and beyond.
Without Strong Authentication, Hackers Got Unauthorized Access to PayPal Accounts
Credential stuffing attacks hit PayPal users. What are credential-stuffing attacks? Credential stuffing uses reused passwords that were found, stolen, or bought from previous breaches. These username/password pairs are entered repeatedly, against many accounts, until one of them gives the bad actor access. The compromised PayPal users were likely not using unique passwords online. Rather, the victims probably created the same ‘credential plus password’ pair across multiple accounts and sites. This weak password-reuse practice enabled the hackers to brute force their way into nearly 35,000 PayPal accounts.
These 35,000 accounts exposed addresses, SSNs, dates of birth, and other highly sensitive information to bad actors, who now have a treasure trove of lifetime data that can be sold online or used by the thieves to commit more unauthorized access, account takeover, and fraud.
Without MFA, accounts are most vulnerable since passwords are too easily stolen and shared, and are the weakest form of authentication.
PayPal Responded With Monitoring and Support for Breached Accounts
Though this attack occurred between December 6, 2022, and December 8, 2022, PayPal did not discover the breach until December 20th, and then did not notify users until almost a month later in January. In addition, PayPal reset all passwords for impacted accounts and is providing affected customers with identity theft monitoring services via Equifax for the next two years.
But is it enough? Password resets and ongoing monitoring are great, but shouldn’t PayPal and other consumer-focused organizations focus on preventing successful attacks in the future? And if so, how?
In 2022, Microsoft reported that only 22% of its Azure Active Directory (AD) customers had used a multi-factor authentication solution to secure their accounts in the previous year; market research has pointed, year after year, to user experience as one of the prime drivers of MFA resistance among users. Given the choice, users often forgo MFA because of the added friction.
4 Things PayPal and All Consumer-Focused Organizations Can Do To Prevent Credential Stuffing and Account Takeover
- Remove passwords from the authentication workflow. When you eliminate passwords from the authentication workflow, you remove the most common vector for a data breach. Use policies and controls that prevent and cap repeated login attempts.
- Do your research! Not all passwordless solutions are the same. The most popular MFA solutions are phishable and/or susceptible to prompt bombing and other attacks that exploit human behavior or thought processes.
- Find the best user experience, then strongly encourage MFA. Users hate the legacy MFA experience, where multiple devices and texted or emailed OTPs add friction. Find solutions that don’t sacrifice CX for security or vice versa. For example, Verified™ can be delivered seamlessly in a browser on any mobile or desktop device. If users are reluctant to add MFA, make repeated efforts to educate them and convert them into MFA adopters.
- Use human factor authentication (HFA). You can’t stop users from using the same password across accounts and sites, but you can make the password obsolete. You cannot force users to ignore the MFA prompts that make prompt bombing work, but you can remove prompts from the workflow and close that avenue of compromise. To prevent unauthorized access, account takeover, and fraud from credential-based attacks such as credential stuffing, consider the human factor of authentication.
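As an added example, not code from authID or PayPal, the following Python shows what the credential-stuffing pattern described above looks like in an authentication log and how a cap on repeated login attempts per source can be applied; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: "<ISO timestamp> <source ip> <username> <result>".
# The first IP sprays one attempt per account (the stuffing pattern); the second is one
# user who mistyped a password once and then signed in normally.
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice FAIL
2022-12-06T10:00:02 203.0.113.7 bob FAIL
2022-12-06T10:00:03 203.0.113.7 carol FAIL
2022-12-06T10:00:04 203.0.113.7 dave FAIL
2022-12-06T10:00:05 203.0.113.7 erin SUCCESS
2022-12-06T10:00:06 203.0.113.7 frank FAIL
2022-12-06T10:05:00 198.51.100.9 alice FAIL
2022-12-06T10:05:30 198.51.100.9 alice SUCCESS
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.3):
    """Flag source IPs that hit many distinct accounts with mostly failures inside `window`.
    Thresholds are assumed, illustrative values. A user retyping a password touches one
    account; stuffing sprays leaked pairs across many, so distinct usernames per source
    is the telling signal rather than the raw failure count."""
    by_ip = defaultdict(list)
    for t, ip, user, ok in events:
        by_ip[ip].append((t, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        for i, (start, _, _) in enumerate(attempts):
            span = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in span}
            success_ratio = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and success_ratio <= max_success_ratio:
                flagged[ip] = sorted(users)  # accounts whose leaked credentials were tried
                break
    return flagged

def should_block(events, ip, now, cap=5, window=timedelta(minutes=15)):
    """Cap repeated attempts per source: True once `cap` attempts fall within `window` of `now`."""
    recent = [t for t, src, _, _ in events if src == ip and now - window <= t <= now]
    return len(recent) >= cap
```

The successful login for "erin" inside the spray is the kind of hit the attack is after, which is why the detector keys on distinct accounts per source rather than waiting for a lockout on any single account.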
Wait, What is HFA?
Human Factor Authentication™ or HFA eliminates passwords by combining FIDO2 (Fast Identity Online) passwordless authentication with biometric certainty to identify the human behind the device. As a hybrid approach to MFA, HFA combines what the user has with who the user is, the proven way to combat the prevalent threats facing organizations today.
Device possession is proven using FIDO2 passkeys, an open standard that combines a cryptographic key stored on the device with device-based biometrics or a PIN. For account activity where stronger identity assurance is needed, user identity is verified using a cloud selfie bound to the user’s identity. Combined, these two factors provide high assurance of the user’s identity, moving organizations further along their Zero Trust journey more efficiently than a rip-and-replace approach.
HFA removes passwords and other phishable factors from the authentication workflow, thereby closing the most used vectors for unauthorized access and significantly reducing the incidence of successful account takeover.