Secure biometric authentication from authID stops account takeover

Sacre Bleu! Half Of France Is Breached By The Simplest Hack

How 33 Million Identities Could Have Been Spared The Risk

By Jeff Scheidel, VP of Sales

A friend of mine in Paris who owns an “appartement” (here, we’d call it a condo) recently had a new sofa delivered. It had to be brought up on a crane and pulled through the window. While this was going on, a couple of other pieces of furniture somehow walked off. Luckily he spotted them covered up in the truck and was able to retrieve them. If only all crimes in France could be that easily thwarted.

In yet another attack on the healthcare industry, two French health providers were hijacked, putting the data of tens of millions of French citizens in the line of fire. As the former Secretary General of the data protection authority admitted, France has never before been victimized by a breach of this scale. Over a five-day span, Viamedis and Almerys, organizations providing health services to French citizens, were violated through phishing assaults, allowing hackers to take over health professionals’ accounts.

The exposed data included birth date, national ID, marital status, and other sensitive items. Fortunately, no medical or bank data, mailing addresses, phone or email were taken. But any data that’s taken can always be combined with data from other sources to compile more complete profiles and do plenty of damage. Authorities in France are already warning of the increased risk of additional phishing scams, as well as social engineering, ID theft, and insurance fraud for the exposed individuals.

When you as an individual are victimized by such a scam, it’s awful. Your identity gets compromised and your assets get stolen. Terrible stuff. But when you are a privileged user, such as the health pros in this case who had access to privileged data on provider portals, you’re doing a number on everybody else. Privileged accounts are examples of what Stan Lee first wrote about Spider-Man: with great power comes great responsibility. And great risk.

It’s astounding how, in the digital age, an entire country is only as strong as its weakest link. In this case, health professionals falling for a pretty dumb hack in which they clicked on links from seemingly innocuous sources put vast numbers of people at risk. We warn people, over and over, about not clicking on such things. Don’t fall for too-good-to-be-true offers. Don’t believe out-of-band requests from what appear to be authorized people. Hover over those “from” addresses to see what’s really behind them. Don’t send money to that hot body who wants to marry you, sight unseen, but needs some crypto first so they can afford to fly into your arms. Just just just just don’t do it.

And still it happens. For all practical purposes, all of us might as well be as dumb as some of us.

We’ll never be able to solve for users’ foolishness, gullibility, naivete. It can’t be done. We will always have those among us who are just plain, well, dumb. And all it takes is a second to click on a single link that will blow up the whole enterprise, in this case half a country.

So how to solve for this madness? Easy. Just assume this stuff will happen. When a privileged user comes knocking, assume it’s not them. Make them prove themselves, even if you think they’re already logged in.

Usernames and passwords can be stolen. So can devices and hard tokens. Thieves can know what you know, and take what you have. Often, before you even discover a theft and take action, it’s too late.

But thieves can’t be YOU. This is why biometric authentication is the last, best defense against identity spoofing. Voice, fingerprint, face: these are the biometric signals that are yours to offer. And wow, that sounds easy, too. But it’s not, and here’s why. Deepfake voices can be delivered over a microphone, and they’re really, really good. I can take some samples of you doing Shakespeare or ordering a pizza, and generate a version of you asking the help desk to reset your password, or even asking your own device to let you into the system.

The most common personal device manufacturer has done away with fingerprint scans. This means that any authentication scheme requiring your thumb excludes a large share of the population.

This leaves the last, best biometric signal we have: facial. Facial recognition, in which our self-image must be validated against a previously registered capture (as well as corroborating data such as a physical identity document), is a powerful tool in safeguarding our individual accounts and assets. But it’s even more vital in protecting access for privileged users. One of the words commonly used in the various articles regarding the attack in France is “scale.” The vast scale of this breach is what makes it so horrifying. The compromise of a privileged account allows for such scale. So a solution for protecting the enterprise must also scale.

At authID, we provide the market-leading technology for onboarding users, including capturing and validating their physical ID and selfie. These are evaluated separately as well as together. We ensure that an actual, proper, legit document has been provided, by checking a variety of security markers. We then do the same with the selfie, to make sure it’s a capture of a live person, and not a photo of a picture, printout, screen, or other fake. Our liveness checks do just that, make sure you’re a warm body taking that picture, to prevent what are commonly called presentation attacks.

After ingesting the document and selfie, we make sure the image on the document matches the selfie. Only then do we say we’ve got a legit body on our hands, someone who can be registered.

Subsequently, each and every time that user returns to log in, they present their face once more, and we match that against the digital hash, or template, of the face they first provided. In this way, we know it’s still them.

And by the way, this is all done through a friendly, friction-free user experience. If you don’t make it easy, you don’t get adoption. People abandon the process. You ace out people who are less tech-savvy. So we make it simple, seamless, inviting. You want people to use a platform like ours, because we keep it secure. Users still get their access, but on terms that keep everybody safe at scale.

Deepfake faces are getting scary good. Most recently, a finance department employee at a multinational company was tricked on a conference call by what looked and sounded like – no kidding – multiple colleagues, in an elaborately clever ruse. The combination of AI-generated voices and faces fooled the employee into sending $25 million to the criminals’ account. Our patented technology roots out these kinds of fakes and prevents their access during authentication.

One more thing: if a user suffers a lockout, if for any reason their access is interrupted, they only need to once again provide their face, and they can recover that access. Password resets can not only be a hassle, they’re also chronic targets of bad guys who use dark web info to reset creds and seize control of user accounts.

Enabling facial biometric recovery not only takes a load off the help desk, it prevents situations such as what happened in Vegas last year, when two major casino operations were victims of ransom attacks after help desk personnel fell for unverified callers who asked for password resets over the phone.

French, English, Australian, American, we’re all just people who want to go about our business safely and happily. So we need safeguards in place so that all of us can be safe from some of us.

Give us a call at authID and find out why we are a leader in biometric authentication that stops account takeover with a premium on user experience.