Target, Dead Passwords & Two Factor Authentication

    December in Review: Target, Dead Passwords & Two Factor Authentication

    Happy New Year! For many people, the New Year is time for a fresh start, both in their personal and professional lives, but before we let 2013 fade completely from our rearview, let’s take a look back at the month of December and see what we can learn.

    The Big Story: The Target Breach

    From a data security standpoint—and the standpoint of nervous consumers throughout the country—the credit breach at Target was one of the biggest stories of the month, if not the entire year. According to investigators, cyber-thieves stole the credit card information for up to 40 million accounts in an attack that spanned the months of November and December. According to the Associated Press, “The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the backs of cards.”

    While Target won’t say how this breach occurred, there is still much to learn from it. Perhaps most importantly, exposing your customers’ sensitive financial information at the height of the holiday shopping season isn’t very good for business. Again, from the Associated Press:

    “Litan added that the company could also face class action lawsuits from consumers, though most of them will be meritless, and fines from federal agencies. When combined, the costs of the breach could be so steep that they actually prompt Target to raise prices, she says.

    ‘The real winner in this is Wal-Mart,’ she says.”


    My Take

    Most of the businesses I work with (and the businesses they work with) are much, much smaller than Target, but I think this unfortunate episode really demonstrates why the Payment Card Industry (PCI) is so serious about protecting credit card and debit card information. Businesses of any size face serious consequences when they betray their customers’ trust and let their personal payment card information fall into the wrong hands.

    We don’t know exactly what went wrong at Target but you can be sure of this: If there is any chink in your data security armor, cyber criminals will find their way through it. Passwords are often a weak spot. They may not have been the problem at Target but they might be the problem at your business. Make 2014 the year you tighten up your password practices or—if you’re an MSP—the year you help your clients tighten up theirs. It’s a good idea all around: for security, customer confidence, and regulatory compliance.

    Are Passwords Dead?

    Some media outlets took advantage of the end of the year to claim the death of passwords. InformationWeek did it (“2013: Rest In Peace, Passwords”) and so did CTV (“Will 2014 be the beginning of the end for the password?”). This is a theme, I think, we will see more and more often throughout 2014 and beyond.

    As you probably already know if you’ve read anything on this blog, passwords, on their own, are a fairly weak form of protection, when you come right down to it. Given enough time and computing power, even random passwords can be hacked, and the truth is, most people don’t use random passwords. Most people use the same dictionary-derived passwords over and over and over again. It’s one giant security breach after another waiting to happen.

    I agree with these articles that the future of authentication is going to be multi-factor authentication (MFA) for almost every system and site people access—for personal or business reasons.

    There’s just too much sensitive information floating around out there protected by flimsy passwords, just waiting to be swept up in a Target-like breach. It won’t take too many more of those before multi-factor authentication takes off worldwide.
