Hackers have proven time and time again that they’ll eventually find a way to defeat any single digital security method. Their motivation to do so is evident in the fact that, on average, more than 150 000 new, unique malware strains are unleashed each day. That’s one of the startling conclusions drawn by analysts from the Aite Group in the report “Cyberthreats: Multiplying Like Tribbles” that was released earlier this week.
Tribbles were fictional creatures featured on the TV series Star Trek. They multiplied so rapidly that their consumption of resources grew exponentially. The same appears to be true of cybercrime. Julie Conroy, research director at Aite’s banking division and coauthor of the report, told IEEE Spectrum that last year, hackers were pumping out 72 000 new malware strains per day, less than half of the current level of cybercrime activity.
So, what’s the upshot? According to the report, “The username/password combination as an authenticator is officially broken…the sole relevant use of this combination is now that of a database look-up mechanism.” More than half of computer users don’t follow security experts’ advice to choose different, strong passwords for each of their online sign-ups—which allows a blaze in a small thicket to engulf a person’s entire online forest, so to speak. But what if you do follow best practices? “Nobody is ever 100 percent secure,” is the report’s sobering conclusion.
It does, however, point out steps that businesses such as banks, which are the primary targets of cybercrime, are taking to make a hacker’s job harder.
Among them are new ways to prevent a hacker from pretending to be an actual customer. Technology is available that will allow your bank to generate a “device fingerprint” for the computer, tablet, or smartphone you regularly use to conduct transactions. Business conducted from an unknown device automatically triggers more authentication steps.
Firms are also looking to use behavioral analytics. The vendor would collect data about how the customer interacts with, say, his or her smartphone. If the person using the handset owned by John Q. Smith (confirmed by the device fingerprint) doesn’t press the keys or swipe the touch screen the way Mr. Smith usually does, red flags would be raised.
Asked whether these security measures might be considered too intrusive, Conroy says they’re built into the process so that the average customer doesn’t even know it’s happening. “The aim is to perform a balancing act,” she says. “Businesses are asking themselves: How do we enable a secure environment without appearing to be Big Brother?”
Striking that balance may be impossible—especially in light of the fact that the U.S. government has forced, and continues to force, companies to turn over customer data. Conroy, whose research focuses on fraud, data security, and preventing money laundering, acknowledges that these new strategies may be implemented at the cost of a little privacy. But, she says, the alternative may be the loss of online and mobile channels for conducting business as the benefits of e-commerce are devoured by the rising tide of Tribbles. How much is being consumed? The report predicts that businesses worldwide will suffer more than half a billion dollars in losses from corporate account takeovers. Cyberthieves will take nearly US $800 million in 2016, say the analysts.
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.