The Marriott data breach, which exposed 500 million guests’ details over a four-year period, highlights the need for stronger identity proofing procedures and hardware-based strong authentication to limit the fraudulent use of stolen data, the Secure Technology Alliance said today in a press release.
Consumers and businesses should be aware that all personally identifiable information has utility for cyber criminals. Information as basic as an email address can be used in targeted social engineering, phishing and other attacks. According to the release, account takeover tripled in 2017, reaching a four-year high.
And, while businesses still need to invest in technologies to protect against breaches, it is important to acknowledge that a huge amount of identity information is now available on the dark web and to act to minimize its value to criminals.
Businesses can take several actions to better protect data and minimize fraud risks:
- Institute more stringent identity proofing procedures to prevent new account fraud, looking to NIST’s SP 800-63-3 for guidance.
- Give consumers the option to use multifactor authentication to combat account takeover.
- Mandate hardware-based strong authentication backed by cryptographic security with a smart card or FIDO security key for all employees authorized to access data.
- Encrypt all data and store encryption keys locally — not in the cloud.
The nonprofit Secure Technology Alliance is committed to developing and sharing best practices around security, privacy and data protection, the release said. The alliance plans to engage the industry in further discussions in 2019 and begin putting forward recommended best practices on identity proofing and authentication that the industry can adopt as a whole.