Many people have heard of the massive cyberattacks on casino giants MGM Resorts & Caesars. Everything from room keys to slot machines was affected. Like many recent breaches, it’s a warning to improve security around digital identities — because that’s where it all started.
This breach has a similar origin to other breaches we’ve seen in recent months: social engineering and impersonation.
Hackers tricked MGM’s IT Department into resetting valid logins. They then launched a ransomware assault. The same group has allegedly launched a series of attacks on various sectors, including Caesars Entertainment. Caesars paid $15m to recover its data days before MGM’s attack.
The fact that casino companies — which live and die by their investment in security — could be breached so boldly exposed a basic blind spot in many networks: they don’t have enough checks and balances to ensure the people using their system are who they claim to be.
Face recognition technology will quickly identify and remove a known card counter from the casino. Yet many gaming companies still use passwords to protect their digital networks. This has proven to be a weak link when it comes to identity and access management.
Vulnerabilities in Identity Management Exposed
The MGM hack shows how vulnerable identity management systems are to hackers if they focus on identity authentication rather than identity verification. Hackers can manipulate a system with just the right amount of social engineering. Addressing this problem at its root means preventing hackers from logging on.
Multifactor authentication has been used for identity authentication in the past. This usually meant that a push notification was sent to a user’s mobile phone or a one-time code was texted. Even multifactor authentication has proven vulnerable.
Hackers who have some basic information can contact a mobile provider pretending to be a customer angry about having to activate a brand new phone. They can then transfer the entire contents of the victim’s smartphone to their own. Recent attacks on cryptocurrency platforms were traced to “SIM-jacking.” Thieves reportedly tricked T-Mobile into resetting the phone of a consultant managing the bankruptcy operations of crypto platforms.
Now, the bad guys have all kinds of tools at their disposal. They can use artificial intelligence or deepfakes to pass off an Eastern European as a New Yorker with a modern phone. While businesses pay the price for not utilizing readily available technologies to modernize identity stacks,
Genuine Verification: Beyond Biometrics
Access management has evolved in the 60 years following the invention of the password, from sticky notes to various authentication methods designed to prevent credential theft or abuse. Push notifications are a popular tool, but they can be vulnerable to “MFA fatigue.”
Apple’s Touch ID, Face ID, and other biometric authentication features have become popular. Cell phones, however, can also serve as tools for hackers.
Authentication keys, which rely on a physical token to generate a verified code, are a step up from MFA and improve authentication standards such as Fast Identity Online. Google even went one step further by creating a key which is encrypted to be resistant to quantum decryption, to protect against hackers with quantum computers.
All these methods of authentication still rely on passwords. These methods bind a user’s true identity to their device – typically a cell phone – rather than to actual proof of identity verified by biometrics, government-issued IDs or other reliable documents. IAM has to evolve and modernize from simple authentication to real identity verification.
Financial Consequences of Breaches
You will need to invest time, money, and effort to modernize IAM, but the benefits are worth it. Just look at MGM Resorts’ revenue losses: the breach could cost the company up to $8 million a day. Stocks of the company also took a big hit after the news was released.
The first step is to collect biometrics from authorized users such as employees and partners and to create an account. These documents will be used to verify the identity.
A verified credential — such as digital employee identification cards, digital passports, and digital educational certificates — will include metadata that cryptographically proves who issued it, and tampering would be spotted. Biometrics, like passwords, can be stolen. That’s why they need to be protected. Blockchain has been proven to be a reliable technology for protecting digital assets. Why not use it as a way to protect your most valuable asset – your identity?
Information security teams can use the immutable audit logs that come with distributed ledgers to ensure that, if anything goes wrong, they can track who has accessed which resources, when and how.
They can then check to see if the Live ID (a “real” biometric) was used. This makes it easier to find out what happened, and to act before the hack’s radius grows.
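The audit trail described above can be illustrated with a small hash-chained log. This is an added example, not code from the article or from any product: the field names and the `live_id` / `password_reset` method labels are assumptions, the events are constructed, and a local hash chain stands in for the distributed ledger.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry

def entry_hash(body: dict) -> str:
    # Canonical JSON so the same fields always hash to the same digest.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append(log: list, user: str, resource: str, ts: str, method: str) -> None:
    """Append an access event that commits to the hash of the previous entry."""
    body = {"user": user, "resource": resource, "ts": ts, "method": method,
            "prev": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": entry_hash(body)})

def first_broken(log: list):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry_hash(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

def without_live_id(log: list) -> list:
    """Accesses that were not backed by a live biometric check."""
    return [(e["user"], e["resource"], e["ts"]) for e in log
            if e["method"] != "live_id"]

def build_sample_log() -> list:
    # Constructed sample events, not data from any real incident.
    log = []
    append(log, "alice", "hr-db", "2023-09-10T08:00:00Z", "live_id")
    append(log, "bob", "idp-admin", "2023-09-10T08:05:00Z", "password_reset")
    append(log, "alice", "payroll", "2023-09-10T08:09:00Z", "live_id")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("first broken entry:", first_broken(log))
    print("accesses without Live ID:", without_live_id(log))
    log[1]["method"] = "live_id"  # an intruder rewrites history
    print("first broken entry after tampering:", first_broken(log))
```

An attacker who can rewrite the whole log can also recompute every hash, so the latest hash has to be anchored somewhere outside their reach, which is the role the distributed ledger plays here.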
Rethinking Authentication for the Digital Age
Most of the identity authentication that is used today involves copying and pasting. It’s not a biometric login; the biometric is just being used to copy and paste a password into an app. In the end, it is just a time-saving measure, not a security measure.
Even passwordless authentications have a username/password somewhere. If bad actors steal the username and passcode, they can still set up workflows for another system. Once they reset the original password, they are good to go. The password remains at the heart of the identity verification process.
MGM, Caesars and other businesses are facing the same threats when it comes to identity-based security. Security must take a proactive approach against hackers by shutting down logins and replacing authentication with cryptographically verified identities. Allow users to re-verify their identity whenever continuous monitoring flags an excessive risk in relation to their online behavior.
You’ve got an issue if you vouch for someone else’s identity. Can a one-time code, or a device, truly replace an identity? IAM must be modernized. It needs to connect with people — real people, not devices.