Have you ever responded to an unsolicited email from a barrister located in Nigeria who, out of the blue, contacted you? For some inexplicable reason, he saw you as a kind and generous person who undeniably deserved his late client’s inheritance of millions of British Pounds. Well, I have! I just wanted to see what the scam was about. After a couple email exchanges during which I received photos of the recently deceased client – always dressed in the same clothes, including in the framed photo that was clumsily photoshopped and pasted on top of a casket – I was asked to send $500 via Western Union to Senegal (red flag!) to pay for the paperwork and get the process started.

Phishing, Vishing and Smishing in a Nutshell

The Nigerian inheritance email is a prime example of a phishing attack. And along with technological advances, other types of attacks have appeared in recent years, such as vishing and smishing. Let’s take a quick look at what they are:

  • Phishing is a type of social engineering attack used to steal user data, which includes login credentials and credit card numbers, for example. Phishing happens when an ill-intentioned individual, posing as a trusted entity, dupes a victim into opening an email, instant message, or text message.
  • Vishing is similar to phishing, except the criminal tries to gain information over the phone. If you want to see an example of vishing and spend a lovely time with your family this weekend, watch the movie “Identity Thief” starring Melissa McCarthy and Jason Bateman.
  • Finally, smishing is short for SMS Phishing. Hackers send bogus links via text instead of email.

All of the above attacks are designed to compromise essentially 5 types of data: credentials (passwords, usernames, pin numbers), personal data (name, address, email address), internal data (sales projections, product roadmaps), medical (treatment information, insurance claims) and bank (account numbers, credit card information).

The Consequences of Phishing, Vishing and Smishing Attacks.

Now, a few staggering statistics:

  • 1 in every 99 emails is a phishing attack (Check Point Research)
  • 32% of data breaches involve phishing (Verizon Data Breach Investigations Report)
  • 29% of data breaches involve use of stolen credentials (Verizon Data Breach Investigations Report)
  • 64% of organizations have experienced a phishing attack in the past year (Check Point Research)
  • 22% of organizations list phishing as their greatest security threat (EY Global Information)

The average cost per compromised record is $150 (IBM’s Cost of a Data Breach Report). Reportedly, 5.2 million records were stolen in Marriott’s most recent breach, so allow me to do the math for you: a potential cost of $780 million. In fairness, no one is immune to a data breach. The average breach costs businesses $3.92 million. The costs can be broken down into several different categories, including loss of productivity, damaged reputation, direct monetary loss, compliance fines, etc.

Is there a remedy or better, a vaccine, against these forms of cyber-attacks?

The Vaccine to Protect Against Phishing, Vishing and Smishing Attacks.

With regard to users’ authentication, there is vaccine of sorts, and it leverages advanced biometrics as well as Blockchain technology. 1Kosmos BlockID is the next-generation contact-free authentication solution that goes far beyond what 2FA, MFA and most passwordless applications on the market have to offer. The company’s platform is built on three pillars: Enrollment, authentication and verifiable credentials. The goal is to focus at all times on ID proofing, which is the irrefutable approach that is used to verify and authenticate the identity of an employee or a customer who accesses a system or application.

Enrollment Process.

The enrollment of employees and customers in the BlockID mobile app consists of triangulating a given claim (ID photo, address, last name, etc.) with a multitude of company or government-issued documents (driver’s license, passport, etc.) as well as sources of truth (AAMVA, State Department, passport’s issuing country, passport chip, credit cards, bank account, etc.), including biometrics like a liveness test. The liveness test is performed to verify if the biometric traits of an individual are from a living person rather than an artificial or lifeless person. This biometric feature is essential because, ultimately, facial spoofing which is the task of creating false facial verification by using a photo, video, mask, or a different substitute for an authorized person’s face is not too difficult if someone really wants to impersonate you. BlockID’s enrollment reaches the highest level of identity assurance per the NIST 800-63-3 guidelines, or IAL3.

Authentication Process.

The biometric identifier BlockID leverages for authentication is a liveness test. Each time a user needs to authenticate to access a critical system or transact financially, he or she performs a liveness test. If it doesn’t match the liveness test performed during the enrollment process, the authentication fails. Moreover, a liveness test offers the added benefit of requiring users to capture a live video of themselves, which has a frightening effect on criminals who’s rather not share their face with the company they are targeting. BlockID’s authentication process reaches the highest level of authentication assurance per the NIST 800-63-3 guidelines, or AAL3.

Verification Process.

The verification process leverages the attributes BlockID triangulates during the enrollment phase as well as verifiable credentials in their digital form. Verifiable credentials are tamper-evident credentials that have authorship that can be cryptographically verified. Users can share them through API calls with third parties and with explicit consent. Thus, the BlockID verification process eliminates all tedious back-and-forth communication between verifiers and issuers, since the verifier no longer has to contact the issuer to confirm the credential, thus eliminating data verification costs in the process. Our verification process is fully W3C compliant. It means that the digital credentials we leverage respond to a specific standard and format and go through a secure and vetted verification process, so they can’t be shared or leveraged to commit fraud. Moreover, they respect a robust privacy strategy, so they can comply with regulatory requirements across legal jurisdictions. Finally, the attestations that verifiable credentials make are backed by the Decentralized Identifiers (DIDs), a technology that enables verifiable, decentralized digital identity.

Lastly, BlockID’s distributed ledger technology stores users’ data encrypted and creates a permanent, immutable record that is invulnerable to tampering.

3 Main Benefits to Conclude…

BlockID creates a paradigm shift in the passwordless industry by bringing 3 main benefits:

  • BlockID proofs the identity of an organization’s employees and customers. In other words, the organization can be certain that its employees and customers are who they say they are… Always. Indeed, the levels of identity and authentication assurance per the NIST 800-63-3 guidelines that BlockID reaches simply make impersonation impossible and giving away or sharing purposely credentials a worthless enterprise.
  • The costs of deploying 2FA and MFA solutions that require hardware is eliminated. So is the cost of installing biometrics stations throughout a facility for fingerprint or iris recognition, for example. BlockID is an app installed on the user’s smartphone that gives physical and logical access to whoever authenticates successfully.
  • Distributed ledger technology is immune to hacking. Therefore, the potentiality of a data breach is eliminated. This is why BlockID leverages this technology to securely store users’ identity information encrypted, with access controlled by the user (GDPR compliant).
Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More