How to mitigate social engineering attacks with guaranteed identity assurance

This week in Australia has seen one of the most damaging examples of data theft imaginable. Medibank, Australia’s largest private health insurer, has admitted that the personal data of every single member has been stolen by unknown hackers. What makes this incident even worse is that the claims data of many members, including medical conditions and treatments, was also stolen. If published or sold, this would be one of the worst privacy violations a citizen can suffer: the loss of personal health information.

Coming just weeks after the hack of Optus, Australia’s second-largest mobile network provider, the Australian public and Government want answers. The answer, though shocking, is actually simple: neither of these breaches involved getting through network perimeter defenses or any other sophisticated form of cyber-attack.

In both attacks, it appears the perpetrators simply logged on to the network using the credentials of genuine employees. In the case of Optus, it is reported that the credentials were obtained through a simple social engineering technique, whilst the credentials of a Medibank employee with high-level access were evidently purchased on a Russian cyber-criminal forum.

The Missing Link
Once again, organizations that no doubt invest heavily in data and network security, such as Zero Trust Networks, fail to understand that Zero Trust starts with the employee: if you cannot guarantee the identity of the person accessing the network, then everything else counts for naught.

Relying on any form of proxy identification that can be obtained through social engineering or stolen in any way, and can therefore be used by anyone in possession of it, is a recipe for cyber disaster, as Optus and Medibank now know, and as Microsoft, Okta, and Uber discovered before them via the Lapsus$ hacking attacks.

The Need for Identity Assurance
Absolute identity assurance can only be provided by biometric authentication, and voice biometrics offers the highest level of protection since it is inherently two factors – a person’s voice plus what the voice is saying (e.g. speaking an OTP). Since it must be the genuine user’s voice speaking the security (proxy) credential, such credentials are rendered useless to everyone but the genuine user.

Organizations that are serious about data and network privacy, that invest heavily in physical and digital protection, must understand that real security starts with guaranteeing the identity of the individual.

Simply put: No Identity Assurance, No Zero Trust!

The good news is that the voice biometric layer can be added as an overlay on top of an organization’s existing security defense layers, thereby protecting and leveraging the security investments already made.
