23andMe data breach

23andMe Data Breach and the Urgent Need for Stronger Authentication Practices

In the wake of the crisis currently plaguing the Middle East, a lawsuit aimed at a US DNA testing company has once again shown the dangers involved with weak authentication practices. The company in question, 23andMe, suffered a data breach last year that ultimately gave hackers access to the personal information of 6.9 million customers. The hackers appear to have specifically targeted customers of Chinese and Ashkenazi Jewish heritage, and their information was offered for sale on the dark web. Although the company told customers about the data breach, it did not tell them that they had been targeted in this way.

The Breach: A Closer Look at Credential Stuffing

According to 23andMe, 14,000 accounts were breached, but because of the nature of the data, such as family trees and the ability to share information with relatives, a much higher number of records was harvested. 23andMe claims the breaches were due to credential stuffing, which is an extremely common form of attack. It involves attackers acquiring username/password combinations stolen from other sources and then trying them on other sites. Therefore, if people reuse the same username and password combination across multiple websites and services, a breach at any one of them could lead to their account on a totally different site being compromised.

Credential stuffing is just one of the attack vectors that can compromise password-only websites. For a company holding such sensitive information, it is scarcely believable that it would rely on passwords alone.
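The pattern described above, one source trying many different accounts with stolen credentials, is what a defender can look for in authentication logs: a single source address touching an unusually large number of distinct usernames in a short window, with a high failure rate, and the occasional success that marks an account needing a forced reset. The following detector is an added example written for this article and is not code from 23andMe or ValidSoft; the log format, the sample events, the IP addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (assumed format, not from any real system).
# 198.51.100.7 tries eight different usernames in a few seconds with mostly failures,
# the credential stuffing pattern; 203.0.113.5 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2023-10-01T10:00:02Z src=198.51.100.7 user=bob result=FAIL
2023-10-01T10:00:03Z src=198.51.100.7 user=carol result=OK
2023-10-01T10:00:04Z src=198.51.100.7 user=dave result=FAIL
2023-10-01T10:00:05Z src=198.51.100.7 user=erin result=FAIL
2023-10-01T10:00:06Z src=198.51.100.7 user=frank result=FAIL
2023-10-01T10:00:07Z src=198.51.100.7 user=grace result=OK
2023-10-01T10:00:08Z src=198.51.100.7 user=heidi result=FAIL
2023-10-01T10:00:30Z src=203.0.113.5 user=ivan result=FAIL
2023-10-01T10:00:45Z src=203.0.113.5 user=ivan result=OK
2023-10-01T11:30:00Z src=198.51.100.7 user=judy result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"})
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5):
    """Flag source addresses that attempt at least `min_users` distinct accounts
    inside any sliding `window`, with a failure ratio of at least `min_fail_ratio`.

    Returns {src: {"users": set of usernames tried, "compromised": set of
    usernames that logged in successfully from the flagged source}}.
    The thresholds are assumed values; tune them to the service's normal traffic.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so that all events in evs[start:end+1] fit in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                f = findings.setdefault(src, {"users": set(), "compromised": set()})
                f["users"] |= users
                # successes from a stuffing source are the accounts to reset first
                f["compromised"] |= {e["user"] for e in win if e["ok"]}
    return findings


if __name__ == "__main__":
    for src, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(f['users'])} accounts tried, "
              f"successful logins for {sorted(f['compromised'])}")
```

The sliding window matters: the same source logging in as one more user ninety minutes later is not, by itself, evidence of anything, so it is not counted against the earlier burst. The accounts in the `compromised` set are the ones that would need a forced password reset and, as the rest of this article argues, something stronger than a password before they are used again.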

The Flawed Response: Analyzing 23andMe’s Security Measures

However, following a review of the breach, 23andMe issued a statement saying that all existing customers would have to reset their passwords and that new and existing customers would then have to use “two-step authentication”. But what they propose is very different from “two-factor authentication”, because the additional step is a code sent to their email address, not to a mobile device. Because an email account can be accessed from anywhere, it is not considered a possession factor by NIST or by any other strong authentication authority such as PSD2.

That notwithstanding, multi-factor authentication based on codes sent via SMS and phone calls has its own weaknesses, as many banks and other organizations worldwide can attest. Opting for an email-based solution shows a complete lack of understanding of what is required.

The Irony of DNA: Identity Assurance with Biometric Authentication

The only true form of identity assurance is biometric authentication, as it is impervious to credential stuffing and every other identity theft technique. It’s hard for a voice biometric company like ValidSoft not to see the irony in a company that specializes in DNA, something unique to every individual, failing to grasp that biometric authentication is the strongest form of authentication and the only true form of identity assurance, precisely because of our DNA. Our voice identifies us because our voice is unique. It’s a lesson other organizations fearful of data breaches would do well to heed.