Don’t gamble with your identity verification practices

Déjà vu can suck sometimes.

Earlier this year, I wrote about the importance of organizations reviewing their password management strategies. I also emphasized that companies need to urgently review their employee access protocol, writing that companies must “make it a point to do continuous employee training to help your teams avoid being duped by phishing and malware tactics.”

But casino gaming companies MGM Resorts International and Caesars Entertainment were caught short in this area in recent weeks by hackers using identity-based and social engineering attacks that spoofed identity to gain access to secure systems.

According to reports, MGM and Caesars were both customers of identity management company Okta. The firm had seen continuous patterns of activity that showed that bad actors tried to get passwords to privileged user accounts. Okta issued an alert to clients in late August warning about incoming threats by hackers to gain access to “manipulate the delegated authentication flow via Active Directory (AD) before calling the IT service desk at a targeted organization, requesting a reset of all MFA factors in the target account.”

Caesars noted in a filing that an “unauthorized actor” had stolen data in a social engineering attack targeting an outsourced IT support vendor, according to an InfoSecurity report. Caesars had seen some evidence of recent suspicious activity and learned on September 7 that its systems had been compromised, with the bad actors hacking into a loyalty program database with members’ Social Security and driver’s license numbers.

According to reports, the hacker groups identified as BlackCat/ALPHV and Scattered Spider are behind these attacks. Caesars and MGM were held to cash ransom demands in exchange for not releasing the data into the wild. Some reports noted that both organizations complied with the demands by paying the hackers ‘tens of millions of dollars.’

Both events showed a consistent pattern of using an employee’s identity and using social engineering to fool the IT helpdesk into providing access. According to a Reuters report, these ransomware bandits also breached the systems of several other companies operating in manufacturing, retail, and technology.

Understanding black hat attacks

Ransomware heists have become increasingly common in recent years as they have become more profitable for hackers.

The formula is well-known: black hat hackers encrypt a company’s data and demand a ransom payment for the decryption key. If the company does not pay the ransom, the hackers threaten to release the data to the public or sell it to other criminals. These cyber thieves target companies of all sizes but are often keen on enterprise organizations with valuable data.

This vulnerability is not unique to MGM nor Okta; it’s a systemic problem with multi-factor authentication. MFA, which was designed to authenticate devices, falls short in secure enrollment and recovery processes which is critical where identifying the human user is critical. This is an acknowledged limitation stemming from its original design as it wasn’t developed to address this specific challenge.

It’s worth re-mentioning that a 2022 study by security company Tessian and Stanford University professor Jeff Hancock found that employee mistakes and human errors were the cause of 88% of data breach events. IBM Security pegged that same number higher, to 95%.

In addition to the financial cost of the ransom payment, businesses can also lose revenue and productivity due to downtime and the need to recover from the attack. Ransomware heists can also damage a company’s reputation and erode customer trust.

How to combat ransomware attempts

Sadly, these events are likely to continue until industry mechanisms are installed to fact-check a person’s identity. This should happen across the board.

Should companies enact a ‘secret word’ response to verify one’s identity? Here’s a simple analogy: when you accidentally trip your home security system at home, your home security company contacts you to confirm if a break has occurred. When you answer, the company may ask for a ‘secret word’ to verify that it is you, the homeowner, and it was an accidental trip of the system. It sounds simple, but it could be a hedge against similar social engineering and phishing hacks. But this simplistic solution doesn’t scale and has its own vulnerabilities.

Taking this to the next level, a better solution to this problem would be an automated method to digitally validate a conversation on a peer-to-peer basis. This would verify that these identified persons are conversing within or outside an organization. It’s almost eerily similar to an early Star Trek episode (Whom Gods Destroy) when Spock encounters duplicate versions of Captain Kirk and requires a specific answer from Captain Kirk to be assured of the real Kirk’s identity. Okta has suggested adding video to the authentication workflow to address the spoofing issue, but this can easily be circumvented by all of the generative AI-based solutions in the market, similar to the Captain Kirk identity duplication.

Identity technology can solve this issue at scale, and innovative startup companies have begun to emerge. AI-enabled software solutions can add routine flows within your processes to prompt users to verify their identity as additional security before transactions or account changes. Today there are systems that can also verify attributes such as age and account ownership before speaking to an agent.

Numerous use cases can extend from call center verification to enterprise use verification and even into other business and personal categories in the years ahead. We should all be assured that we are interacting authentically with the person(s) who they say they are. It might make us feel safer and more secure in our connected world.