Putting a lid on password honeypots

Consumers are worried about their personal data.

Despite heavy fines and tighter regulation, large-scale hacks still hit the media on a regular basis.

The latest incident with Yahoo is estimated to have exposed at least 500 million users’ personal information. It’s no wonder then that 55% of UK consumers are concerned about their security online.

Although most of us are aware of the tactics hackers use to steal personal information, they are becoming harder to avoid.

A recent report by Verizon revealed that employees are now 7% more likely to fall for a phishing email than they were in 2015, for example.

Hackers often take advantage of consumers’ trust by posing as real service providers or even their employer. Most risks can be mitigated by a quick check within your firm, or a call to customer services, but there is another more malicious form of data theft that consumers are struggling to side-step: the password honeypot.

What is a honeypot?

In recent years, it’s become standard practice for service providers to require users to create online accounts to access their services.

These accounts benefit providers, who can better track how consumers are using their services and secure a permanent contact point in the form of the individual’s email address. It also helps brands to create more personalised experiences for consumers, who can save their preferences, such as delivery details or a wish-list of items to buy later on a retail site.

>See also: Why are Google killing the password?

But these accounts are also a risk to consumers’ personal data – 49% of people use the same login and password combination across different services.

Hackers know this, and deliberately set up digital services to trap users into sharing their username and password combinations. Once they have the login details, the hacker then tests the credentials against all major email, banking and retail websites to find a match.

Many security experts advocate the need to use different login credentials for different websites to minimise the risk of identity theft, but this presents its own problems.

According to Centrify, the average person has to remember 19 passwords for the digital services they use. Consumers don’t have the time or patience to remember randomised usernames and passwords, so get stuck in a constant forget-and-reset loop.

The sheer frustration associated with this process drives people to use easier-to-recall, but riskier, password combinations.

The mobile solution

One solution to the password honeypot threat is mobile authentication. Put simply, mobile authentication creates an additional level of user verification that ensures the person accessing an account is really who they say they are.

As a form of two-factor authentication, it works by asking the user to verify their identity via their mobile phone, usually in the form of a pop-up notification, or by entering a PIN or biometric password. This happens every time the user logs into their accounts or attempts to make a transaction.

Mobile authentication dramatically reduces the risk of tumbling into a password honeypot. Even if hackers have users’ personal information, they cannot access their accounts or make transactions without also having the associated mobile phone and PIN number.

With locally-stored user credentials (the PIN or biometric), this type of authentication can help consumers to circumvent honeypots – as well as the need to remember multiple username and password combinations.

>See also: Are Millennials more careless with passwords?

With mobile authentication services users can also sign up to digital services without sharing any personal information with the service provider.

Instead, data is hashed before being stored on the SIM or on a secure server. No information is shared with the service provider, who receives a pseudonymous token of the user’s identity that is verified by the mobile network operator.

For consumers, they benefit from giving ‘active consent’ that allows them to choose what data they will share with the service provider. As the data relies on the operator network, legitimate service providers can be assured that is accurate and still offer a personalised experience.

GSMA’s Mobile Connect, for example, only requires you to know your mobile number, and nothing else. With greater convenience, consumers and businesses enjoy greater security.

Convenience trumps complexity

Security benefits aside, mobile authentication is the ideal method to protect consumers because of its convenience.

There are almost 5,000,000,000 mobile subscribers globally (GSMA Intelligence), and this number is growing by the second.

With these devices in our pockets, mobile phones are the perfect tool to protect our online identities. Mobile authentication is the key to putting the lid on password honeypots.

 
Sourced by Marie Austenaa, VP and head of personal data, GSMA

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Two-Factor Authentication