Have you ever responded to an unsolicited email from a barrister located in Nigeria who, out of the blue, contacted you? For some inexplicable reason, he saw you as a kind and generous person who undeniably deserved his late client’s inheritance of millions of British Pounds. Well, I have! I just wanted to see what the scam was about. After a couple email exchanges during which I received photos of the recently deceased client – always dressed in the same clothes, including in the framed photo that was clumsily photoshopped and pasted on top of a casket – I was asked to send $500 via Western Union to Senegal (red flag!) to pay for the paperwork and get the process started.
Phishing, Vishing and Smishing in a Nutshell
The Nigerian inheritance email is a prime example of a phishing attack. And along with technological advances, other types of attacks have appeared in recent years, such as vishing and smishing. Let’s take a quick look at what they are:
All of the above attacks are designed to compromise essentially 5 types of data: credentials (passwords, usernames, PIN numbers), personal data (name, address, email address), internal data (sales projections, product roadmaps), medical (treatment information, insurance claims) and bank (account numbers, credit card information).
The Consequences of Phishing, Vishing and Smishing Attacks.
Now, a few staggering statistics:
The average cost per compromised record is $150 (IBM’s Cost of a Data Breach Report). Reportedly, 5.2 million records were stolen in Marriott’s most recent breach, so allow me to do the math for you: a potential cost of $780 million. In fairness, no one is immune to a data breach. The average breach costs businesses $3.92 million. The costs can be broken down into several different categories, including loss of productivity, damaged reputation, direct monetary loss, compliance fines, etc.
Is there a remedy or, better, a vaccine against these forms of cyber-attacks?
The Vaccine to Protect Against Phishing, Vishing and Smishing Attacks.
With regard to users’ authentication, there is a vaccine of sorts, and it leverages advanced biometrics as well as Blockchain technology. 1Kosmos BlockID is the next-generation contact-free authentication solution that goes far beyond what 2FA, MFA and most passwordless applications on the market have to offer. The company’s platform is built on three pillars: enrollment, authentication and verifiable credentials. The goal is to focus at all times on ID proofing, which is the irrefutable approach that is used to verify and authenticate the identity of an employee or a customer who accesses a system or application.
The enrollment of employees and customers in the BlockID mobile app consists of triangulating a given claim (ID photo, address, last name, etc.) with a multitude of company or government-issued documents (driver’s license, passport, etc.) as well as sources of truth (AAMVA, State Department, passport’s issuing country, passport chip, credit cards, bank account, etc.), including biometrics like a liveness test. The liveness test is performed to verify that the biometric traits of an individual are from a living person rather than an artificial or lifeless person. This biometric feature is essential because, ultimately, facial spoofing, which is the task of creating false facial verification by using a photo, video, mask, or a different substitute for an authorized person’s face, is not too difficult if someone really wants to impersonate you. BlockID’s enrollment reaches the highest level of identity assurance per the NIST 800-63-3 guidelines, or IAL3.
The biometric identifier BlockID leverages for authentication is a liveness test. Each time a user needs to authenticate to access a critical system or transact financially, he or she performs a liveness test. If it doesn’t match the liveness test performed during the enrollment process, the authentication fails. Moreover, a liveness test offers the added benefit of requiring users to capture a live video of themselves, which has a frightening effect on criminals who’d rather not share their face with the company they are targeting. BlockID’s authentication process reaches the highest level of authentication assurance per the NIST 800-63-3 guidelines, or AAL3.
The verification process leverages the attributes BlockID triangulates during the enrollment phase as well as verifiable credentials in their digital form. Verifiable credentials are tamper-evident credentials whose authorship can be cryptographically verified. Users can share them with third parties through API calls, with explicit consent. The BlockID verification process therefore eliminates the tedious back-and-forth communication between verifiers and issuers: the verifier no longer has to contact the issuer to confirm the credential, which also eliminates data verification costs. Our verification process is fully W3C compliant. It means that the digital credentials we leverage respond to a specific standard and format and go through a secure and vetted verification process, so they can’t be shared or leveraged to commit fraud. Moreover, they respect a robust privacy strategy, so they can comply with regulatory requirements across legal jurisdictions. Finally, the attestations that verifiable credentials make are backed by Decentralized Identifiers (DIDs), a technology that enables verifiable, decentralized digital identity.
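To make the "tamper-evident" and "no need to contact the issuer" properties concrete, here is an added example (not BlockID code and not the W3C proof format): a simplified Ed25519-signed credential checked by a verifier using only the issuer's public key. The `did:example:` identifiers, the in-memory `registry` standing in for DID resolution, and all function names are assumptions made for illustration.

```javascript
// Added illustration: simplified signed credential, not the W3C proof suite.
const crypto = require('crypto');

// Deterministic serialization so issuer and verifier process identical bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Issuer side: sign the claims once and hand the credential to the holder.
function issueCredential(issuerDid, privateKey, subject) {
  const body = { issuer: issuerDid, credentialSubject: subject };
  const signature = crypto.sign(null, Buffer.from(canonicalize(body)), privateKey);
  return { ...body, proof: { type: 'Ed25519', value: signature.toString('base64') } };
}

// Verifier side: resolve the issuer's key by DID, check the signature locally.
function verifyCredential(credential, didRegistry) {
  const { proof, ...body } = credential;
  const publicKey = didRegistry.get(body.issuer);
  if (!publicKey || !proof || proof.type !== 'Ed25519') return false;
  return crypto.verify(null, Buffer.from(canonicalize(body)), publicKey,
    Buffer.from(proof.value, 'base64'));
}

// Constructed sample data (hypothetical issuer and a key the verifier does not trust).
const issuerKeys = crypto.generateKeyPairSync('ed25519');
const attackerKeys = crypto.generateKeyPairSync('ed25519');
const ISSUER_DID = 'did:example:dmv';
const registry = new Map([[ISSUER_DID, issuerKeys.publicKey]]);

function demo() {
  const subject = { id: 'did:example:alice', licenseClass: 'C' };
  const genuine = issueCredential(ISSUER_DID, issuerKeys.privateKey, subject);
  const tampered = { ...genuine, credentialSubject: { ...subject, licenseClass: 'A' } };
  const forged = issueCredential(ISSUER_DID, attackerKeys.privateKey, subject);
  const unknown = issueCredential('did:example:unknown', attackerKeys.privateKey, subject);
  return {
    genuine: verifyCredential(genuine, registry),
    tampered: verifyCredential(tampered, registry),
    forged: verifyCredential(forged, registry),
    unknownIssuer: verifyCredential(unknown, registry),
  };
}
```

Only the unmodified credential signed with the registered issuer key verifies; an edited claim, a signature from another key, or an issuer the verifier cannot resolve are all rejected without any round trip to the issuer.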
Lastly, BlockID’s distributed ledger technology stores users’ data encrypted and creates a permanent, immutable record that is invulnerable to tampering.
3 Main Benefits to Conclude…
BlockID creates a paradigm shift in the passwordless industry by bringing 3 main benefits: