Cyber security will always be an issue,
“until we get rid of passwords”
  — Frank Abagnale Jr

How can organisations beat malware and ransomware; and get a stronger foothold in the cyber security landscape? Frank Abagnale Jr, security consultant and former con man, says the tables will never be turned "until we get rid of passwords" Cyber security will always be an issue, “until we get rid of passwords” — Frank Abagnale Jr image

Frank Abagnale Jr is a name some of you may be familiar with. His early life, between 16 and 21, has been documented in many adaptations: books, plays, TV series’ and even a film; the playful biographic, Catch Me If You Can, produced and directed by Steven Spielberg.

“Most of these creatives have never even met me,” joked Mr Abagnale during his keynote at Oktane19 in San Francisco.

Frank Abagnale Jr during his “flying” days. “What equipment are you on?”

Frank Abagnale Jr, today: a security consultant and lecturer for the FBI academy and field offices. Photo by Jeffrey Langlois/Palm Beach Daily News.

Waiting in the lobby of the Beaumont Hotel, Mayfair, I was somewhat nervous about meeting the subject of this film, portrayed so well by Leonardo DiCaprio. His escapades, posing as a commercial aircraft pilot, a doctor and a lawyer, seemed so far removed from reality that I didn’t quite know what to expect — I needn’t have been anxious though, I was greeted warmly and began an hour-long interview with Mr Abagnale and Ori Eisen, the founder and CEO of Trusona — the identity theft protection company based in Scottsdale, Arizona.

Ridding the world of passwords

Some would argue that we’re losing the cyber security war; data breaches are an almost daily occurrence and organisations (both public and private) are being overwhelmed.

The tables won’t be turned “until we get rid of passwords,” said Mr Abagnale, almost immediately. “I can’t believe that passwords were developed in 1964, when I was 16-years-old, and now today, at 71, we’re still using passwords as a protocol to get into security systems. I don’t understand why there are still passwords around when we know passwords are the root cause of all these issues that we have.”

This comment was no understatement: Microsoft estimates that 63% of network intrusions are a result of compromised user passwords and the latest Verizon Data Breach Investigations Report found that 81% of hacking-related breaches involved weak or stolen passwords.

The death of the password in the authentication age

Has the password had its day? Is authentication the future? Read here

A no-password reality is necessary for a secure future — and this is why Mr Abagnale joined Trusona as an advisor; the company founded by his friend of 20 years, Mr Eisen.

But, how does one even go about championing ditching the password; something so ingrained in society? Before breaking down the cultural hurdles it was first necessary to develop the technology: anti-replay.

According to TechTarget, anti-replay makes ‘it impossible for a hacker to intercept message packets and insert changed packets into the data stream between a source computer and a destination computer.’

“Without anti-replay, a no-password future is impossible,” continued Mr Abagnale. “And, over the last four years we’ve been developing it. It is now accomplished.”

It seems that organisations are willing to embrace the technology. Trusona have over 200 customers, including the USA’s largest bank and insurance provider. “It’s the only insured verification system in the world,” claimed Mr Abagnale. “And, we’re trying to bring it out to the rest of the world.”

“There are different levels of Trusona. We developed it at a level 4 security for the Pentagon, the CIA and the FBI, but then realised very quickly we could take it to level 2 — a tool for consumers to use and eliminate the need for passwords,” he explained.

Passwords: the great security vulnerability

The password is insecure: a hacker could log into an individual’s bank account and they wouldn’t even know. This is first issue; passwords are easily lost and even more easily stolen, via phishing or malware attacks. Once a cybercriminal has access to the password, they can replay it over and over gain.

“Unfortunately, because passwords are free and easy, no one gave design much thinking,” said Mr Eisen. “But, now the cost of passwords is obvious” — they’re the great security vulnerability and largely responsible for the data breaches that pepper news headlines.

Historically, security and user experience have been at odds with each other, because everyone believed that making systems less user friendly (longer, more complex passwords, for example) made them more secure — this is a fallacy and hinders adoption rates, making systems, ironically, less secure.

“This is not a computer-to-computer interaction with longer keys. These are humans we’re talking about,” continued Mr Eisen.

“My first 20 years at the FBI dealt with counterfeiting, forgeries, embezzlement, and the last 20 years have all been cyber” — Mr Abagnale

Ease of use: the key to changing security culture

As a security practitioner, and as a former head of risk for Verisign and American Express, Mr Eisen emphasised that ease of use is the most important thing.

This view is similar to Jared Spool, the world renowned UX (user experience) expert, who famously coined the phrase: ‘If it’s not usable, it’s not secure’:

“When we talk about passwords, the technology has to be frictionless,” reiterated Mr Abagnale.

“I always look to the future, and in the next two to three years I see passwords being gone. I have three sons and five grandchildren — one day, in the not too distant future, I see them being able to access a range of services at the touch of a button.” He used the example of a car dealership:

“I’d like to buy this car and finance it through a bank with the best rate via an app. I’m not telling the dealer where I bank, what my account number is, who employs me, how much money I make: I don’t have to give them that information. And with Trusona, all of the data is kept with the bank or the phone company; we keep none. So if tomorrow they would hack Trusona, they get nothing because we keep no data.”

Identity and access management –– mitigating password-related cyber security risks

Mike Newman, CEO of My1Login, helps explore the importance of identity and access management in mitigating password-related cyber security risks. Read here

Ditching the password

The world is entrenched in passwords, so the challenge is helping organisations recognise the value of ditching the password and scaling a system throughout their organisation that employees and consumers can get on board with.

There are three different layers to this, according to Mr Eisen.

People are willing to change: Not only are users willing to change behaviour — but they also report higher satisfaction rates with passwordless multi-factor authentication (MFA) logins. In a study commissioned by Trusona and conducted by Blink, 70.2% of users chose Trusona’s passwordless MFA over traditional passwords — with 31% more satisfied with the MFA login. Also, the older age group (55+) was 10% more likely to try passwordless MFA than the two younger age brackets. “This isn’t because people love Trusona, it’s because they hate passwords,” explained Mr Eisen. “If a company doesn’t realise how much resentment is fomenting in people, they should first ask their customers with a simple survey: do you like using our passwords,” he asked?
• Cost: The second is cost. The call centres of any large organisation are inundated with calls about forgotten passwords. According to the study, nearly 30% of participants using passwords needed help resetting them at least once during the 3-week timeframe — at ~$25/call that adds up fast.
• Security: “With this technology, every single time someone uses your identity, you need to say yes, this is me right now,” said Mr Eisen. “For years and years we have shunned the users away from security and this is the wrong way to go about it. Let them be part of the solution and help with security.

“It’s hard to change, it’s not easy, but if you — as a responsible organisation — don’t realise you need to change, you are a laggard,” he continued.

Mr Eisen (L) and Mr Abagnale (R) are now working together to rid the world of the troublesome password.

“Criminals are all the same”

“One thing that never changes is that [cyber]criminals [,con artists] are all the same,” said Mr Abagnale. The surface area is the thing that’s different, but the motivations — in general — are the same: for a young Frank Abagnale Jr, he was physically counterfeiting cheques, while physically impersonating pilots, lawyers and doctors. Today, all of this still happens, but in the virtual world — and it’s a lot easier.

In the second part of this interview, we explored Mr Abagnale’s work at the FBI, the transition of crime from the physical to the digital and how his early life experiences impacted his dedication to preventing cybercrime.